User objects cannot be created in the specified container

Discussion in 'ASP .Net Security' started by chand, Jul 20, 2007.

  1. chand

    chand Guest

    Hi,

    I am using ActiveDirectoryProvider to authenticate users (AD). If I
    point my provider to the root of AD everything works fine.

    If I point the provider to a CN which has a group of users under a
    nested container under root I am getting the following error.

    Root --> OU1--> OU12--> CN

    My connection is pointing to the CN.


    "User objects cannot be created in the specified container"

    I tried reflecting over the AD provider and found that the provider is
    failing at the following method,

    // Fragment of the provider as seen via reflection: the objectClass of the
    // entry the connection string points at must be a valid superior of user.
    DirectoryAttribute objectClass =
        response.Entries[0].Attributes["objectClass"];
    if (!this.ContainerIsSuperiorOfUser(objectClass))
    {
        throw new ProviderException(
            SR.GetString("ADMembership_Container_not_superior"));
    }

    Is there a problem with configuration of AD?

    Thanks,
    chand
    chand, Jul 20, 2007
    #1

  2. chand

    Joe Kaplan Guest

    What type of object is the CN=xxx object? If it is not an OU or a
    container, this won't work. It sounds like you are trying to use a group
    object. Groups are not container types.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "chand" <> wrote in message
    news:...
    > Hi,
    >
    > I am using ActiveDirectoryProvider to authenticate users (AD). If I
    > point my provider to the root of AD every thing works fine.
    >
    > If I point the provider to a CN which has a group of users under a
    > nested container under root I am getting the following error.
    >
    > Root --> OU1--> OU12--> CN
    >
    > My connection is pointing to the CN.
    >
    >
    > "User objects cannot be created in the specified container"
    >
    > I tried reflect over the AD provider and found that the provider is
    > failing at the following method,
    >
    > DirectoryAttribute objectClass =
    > response.Entries[0].Attributes["objectClass"];
    > if (!this.ContainerIsSuperiorOfUser(objectClass))
    > {
    > throw new
    > ProviderException(SR.GetString("ADMembership_Container_not_superior"));
    > }
    > Is there a problem with configuration of AD?
    >
    > Thanks,
    > chand
    >
    Joe Kaplan, Jul 20, 2007
    #2

  3. chand

    chand Guest

    Hi Joe,

    Thank you for replying. Yes. CN is a group object. This CN has a list
    of members that are allowed to access my application. This
    configuration is identical to other CNs used by other applications
    like "Business Objects" in the organization.

    Unfortunately I don't have much control over the AD configuration. If
    we put a test user directly under OU12 everything works. But now our
    AD admin is not willing to add each user as a container directly under
    OU12. His argument is that this kind of configuration won't allow
    users to be under another OU which can be used by some other
    application in the organization. I am not sure whether that is a
    correct assumption.

    Is there any way to configure the AD to give a user access to
    multiple OUs without using a group?

    Thank you,
    chand
    chand, Jul 22, 2007
    #3
  4. chand

    chand Guest

    Hi Joe,

    Thank you for replying. Yes. CN is a group object. This CN has a list
    of members that are allowed to access my application. This
    configuration is identical to other CNs used by other applications
    like "Business Objects" in the organization.

    Root --> OU1--> OU12--> CN (group)

    1. If I point the connection to Root, everything works fine. But this
    would allow everyone in the organization to access my application.
    The goal is to restrict access to a group of users.

    2. If I point the LDAP connection to OU12, I am not getting the above
    error. However, the provider's 'ValidateUser' method is returning false for
    any member in the CN group. Either this method is not searching the
    group or not finding the users in the group. I am using the
    sAMAccountName attribute.

    3. If we put a test user directly under OU12 everything works. Is
    this the only way to configure AD to work with
    ActiveDirectoryMembershipProvider? Using the groups under OUs seems to
    be the reasonable option as this allows the admin to manage users
    without worrying about different applications.

    Thank you,
    chand
    chand, Jul 22, 2007
    #4
  5. chand

    Joe Kaplan Guest

    Groups are not containers. Groups have membership. These are totally
    different things. In order to get users provisioned into the directory,
    they will have to be in a container. They can be in only one container in
    the hierarchy (think of it like a folder in a file system). Examples of
    container classes include organizational units and containers.

    Objects can be members of multiple groups. The membership of an object in a
    group is not related to its location in the directory hierarchy.

    So, you'll need to provision your users to a container. As to how to get
    them to be a member of a group, you can do that in code as well, but I don't
    think it is supported by the membership provider by default. You would need
    to implement that logic yourself.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "chand" <> wrote in message
    news:...
    > Hi Joe,
    >
    > Thank you for replying. Yes. CN is a group object. This CN has a list
    > of members that are allowed to access my application. This
    > configuration is identical to other CNs used by other applications
    > like "Business Objects" in the organization.
    >
    > Root --> OU1--> OU12--> CN (group)
    >
    > 1. If I point the connection to Root, every thing works fine. But this
    > would allow every one in the organization to access my application.
    > The goal is to restrict access to a group of users
    >
    > 2. If I point the LDAP connection to OU12, I am not getting the above
    > error. However provider's 'ValidateUser' method is returning false for
    > any member in the CN group. Either this method is not searching the
    > group or not finding the users in the group. I am using
    > sAMAccountName attribute.
    >
    > 3. If we put a test user directly under OU12 every thing works. Is
    > this the only way to configure AD to work with
    > ActiveDirectoyMembershipProvider? Using the groups under OUs seems to
    > be the reasonable option as this allows the admin to manage users
    > without worrying about different applications.
    >
    > Thank you,
    > chand
    >
    Joe Kaplan, Jul 22, 2007
    #5
  6. chand

    chand Guest

    OK. We made our application users members of a group and assigned
    that group to an OU container. And I am using the container as my
    connection string. But it appears that the asp.net membership provider
    cannot bind the users of that group. It simply returns an invalid login
    attempt error. Could it be that the provider doesn't support users of a
    group under a container?

    Thanks,
    chand
    chand, Jul 23, 2007
    #6
  7. chand

    Guest

    On Jul 23, 9:09 am, chand <> wrote:
    > OK. We made our application users, members of a group and assigned
    > that group to a OU container. And I am using the container as my
    > connection string. But it appears that asp.net membership provider
    > cannot Bind the users of that group. It simply returns invalid login
    > attempt error. Could it be that provider doesn't support users of a
    > group under a container?
    >
    > Thanks,
    > chand


    The users must be child objects of that container for your
    configuration to work. As you have it, the group is a child of the
    container, which is not the same thing. The group is an object, and
    users are objects. But the membership of the group is just a
    property. Therefore the binds will fail.
    , Aug 23, 2007
    #7
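As an added illustration of the answers above (this is not code from the thread or from the .NET provider), the following Python model reproduces chand's layout, Root --> OU1 --> OU12 --> CN (group), with made-up DNs and a simplified stand-in for the provider's objectClass check. It shows why pointing the provider at the group raises the "not superior" error, why a group member living in another OU is not found when the connection points at OU12, and how authentication through the container subtree and authorization through group membership are separate steps.

```python
# Added example (not code from the thread or the .NET provider): an in-memory
# model of chand's layout, Root --> OU1 --> OU12 --> CN (group). All DNs, names
# and the USER_SUPERIORS set are constructed for the example.
ROOT_DN = "DC=corp,DC=example"
OU12_DN = "OU=OU12,OU=OU1,DC=corp,DC=example"
GROUP_DN = "CN=AppUsers," + OU12_DN
ALICE_DN = "CN=alice,OU=Staff,DC=corp,DC=example"

DIRECTORY = {
    ROOT_DN: {"objectClass": ["domainDNS"]},
    "OU=OU1,DC=corp,DC=example": {"objectClass": ["organizationalUnit"]},
    OU12_DN: {"objectClass": ["organizationalUnit"]},
    # The group sits under OU12; its member object sits elsewhere in the tree.
    GROUP_DN: {"objectClass": ["group"], "member": [ALICE_DN]},
    ALICE_DN: {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    # The test user the AD admin placed directly under OU12.
    "CN=testuser," + OU12_DN: {"objectClass": ["user"], "sAMAccountName": ["testuser"]},
}

# Simplified stand-in for the provider's ContainerIsSuperiorOfUser check (assumed):
# only classes that can hold user objects qualify, and "group" is not one of them.
USER_SUPERIORS = {"domainDNS", "organizationalUnit", "container"}

def container_is_superior_of_user(object_classes):
    return bool(set(object_classes) & USER_SUPERIORS)

def is_under(dn, base_dn):
    """Hierarchy test: dn is base_dn or lies in its subtree. Unrelated to membership."""
    return dn == base_dn or dn.endswith("," + base_dn)

def find_user(base_dn, sam_account_name):
    """Model of the provider's lookup: subtree search for sAMAccountName under base_dn."""
    if not container_is_superior_of_user(DIRECTORY[base_dn]["objectClass"]):
        raise ValueError("User objects cannot be created in the specified container")
    for dn, attrs in DIRECTORY.items():
        if (is_under(dn, base_dn) and "user" in attrs["objectClass"]
                and sam_account_name in attrs.get("sAMAccountName", [])):
            return dn
    return None  # ValidateUser would return false here

def is_member(user_dn, group_dn):
    """Membership is an attribute of the group object, not a location in the tree."""
    return user_dn in DIRECTORY[group_dn].get("member", [])

def authorize(base_dn, sam_account_name, group_dn):
    """Authenticate through the container subtree, then authorize through group
    membership: the second step is the logic Joe says you must add yourself."""
    user_dn = find_user(base_dn, sam_account_name)
    return user_dn is not None and is_member(user_dn, group_dn)
```

With the connection at OU12, only testuser is found; alice is a member of the group but not a child of OU12, so the bind-style lookup fails exactly as described in the thread.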