Can I map a user to a group across different domains?

I am trying to write an LDAP query that will detect whether the user is a member of the group that matches the substitution request, and I am trying to use the LDAP_MATCHING_RULE_IN_CHAIN OID for this. I basically follow example 2 on this page:

http://support.microsoft.com/kb/914828

I found that this method works well within a domain, i.e. if user1 is in group1 and group1 is in group2, then I can write a query matching "*2" and the LDAP query will follow the nested relationship and map the user to the group.

However, now I have been asked to maintain relationships between domains in the same forest. So now I have:

  • user1 is a member of group1 in domain 1
  • group1 in domain 1 is a member of group2 in domain 2

And I want to be able to map user1 to group2. I cannot work out how to get LDAP_MATCHING_RULE_IN_CHAIN to do this.

I tried setting the search base to the following:

  • Domain 1, but it just returns the groups in domain 1
  • The parent domain of domain 1 and domain 2, but this returns no results
  • The GC, found by querying the rootDSE, but that just returns the groups inside domain 1 (which is where the GC server is)

Does anyone know how I can make this work?

1 answer

As I understand it, one way to do this is:

  • In RootDSE, find the configuration naming context (configurationNamingContext).
  • In the configuration naming context, look for objects of class crossRef that have a nETBIOSName attribute.
  • From these entries, apply the algorithm you describe using dnsRoot and nCName: with working DNS in the forest, dnsRoot lets you bind to the domain, and nCName lets you search from the root of that domain.

Be careful: do this as a member of the Enterprise Admins group.

Here is some sample code.

```csharp
using System;
using System.DirectoryServices;

/* Retrieving RootDSE */
string ldapBase = "LDAP://WM2008R2ENT:389/";
string sFromWhere = ldapBase + "rootDSE";
DirectoryEntry root = new DirectoryEntry(sFromWhere, "dom\\jpb", "PWD");
string configurationNamingContext = root.Properties["configurationNamingContext"][0].ToString();

/* Retrieving the root of all the domains: one crossRef object per domain partition */
sFromWhere = ldapBase + configurationNamingContext;
DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "dom\\jpb", "PWD");
DirectorySearcher dsLookForDomain = new DirectorySearcher(deBase);
dsLookForDomain.Filter = "(&(objectClass=crossRef)(nETBIOSName=*))";
dsLookForDomain.SearchScope = SearchScope.Subtree;
dsLookForDomain.PropertiesToLoad.Add("nCName");
dsLookForDomain.PropertiesToLoad.Add("dnsRoot");
SearchResultCollection srcDomains = dsLookForDomain.FindAll();

foreach (SearchResult aSRDomain in srcDomains)
{
    /* For each root look for the groups containing my user */
    string nCName = aSRDomain.Properties["nCName"][0].ToString();
    string dnsRoot = aSRDomain.Properties["dnsRoot"][0].ToString();

    /* To find all the groups that "user1" is a member of:
     *   Set the base to the groups container DN; for example the root DN (dc=dom,dc=fr)
     *   Set the scope to subtree
     *   Use the following filter:
     *   (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
     */

    /* Connection to Active Directory: bind to the domain via dnsRoot, search from nCName */
    sFromWhere = "LDAP://" + dnsRoot + "/" + nCName;
    deBase = new DirectoryEntry(sFromWhere, "dom\\jpb", "PWD");
    DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
    // you can complete the filter here:
    // (&(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)(cn=*2))
    dsLookFor.Filter = "(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)";
    dsLookFor.SearchScope = SearchScope.Subtree;
    dsLookFor.PropertiesToLoad.Add("cn");
    SearchResultCollection srcGroups = dsLookFor.FindAll();
    foreach (SearchResult srcGroup in srcGroups)
    {
        Console.WriteLine("{0}", srcGroup.Path);
    }
}
```

This is just a proof of concept; you still have to:

  • use the using(){} form to hold the DirectoryEntry objects
  • add exception handling


Edited (2011-10-18 13:25)

Following your comment on the way you solved the problem, you can find a method for this in the System.DirectoryServices.AccountManagement namespace. It is a kind of recursive solution. This time I tested a user belonging to group1 (in another domain), which belongs to group2 (in a third domain), and it seems to work.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

/* Retrieving a principal context */
Console.WriteLine("Retrieving a principal context");
PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, "WM2008R2ENT:389", "dc=dom,dc=fr", "jpb", "PWD");

/* Look for all the groups a user belongs to */
UserPrincipal aUser = UserPrincipal.FindByIdentity(domainContext, "user1");
PrincipalSearchResult<Principal> a = aUser.GetAuthorizationGroups();
foreach (GroupPrincipal gTmp in a)
{
    Console.WriteLine(gTmp.Name);
}
```
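An added example that is not code from the question or the answer above. It covers two things the answer's proof of concept leaves implicit: the user DN is concatenated straight into the search filter, so the example builds the `(member:1.2.840.113556.1.4.1941:=<dn>)` filter with the DN escaped per RFC 4515 (a DN containing `(`, `)`, `*` or `\` would otherwise change the filter); and it reproduces offline what the matching rule computes, the transitive closure of the `member` attribute with a cycle guard, and why a search based at one partition's nCName only returns that partition's groups, so the per-crossRef results have to be unioned. The domain names dom.fr and child.dom.fr, the DNs and the group memberships are constructed for the demo; the model assumes every group's `member` attribute is visible and does not reproduce the replication-scope effect the asker saw on a single DC or GC. The real search would be issued per crossRef with an LDAP client; the example stops at producing the (server, base, filter) triples for it.

```python
"""Added example: safe LDAP_MATCHING_RULE_IN_CHAIN filters and an offline
model of the nested-group walk across a forest.  All names are constructed."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def chain_filter(user_dn: str, cn_pattern: Optional[str] = None) -> str:
    """Filter matching every group whose nested member chain contains user_dn.

    cn_pattern (e.g. '*2') is appended unescaped, as in the answer's comment,
    so it must come from trusted code, never from user input.
    """
    flt = "(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))
    if cn_pattern is not None:
        flt = "(&%s(cn=%s))" % (flt, cn_pattern)
    return flt


def plan_searches(crossrefs: Iterable[Dict[str, str]], user_dn: str) -> List[Tuple[str, str, str]]:
    """One (server, search base, filter) triple per domain partition, taken from
    the dnsRoot / nCName attributes of the crossRef objects (step 3 of the answer)."""
    flt = chain_filter(user_dn)
    return [(cr["dnsRoot"], cr["nCName"], flt) for cr in crossrefs]


def partition_of(dn: str, nc_names: Iterable[str]) -> Optional[str]:
    """The naming context holding dn: the longest nCName that is a suffix of it
    (a child domain's nCName is itself suffixed by the parent's)."""
    best = None
    for nc in nc_names:
        if dn.lower().endswith("," + nc.lower()) and (best is None or len(nc) > len(best)):
            best = nc
    return best


def groups_containing(user_dn: str, directory: Dict[str, List[str]],
                      base_nc: Optional[str] = None, nc_names: Iterable[str] = ()) -> List[str]:
    """Offline model of (member:1.2.840.113556.1.4.1941:=user_dn).

    directory maps group DN -> member DNs (the 'member' attribute).  The walk
    follows member links transitively; the visited set makes nested-group
    cycles terminate.  With base_nc set, only groups whose partition is base_nc
    are returned, which is what a search based at that partition's nCName
    yields.  Model assumption: every group's member attribute is visible.
    """
    seen: Set[str] = {user_dn.lower()}
    found: Set[str] = set()
    frontier = [user_dn]
    while frontier:
        target = frontier.pop().lower()
        for group_dn, members in directory.items():
            if group_dn.lower() in seen:
                continue
            if any(m.lower() == target for m in members):
                seen.add(group_dn.lower())
                found.add(group_dn)
                frontier.append(group_dn)
    if base_nc is not None:
        nc_list = list(nc_names)
        found = {g for g in found if partition_of(g, nc_list) == base_nc}
    return sorted(found)


def groups_across_forest(crossrefs: List[Dict[str, str]], directory: Dict[str, List[str]],
                         user_dn: str) -> List[str]:
    """Union of the per-partition searches: the answer's loop over crossRef entries."""
    nc_names = [cr["nCName"] for cr in crossrefs]
    result: Set[str] = set()
    for _server, base, _flt in plan_searches(crossrefs, user_dn):
        result.update(groups_containing(user_dn, directory, base, nc_names))
    return sorted(result)


# Constructed forest: two domains, as their crossRef objects would describe them.
CROSSREFS = [
    {"dnsRoot": "dom.fr", "nCName": "DC=dom,DC=fr"},
    {"dnsRoot": "child.dom.fr", "nCName": "DC=child,DC=dom,DC=fr"},
]

USER1 = "CN=user1 Users,OU=MonOu,DC=dom,DC=fr"

# Constructed 'member' attributes: group1 (domain 1) holds user1; group2 (domain 2)
# holds group1; group2 and group3 nest each other to exercise the cycle guard.
DIRECTORY = {
    "CN=group1,OU=MonOu,DC=dom,DC=fr": [USER1],
    "CN=group2,OU=Groups,DC=child,DC=dom,DC=fr": ["CN=group1,OU=MonOu,DC=dom,DC=fr",
                                                  "CN=group3,OU=Groups,DC=child,DC=dom,DC=fr"],
    "CN=group3,OU=Groups,DC=child,DC=dom,DC=fr": ["CN=group2,OU=Groups,DC=child,DC=dom,DC=fr"],
    "CN=unrelated,OU=Groups,DC=child,DC=dom,DC=fr": ["CN=someone,OU=MonOu,DC=dom,DC=fr"],
}

if __name__ == "__main__":
    nc_names = [cr["nCName"] for cr in CROSSREFS]
    for server, base, flt in plan_searches(CROSSREFS, USER1):
        print("LDAP://%s/%s  %s" % (server, base, flt))
        print("  ->", groups_containing(USER1, DIRECTORY, base, nc_names))
    print("all:", groups_across_forest(CROSSREFS, DIRECTORY, USER1))
```

Searching from DC=dom,DC=fr alone returns only group1, which is the first symptom described in the question; only the union over both partitions lists group2 and group3. The `partition_of` helper matters because a child domain's DN is a suffix match for the parent's nCName, so a naive suffix test would wrongly attribute child-domain groups to the parent partition.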

Source: https://habr.com/ru/post/900483/

