Retrieving user groups in Active Directory

I have a problem integrating my ASP.NET web service with Active Directory: I want to use it for authentication, and to verify which AD groups users are members of and whether they have permission to use my custom application.

My custom application has its own permissions, and administrators configure Active Directory groups that allow the use of the custom application.

The problem I am encountering is that when a user from another trusted AD forest (with a full two-way trust) tries to log in, I cannot get a list of his groups from the AD server that the ASP.NET web service interacts with. The ASP.NET web service has access only to the AD server (AD Main), and not to the trusted domain's controller (AD Secondary).

The user is a member of one domain (AD Secondary), and I can authenticate this user in the other domain (AD Main), but I cannot get a list of groups from the AD Main domain when the user belongs to the AD Secondary domain.

I've tried this code.

    using System;
    using System.Collections;
    using System.Collections.Specialized;
    using System.Diagnostics;
    using System.DirectoryServices;

    StringCollection groupids = new StringCollection();
    try
    {
        // Bind with explicit credentials. Invoke("Groups") calls IADsUser.Groups,
        // so this entry must be bound to the user object, not the domain root.
        DirectoryEntry directoryEntry = new DirectoryEntry("LDAP://" + domain, username, password);

        // Enumerate the properties so we can see what is in them.
        foreach (string propname in directoryEntry.Properties.PropertyNames)
        {
            Debug.WriteLine(propname);
        }

        // Groups comes back as a native ADSI collection of IADs objects.
        object obGroups = directoryEntry.Invoke("Groups");
        foreach (object ob in (IEnumerable)obGroups)
        {
            // Wrap each native group object in a DirectoryEntry.
            DirectoryEntry obGpEntry = new DirectoryEntry(ob);
            groupids.Add(obGpEntry.NativeGuid);
        }
    }
    catch (DirectoryServicesCOMException)
    {
        throw; // rethrow without discarding the original stack trace
    }

I've tried to move away from the DirectoryEntry object, with something like this.

    using System.Collections.Specialized;
    using System.DirectoryServices.AccountManagement;

    StringCollection groupids = new StringCollection();

    // Bind a principal context to the domain with explicit credentials.
    PrincipalContext yourDomain = new PrincipalContext(ContextType.Domain, domain, userName, password);

    // Find your user.
    UserPrincipal user = UserPrincipal.FindByIdentity(yourDomain, userName);

    // If found, grab its groups.
    if (user != null)
    {
        // GetGroups returns only direct memberships; GetAuthorizationGroups
        // would also include nested groups and the primary group.
        PrincipalSearchResult<Principal> groups = user.GetGroups();

        // Iterate over all groups.
        foreach (Principal p in groups)
        {
            // Make sure to add only group principals.
            if (p is GroupPrincipal)
            {
                groupids.Add(p.DisplayName);
            }
        }
    }

But I am not getting the user, and I cannot get the list of groups for this user from the other domain. Any help would be appreciated.

2 answers

This seems to be a great use case for the memberOf AD attribute. Using your DirectoryEntry object (directoryEntry), you can list which groups the user belongs to.

    foreach (object group in directoryEntry.Properties["memberOf"])
    {
        // Each memberOf value is the distinguished name of a group the user is a direct member of.
        DirectoryEntry obGpEntry = new DirectoryEntry("LDAP://" + (string)group);
        groupids.Add(obGpEntry.NativeGuid);
    }

It is also likely that you can use the first code segment if you prefix ob with "LDAP://".

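The memberOf approach above only returns the groups the user's own directory object is a direct member of, and a user from AD Secondary has no user object in AD Main to read memberOf from. For the authorization decision itself, an added example (not code from the question or the answers) that compares group SIDs from the authenticated caller's logon token against the SIDs of the groups the administrators configured. It assumes the web service runs under Windows (Negotiate) authentication so a WindowsIdentity is available, and that allowed groups are stored as SID strings; the SID values shown are constructed placeholders, not real identifiers.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Added example: authorize by group SID taken from the caller's logon token.
// When a user from a trusted forest authenticates to a resource in AD Main, the
// Kerberos/NTLM logon builds a token that already carries the AD Main domain-local
// groups the foreign user was placed in (domain-local groups are the only group
// scope that can hold principals from another forest), nested groups included.
public static class GroupAuthorization
{
    // Allowed-group list as it might be read from the application's configuration.
    // Constructed placeholder SIDs, assumed for this example.
    public static readonly IReadOnlyList<string> AllowedGroupSids = new[]
    {
        "S-1-5-21-1111111111-2222222222-3333333333-1105", // e.g. AppUsers (domain local, AD Main)
        "S-1-5-21-1111111111-2222222222-3333333333-1106", // e.g. AppAdmins (domain local, AD Main)
    };

    // Group SIDs carried in the caller's token. No directory round trip is needed,
    // so this works even though the service cannot reach AD Secondary.
    public static IEnumerable<SecurityIdentifier> GetTokenGroupSids(WindowsIdentity identity)
    {
        if (identity == null || identity.Groups == null)
            return Enumerable.Empty<SecurityIdentifier>();

        return identity.Groups
            .Select(g => g as SecurityIdentifier) // token groups are already SIDs
            .Where(s => s != null);
    }

    // Pure membership check. SIDs, not display names, are compared: a group name
    // can exist in both forests, but a SID identifies exactly one group.
    public static bool IsAuthorized(IEnumerable<SecurityIdentifier> tokenGroups, IEnumerable<string> allowedSids)
    {
        var allowed = new HashSet<SecurityIdentifier>(allowedSids.Select(s => new SecurityIdentifier(s)));
        return tokenGroups.Any(allowed.Contains);
    }

    // Entry point for the request pipeline, e.g. with
    // HttpContext.Current.User.Identity as WindowsIdentity.
    public static bool IsAuthorized(WindowsIdentity identity)
    {
        return IsAuthorized(GetTokenGroupSids(identity), AllowedGroupSids);
    }
}
```

Storing the configured groups as SIDs also means the check keeps working when a group is renamed, and it avoids holding a username and password in the service just to bind to LDAP, which the two snippets in the question both do.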

I think you need to connect to the remote AD and get the data you need.

I once wrote a replication routine where I replicate from many ADs.

Some of it:

    Imports System.DirectoryServices.AccountManagement

    Public Function GetDirectoryEntry() As PrincipalContext
        If InStr(1, m_sLdapPath, "DC=") > 0 Then
            ' Domain context: m_sLdapPath is the container to search under.
            Return New PrincipalContext(ContextType.Domain, m_sDomain, m_sLdapPath)
        Else
            ' Machine context: the container argument must be omitted for local accounts.
            Return New PrincipalContext(ContextType.Machine, m_sDomain)
        End If
    End Function

    Public Function GetUserList() As PrincipalSearchResult(Of Principal)
        Dim directory_service As PrincipalContext = GetDirectoryEntry()
        ' An empty UserPrincipal used as the query-by-example filter matches every user.
        Dim directory_user As New UserPrincipal(directory_service)
        Dim directory_userlist As New PrincipalSearcher(directory_user)
        Return directory_userlist.FindAll()
    End Function

    Public Function GetGroupList() As PrincipalSearchResult(Of Principal)
        Dim directory_service As PrincipalContext = GetDirectoryEntry()
        ' Likewise, an empty GroupPrincipal matches every group.
        Dim directory_group As New GroupPrincipal(directory_service)
        Dim directory_grouplist As New PrincipalSearcher(directory_group)
        Return directory_grouplist.FindAll()
    End Function

I know that this is not exactly what you need, but it shows how to connect and extract data from any AD. In my case, I get a list of users, a list of groups, or something else, and then work with these collections.

    ' oDirectory is the object exposing GetGroupList() above, and
    ' directory_service is the PrincipalContext it searches.
    Dim l_oGroupList As PrincipalSearchResult(Of Principal) = oDirectory.GetGroupList()
    For Each l_oPrincipal As Principal In l_oGroupList
        Dim l_oGroup As GroupPrincipal = TryCast(l_oPrincipal, GroupPrincipal)
        If l_oGroup IsNot Nothing AndAlso l_oGroup.Members.Count > 0 Then
            If l_oGroup.Members.Contains(directory_service, IdentityType.UserPrincipalName, Username) Then
                ' He is part of the group.
            End If
        End If
    Next

Hope this helps solve the problem a bit...

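The answer above enumerates every group and checks each one's member list, which scales poorly and still needs the user's principal to be resolvable. An added example (not code from the question or either answer) that asks AD Main directly which of its groups contain the trusted-forest user. It relies on how AD represents a principal from another forest: AD Main holds no user object for him, but it creates a foreignSecurityPrincipal object named after his SID under CN=ForeignSecurityPrincipals the first time he is added to a group, and that object is what appears in the group's member attribute. It assumes ldapPath points at AD Main ("LDAP://" plus a DC name or the domain), that the service account can read the ForeignSecurityPrincipals container and group objects, and that the user's SID is already known (for instance from WindowsIdentity.User after authentication).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example: resolve an AD Secondary user's group memberships using AD Main only,
// by searching for groups whose "member" attribute contains the user's
// foreignSecurityPrincipal object. ldapPath and the service account are assumptions.
public static class ForeignUserGroups
{
    // LDAP filters treat ( ) * \ and NUL specially; escape them per RFC 4515 so a DN
    // or SID taken from outside cannot change the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Find the foreignSecurityPrincipal for a SID. AD accepts the SDDL string form of a
    // SID in an objectSid filter. Returns null if the user was never added to any
    // AD Main group, because the FSP object only exists once he has been.
    public static string FindForeignSecurityPrincipalDn(string ldapPath, SecurityIdentifier userSid)
    {
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectClass=foreignSecurityPrincipal)(objectSid="
                              + EscapeFilterValue(userSid.Value) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = searcher.FindOne();
            return hit == null ? null : (string)hit.Properties["distinguishedName"][0];
        }
    }

    // All groups containing memberDn. With includeNested, the LDAP_MATCHING_RULE_IN_CHAIN
    // rule (OID 1.2.840.113556.1.4.1941) makes the server walk group nesting for us.
    public static List<string> FindGroupsContaining(string ldapPath, string memberDn, bool includeNested)
    {
        var groupSids = new List<string>();
        string op = includeNested ? "member:1.2.840.113556.1.4.1941:=" : "member=";

        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=group)(" + op + EscapeFilterValue(memberDn) + "))";
            searcher.PropertiesToLoad.Add("objectSid");
            searcher.PageSize = 500; // paged results, so large domains are not cut off at the server limit

            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    // Keep the SID rather than the name so the application compares stable identifiers.
                    var sid = new SecurityIdentifier((byte[])r.Properties["objectSid"][0], 0);
                    groupSids.Add(sid.Value);
                }
            }
        }
        return groupSids;
    }

    // Group SIDs in AD Main (direct and nested) for a user from the trusted forest.
    public static List<string> GroupsForForeignUser(string ldapPath, SecurityIdentifier userSid)
    {
        string fspDn = FindForeignSecurityPrincipalDn(ldapPath, userSid);
        if (fspDn == null)
            return new List<string>();
        return FindGroupsContaining(ldapPath, fspDn, includeNested: true);
    }
}
```

If only the account name is known, new NTAccount("SECONDARY\\user").Translate(typeof(SecurityIdentifier)) resolves it to a SID through AD Main's domain controller, which forwards the lookup over the trust; the service itself still never has to reach AD Secondary.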

Source: https://habr.com/ru/post/912799/
