DirectoryEntry memberOf property returns full path

I just need commonName from the groups the user is a member of.

    DirectoryEntry user = new DirectoryEntry("LDAP://cn=myuser....");
    foreach (string path in user.Properties["memberOf"])
        Console.WriteLine(path);

then the memberOf property contains a set of strings full of group paths. That makes sense, but that’s not what I want.

I'm pretty sure I could create a new DirectoryEntry for each of these paths to get the common name, but is it better to just parse the cn from the path? (which seems pretty rude)

There should be a better way to get SearchResults from the groups the user is a member of.

By the way, this is .NET 2, so I can’t do any of LINQ to AD’s fancy stuff and don’t have access to the new bits in DirectoryServices for ActiveDirectory.

+4
3 answers

CN does not necessarily match the name of the group. Parsing it from the DN is not recommended, since the DN is escaped. You will need to query the directory for the objects.

To get a single object, set the distinguished name as the search base, set the search scope to "base", and run the query.

Caching the query results in your application, so that the same LDAP query is not issued more than once, is desirable (in case you retrieve memberOf for more than one object per run).

Sample code (straight from MSDN, only slightly modified):

    string dn = "LDAP://CN=Group Name,OU=Groups,DC=fabrikam,DC=com";
    // Bind to a specific group.
    DirectoryEntry entry = new DirectoryEntry(dn);
    // Create a DirectorySearcher object.
    DirectorySearcher mySearcher = new DirectorySearcher(entry);
    mySearcher.SearchScope = SearchScope.Base;
    mySearcher.PropertiesToLoad.Add("displayName");
    // Use the FindOne method to find the group object.
    SearchResult resEnt = mySearcher.FindOne();
+2
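A fuller version of what this answer describes, added here as an example and not code from the answer or from MSDN: each group DN in memberOf is looked up with a base-scope search, results are cached for the run, and the primary group (which memberOf never lists) is resolved from the user's objectSid and primaryGroupID. The user path in Main and the example.com names are assumed placeholders; the ADsPath escaping of "/" and the "<SID=...>" binding syntax are standard ADSI behaviour.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not code from the original answer: look each memberOf group up
// in the directory (base-scope search, as the MSDN snippet does) instead of
// parsing the DN, cache the answers for the run, and also cover the primary
// group, which memberOf does not list. The user path in Main is a placeholder.
static class GroupNameResolver
{
    // Group DN -> display name; each group is queried at most once per run.
    static readonly Dictionary<string, string> cache =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // A DN is not an ADsPath: '/' separates ADsPath components, so a '/' inside
    // a DN must be escaped as "\/" before the "LDAP://" prefix is added.
    static string DnToAdsPath(string dn)
    {
        return "LDAP://" + dn.Replace("/", "\\/");
    }

    static string FirstString(SearchResult result, string attribute)
    {
        if (result == null || result.Properties[attribute].Count == 0)
            return null;
        return result.Properties[attribute][0] as string;
    }

    // Bind to the group and read displayName, falling back to cn.
    public static string LookupGroupName(string groupDn)
    {
        string name;
        if (cache.TryGetValue(groupDn, out name))
            return name;

        using (DirectoryEntry group = new DirectoryEntry(DnToAdsPath(groupDn)))
        using (DirectorySearcher searcher = new DirectorySearcher(group))
        {
            searcher.SearchScope = SearchScope.Base;
            searcher.PropertiesToLoad.Add("displayName");
            searcher.PropertiesToLoad.Add("cn");
            SearchResult result = searcher.FindOne();
            name = FirstString(result, "displayName") ?? FirstString(result, "cn");
        }
        cache[groupDn] = name;
        return name;
    }

    // The primary group's SID is the user's SID with the last RID replaced by
    // primaryGroupID; ADSI can bind by SID using the "<SID=...>" syntax.
    public static string PrimaryGroupDn(DirectoryEntry user)
    {
        byte[] sidBytes = (byte[])user.Properties["objectSid"].Value;
        int primaryGroupId = (int)user.Properties["primaryGroupID"].Value;
        string userSid = new SecurityIdentifier(sidBytes, 0).Value;
        string groupSid = userSid.Substring(0, userSid.LastIndexOf('-') + 1) + primaryGroupId;
        using (DirectoryEntry group = new DirectoryEntry("LDAP://<SID=" + groupSid + ">"))
        {
            return (string)group.Properties["distinguishedName"].Value;
        }
    }

    static void Main(string[] args)
    {
        string userPath = args.Length > 0
            ? args[0]
            : "LDAP://CN=myuser,OU=Users,DC=example,DC=com"; // assumed placeholder
        using (DirectoryEntry user = new DirectoryEntry(userPath))
        {
            foreach (string groupDn in user.Properties["memberOf"])
                Console.WriteLine("{0}  <-  {1}", LookupGroupName(groupDn), groupDn);

            string primaryDn = PrimaryGroupDn(user);
            Console.WriteLine("{0}  <-  {1}  (primary group)", LookupGroupName(primaryDn), primaryDn);
        }
    }
}
```

The entry binds with the caller's own security context (no embedded credentials); displayName is read first because, as the answer notes, cn is not necessarily the group's displayed name.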

Unfortunately, in .NET 2.0 there is no better way than what you are describing. The memberOf attribute simply contains the full distinguished names of all the groups the user is a member of, so the best solution is to parse each distinguished name.

0
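If the DN does have to be parsed, as this answer suggests, the escaping that the first answer warns about has to be handled. The following is an added example, not code from either answer: it extracts the first RDN value according to RFC 4514 (backslash escapes and "\XX" hex pairs, which encode raw UTF-8 bytes) and contrasts it with a naive Split(','). The sample DNs are constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example, not code from the original answer: parse the first RDN of a
// DN per RFC 4514 instead of splitting on ','. A comma, '+', '"', '\' and so on
// inside a value appear as "\," or as a "\XX" hex pair (one UTF-8 byte), and a
// naive split breaks on them. The DNs in Main are constructed sample values.
static class DnParser
{
    // Returns the value of the first RDN if its attribute type matches
    // (e.g. "CN"), with escapes removed; otherwise null.
    public static string FirstRdnValue(string dn, string attributeType)
    {
        int eq = dn.IndexOf('=');
        if (eq < 0 || !string.Equals(dn.Substring(0, eq).Trim(), attributeType,
                                     StringComparison.OrdinalIgnoreCase))
            return null;

        List<byte> bytes = new List<byte>();          // raw UTF-8 of the decoded value
        StringBuilder pending = new StringBuilder();   // literal chars not yet encoded
        for (int i = eq + 1; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == ',' || c == '+')                  // unescaped separator ends the RDN
                break;
            if (c != '\\' || i + 1 >= dn.Length)
            {
                pending.Append(c);
                continue;
            }
            char next = dn[i + 1];
            if (IsHex(next) && i + 2 < dn.Length && IsHex(dn[i + 2]))
            {
                // \XX is one raw UTF-8 byte; flush literal text first so bytes stay in order
                bytes.AddRange(Encoding.UTF8.GetBytes(pending.ToString()));
                pending.Length = 0;
                bytes.Add(Convert.ToByte(dn.Substring(i + 1, 2), 16));
                i += 2;
            }
            else
            {
                pending.Append(next);                  // "\," "\+" "\\" etc.: take the char literally
                i += 1;
            }
        }
        bytes.AddRange(Encoding.UTF8.GetBytes(pending.ToString()));
        return Encoding.UTF8.GetString(bytes.ToArray());
    }

    static bool IsHex(char c)
    {
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    static void Main()
    {
        string[] samples =
        {
            "CN=Domain Admins,CN=Users,DC=example,DC=com",
            "CN=Smith\\, John,OU=Sales,DC=example,DC=com",        // escaped comma in the value
            "CN=M\\C3\\BCller Team,OU=Groups,DC=example,DC=com",  // hex-escaped UTF-8 bytes
        };
        foreach (string dn in samples)
        {
            Console.WriteLine("naive split : " + dn.Split(',')[0]);
            Console.WriteLine("RFC 4514    : " + FirstRdnValue(dn, "CN"));
        }
    }
}
```

For the second sample the naive split yields "CN=Smith\" while the parser yields "Smith, John"; for the third it yields "Müller Team". Even a correct parser only recovers the cn, not the group's displayName, which is why the first answer prefers a directory lookup.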

Found this old thread in the "Related" section.

There are two more suggestions on this.
Each of them can retrieve the objects in the memberOf attribute directly as SearchResults in one search.

All code is in C#.

Attribute Scope Request (ASQ):

    DirectoryEntry userEntry = new DirectoryEntry("LDAP://<server>/<user DN>", "user", "pwd");
    DirectorySearcher searcher = new DirectorySearcher(userEntry);
    searcher.SearchScope = SearchScope.Base;
    searcher.AttributeScopeQuery = "memberOf";
    searcher.PropertiesToLoad.Clear();
    // just load any attributes you want, not limited to cn
    searcher.PropertiesToLoad.Add("cn");
    foreach (SearchResult result in searcher.FindAll())
    {
        Console.WriteLine(result.Path);
    }

Limitations:

  • Does not handle primary group membership
  • Functional level 2003 is required (forgot whether domain or forest)
  • ASQ does not work across domains (at least System.DirectoryServices cannot; it throws an exception for any object in another domain)

LDAP_MATCHING_RULE_IN_CHAIN matching rule:

    DirectoryEntry rootEntry = new DirectoryEntry("GC://<GC server>", "user", "pwd");
    DirectorySearcher searcher = new DirectorySearcher(rootEntry);
    searcher.SearchScope = SearchScope.Subtree;
    searcher.Filter = "(member:1.2.840.113556.1.4.1941:=<user DN>)";
    searcher.PropertiesToLoad.Clear();
    // just load any attributes you want, not limited to cn
    searcher.PropertiesToLoad.Add("cn");
    foreach (SearchResult result in searcher.FindAll())
    {
        Console.WriteLine(result.Path);
    }

Limitations:

  • Does not handle primary group membership
  • Functional level 2008 R2 is required (forgot whether domain or forest)
  • It returns nested group membership, not just one memberOf level
0
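The matching-rule filter above is built by pasting the user DN into a string, and the DN is a value inside an RFC 4515 filter, so filter-special characters in it must be hex-escaped. The following is an added example, not code from the answer: it escapes the value, builds the filter, and runs the global catalog search with paged results, binding with the caller's own credentials rather than an embedded user name and password. The GC path and the DN are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example, not code from the original answer: the user DN is a *value*
// inside the LDAP_MATCHING_RULE_IN_CHAIN filter, so characters that are special
// in an RFC 4515 filter must be hex-escaped before concatenation. A DN such as
// "CN=Smith\, John,..." contains a backslash, and '(' ')' '*' are legal in names
// too; pasting them in unescaped produces a malformed filter or one that matches
// the wrong objects. The GC path and DN in Main are assumed placeholders.
static class ChainedGroupSearch
{
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Filter for every group that has the user as a direct or nested member.
    public static string BuildFilter(string userDn)
    {
        return "(member:1.2.840.113556.1.4.1941:=" + EscapeFilterValue(userDn) + ")";
    }

    // Searches the global catalog (cn is in its partial attribute set) and
    // returns the cn of each matching group; paging avoids truncated results
    // for users with large memberships.
    public static List<string> FindGroupNames(string gcPath, string userDn)
    {
        List<string> names = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(gcPath))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = BuildFilter(userDn);
            searcher.PropertiesToLoad.Clear();
            searcher.PropertiesToLoad.Add("cn");
            searcher.PageSize = 500;
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                    names.Add((string)result.Properties["cn"][0]);
            }
        }
        return names;
    }

    static void Main(string[] args)
    {
        // Constructed sample DN with an escaped comma; its backslash becomes "\5c" in the filter.
        string sampleDn = "CN=Smith\\, John,OU=Sales,DC=example,DC=com";
        Console.WriteLine(BuildFilter(sampleDn));

        // args: GC path (e.g. "GC://<GC server>") and the user's DN
        if (args.Length == 2)
            foreach (string cn in FindGroupNames(args[0], args[1]))
                Console.WriteLine(cn);
    }
}
```

The server decodes the filter escapes before evaluating the extensible match, so the escaped value still compares against the stored DN. The same escaping applies to any attribute value placed in a filter, not only to DNs.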
