C# ActiveDirectory LDAP Group Querying

Basically, what I'm trying to do: I have an ASP.NET web application that uses authentication with special code to associate it with ActiveDirectory (very similar to how this one works).

However, whenever I query a domain controller for a user's groups, it returns only the groups the user is explicitly in, and not subgroups (for example, say there is a specific security group the user belongs to, group A, and group A is a member of another group, group B, which is the one I want; the user is explicitly in group A but only implicitly in group B, because group A is a member of group B).

I read that a tokenGroups query could help me here, but I currently have no way to parse this data.

However, it would be most preferable if I could pass specific groups in an LDAP query and have the domain controller just give me a boolean value (true / false) for whether this user is in the group or not.

Any suggestions?

+4
1 answer

Yes, the "regular" user.Properties["memberOf"] returns only direct memberships.

If you are using .NET 3.5, you can use the more advanced "principal-based" methods:

```csharp
using System;
using System.DirectoryServices.AccountManagement;

using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
    // UserPrincipal.FindByIdentity is the public lookup; the Principal base
    // class has no public FindByIdentity of its own.
    using (UserPrincipal p = UserPrincipal.FindByIdentity(ctx, "yourUserName"))
    {
        if (p == null)
            throw new InvalidOperationException("user not found");

        // GetGroups() lists the groups the user is a direct member of;
        // GetAuthorizationGroups() additionally walks nested groups.
        var groups = p.GetGroups();
        using (groups)
        {
            foreach (Principal group in groups)
            {
                Console.WriteLine(group.SamAccountName + " - " + group.DisplayName);
            }
        }
    }
}
```

This method (add a reference to the "System.DirectoryServices.AccountManagement" assembly to your project) should work and deliver the user's primary group and its membership in nested groups.

If you are using .NET 2.0 / 3.0 and cannot move up, the approach of reading the "tokenGroups" attribute is the best one - see details on how to do it all in Ryan Dunn's great blog post, Enumerating Token Groups (tokenGroups) in .NET.

Mark

+4
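Both routes the answer mentions, worked through as an added example (this is not code from the answer or from the blog post it links): the .NET 3.5 principal API with GetAuthorizationGroups(), which returns the nested membership the questioner wants, and the .NET 2.0 tokenGroups attribute read through DirectoryEntry. Each route ends in the boolean "is this user in that group" check the question asks for. The user name, group name and LDAP paths are placeholders, and the code assumes it runs on a domain-joined machine as an account permitted to read the directory.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not part of the original answer. "yourUserName", "GroupB"
// and the LDAP paths below are placeholders.
public static class NestedMembership
{
    // .NET 3.5 route. GetAuthorizationGroups() returns every security group in
    // the user's token, nested groups included, whereas GetGroups() lists only
    // direct memberships. Membership is compared by SID, never by display name,
    // because names are not unique across domains and can be renamed.
    public static bool IsInGroupNested(string userSamAccountName, string groupSamAccountName)
    {
        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userSamAccountName))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, groupSamAccountName))
        {
            // Unknown user or group: deny instead of throwing, so a typo in a
            // configured group name can never grant access.
            if (user == null || group == null)
                return false;

            using (PrincipalSearchResult<Principal> token = user.GetAuthorizationGroups())
            {
                foreach (Principal g in token)
                {
                    if (g.Sid != null && g.Sid.Equals(group.Sid))
                        return true;
                }
            }
            return false;
        }
    }

    // .NET 2.0 route. tokenGroups is a constructed attribute: the DC only
    // computes it when it is requested explicitly via RefreshCache. Each value
    // is a binary SID, covering direct and nested security groups.
    public static List<SecurityIdentifier> ReadTokenGroups(DirectoryEntry user)
    {
        user.RefreshCache(new string[] { "tokenGroups" });
        List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
        foreach (byte[] sidBytes in user.Properties["tokenGroups"])
        {
            sids.Add(new SecurityIdentifier(sidBytes, 0));
        }
        return sids;
    }

    // Boolean check on top of tokenGroups: read the target group's objectSid
    // once and test whether that SID is present in the user's token.
    public static bool IsInGroupViaTokenGroups(DirectoryEntry user, DirectoryEntry group)
    {
        byte[] groupSidBytes = (byte[])group.Properties["objectSid"].Value;
        SecurityIdentifier groupSid = new SecurityIdentifier(groupSidBytes, 0);
        foreach (SecurityIdentifier sid in ReadTokenGroups(user))
        {
            if (sid.Equals(groupSid))
                return true;
        }
        return false;
    }

    // For display only: resolve a SID to DOMAIN\Name, keeping the raw SID when
    // the local machine cannot map it (e.g. a group from a trusted domain).
    public static string DescribeSid(SecurityIdentifier sid)
    {
        try
        {
            return sid.Translate(typeof(NTAccount)).Value;
        }
        catch (IdentityNotMappedException)
        {
            return sid.Value;
        }
    }

    public static void Main()
    {
        Console.WriteLine(IsInGroupNested("yourUserName", "GroupB"));

        using (DirectoryEntry user = new DirectoryEntry("LDAP://CN=yourUserName,OU=Users,DC=example,DC=com"))
        using (DirectoryEntry group = new DirectoryEntry("LDAP://CN=GroupB,OU=Groups,DC=example,DC=com"))
        {
            Console.WriteLine(IsInGroupViaTokenGroups(user, group));
            foreach (SecurityIdentifier sid in ReadTokenGroups(user))
                Console.WriteLine(DescribeSid(sid));
        }
    }
}
```

Two points worth keeping in mind when wiring this into an authorization check: both routes reflect the security groups in the user's token, so distribution groups do not appear in either; and the SID comparison in both functions is deliberate, since granting access on a matched group name rather than a matched SID is what lets a renamed or look-alike group slip through.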
