bostjanc
Member
8 Points
5 Posts
ASP page, LDAP query in two domains
Nov 22, 2011 01:57 PM
Greetings!
We use ASP script in our company to have some kind of internal addressbook on our intranet site.
We have one slight problem.
1 forest, two domains (one parent and one child).
For example:
domain1.local
domain2.company.local
In ASP script we are able to connect over LDAP to parent domain (domain1.local) but not able to connect to 2nd domain.
Domain admin is in "all possible" Administrator groups in second domain...
Part of the script:
'=========================================
' SET LDAP DATA
'=========================================
domainContainer = "DC=company,DC=local"
' Original LDAP-dialect query, intentionally left commented out (VBScript comments use ' rather than //):
'ldapStrUsers = "<LDAP://" & domainContainer & ">;(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectClass=msExchDynamicDistributionList)));adspath;subtree"
' Note: keyword is concatenated into the filter without escaping, so a quote or wildcard in it reaches the query as-is.
if IsNull(keyword) or keyword = "" then
ldapFilter = ""
else
ldapFilter = " AND (sn='"&keyword&"*' OR givenname='"&keyword&"*' OR initials='"&keyword&"*' OR cn='"&keyword&"*' OR telephonenumber='*"&keyword&"*' OR mobile='*"&keyword&"*' OR ipPhone='*"&keyword&"*')"
end if
' The 'Workers-third company' DN was missing its CN= prefix; added so it matches the other group DNs.
if (status = "1") then
ldapFilter = ldapFilter & " AND ((memberOf='CN=Workers,OU=Microsoft Exchange Distribution Groups,DC=Company,DC=local') OR (memberOf='CN=Workers-child company,OU=Microsoft Exchange Distribution Groups,DC=company,DC=local') OR (memberOf='CN=Workers-third company,OU=Microsoft Exchange Distribution Groups,DC=company,DC=local'))"
elseif (status = "2") then
ldapFilter = ldapFilter & " AND (memberOf='CN=students,OU=Microsoft Exchange Distribution Groups,DC=company,DC=local')"
elseif (status = "3") then
ldapFilter = ldapFilter & " AND NOT(memberOf='CN=Zaposleni,OU=Microsoft Exchange Distribution Groups,DC=company,DC=local') AND NOT(memberOf='CN=Workers-child company,OU=Microsoft Exchange Distribution Groups,DC=company,DC=local') AND NOT(memberOf='CN=Workers-third company,OU=Microsoft Exchange Distribution Groups,DC=company,DC=local') AND NOT(memberOf='CN=Students,OU=Microsoft Exchange Distribution Groups,DC=company,DC=local')"
end if
if NOT IsNull(department) and department <> "" then
' response.write "department (memberOf='"&department&"')"
ldapFilter = ldapFilter & " AND (memberOf='"&department&"')"
end if
'response.write "Filter "&ldapFilter
ldapFields = "cn,displayname,samaccountname,sn,givenname,initials,department,telephonenumber,mobile,mail,ipPhone,useraccountcontrol"
' SQL dialect of the ADsDSOObject provider; LDAP://<domain DN> only searches that domain's naming context.
ldapStrUsers = "SELECT "&ldapFields&" FROM 'LDAP://" & domainContainer &"' WHERE objectCategory='person' AND NOT(title='*test*') AND company='company*'"&ldapFilter&" ORDER BY "&sort
bbcompent1
All-Star
32994 Points
8509 Posts
Moderator
Re: ASP page, LDAP query in two domains
Nov 22, 2011 02:14 PM
Are you sure there is a two-way domain trust set up that domain1 is allowed to talk to domain2? Also, you might want to consider using asp.net directory services instead of this LDAP VBScript code.
bostjanc
Member
8 Points
5 Posts
Re: ASP page, LDAP query in two domains
Nov 22, 2011 02:16 PM
The strange thing is, if I open Active Directory Users and Computers on the first DC I am able to open the Exchange distribution group and see all the users there (including users from the child domain), but LDAP does not find them...
bbcompent1
All-Star
32994 Points
8509 Posts
Moderator
Re: ASP page, LDAP query in two domains
Nov 22, 2011 02:20 PM
Sounds very much like a two-way trust issue. Ask your AD Administrators if both domains trust each other and if that user in question is allowed to query both domains.
bostjanc
Member
8 Points
5 Posts
Re: ASP page, LDAP query in two domains
Nov 22, 2011 02:56 PM
I have just checked on our DC under Active Directory Domains and Trusts on both domains, and the two-way trust is enabled.
And the user who is running this ASP site is a domain admin from the primary domain, which is a member of every administrator group in the child domain.
bbcompent1
All-Star
32994 Points
8509 Posts
Moderator
Re: ASP page, LDAP query in two domains
Nov 22, 2011 03:03 PM
Right off here it looks like your LDAP connection string ldapStrUsers is commented out. Not sure if that is intentional...
bbcompent1
All-Star
32994 Points
8509 Posts
Moderator
Re: ASP page, LDAP query in two domains
Nov 22, 2011 03:07 PM
Try this asp.net alternative. I have used this before and it worked really well for me.
http://wiki.asp.net/page.aspx/462/how-to-query-active-directory-without-hard-coding-the-domain-name/
bostjanc
Member
8 Points
5 Posts
Re: ASP page, LDAP query in two domains
Nov 22, 2011 03:08 PM
That comment is intentional there.
Is there any way to combine two domains in domainContainer = "..."? For example domain1.local and domain2.company.local?
bbcompent1
All-Star
32994 Points
8509 Posts
Moderator
Re: ASP page, LDAP query in two domains
Nov 22, 2011 03:11 PM
Essentially, if you query against the rootDSE, that accesses the entire forest. Since these two exist under the forest named local, you should have no problem querying against both.
bostjanc
Member
8 Points
5 Posts
Re: ASP page, LDAP query in two domains
Nov 22, 2011 03:13 PM
First, thank you for your help and replies.
Secondly, excuse me for my stupidity (the script was not made by me, I'm just trying to edit it to work with two domains), but where can I put
Dim defaultNamingContext As String
Using rootDSE As New DirectoryEntry("LDAP://RootDSE")
    defaultNamingContext = rootDSE.Properties("defaultNamingContext").Value.ToString()
End Using
Console.WriteLine("Accessing domain: {0}", defaultNamingContext)
Should I just put it at the end?
If I put the whole script here, are you able to determine how to edit it properly ...
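The forest-wide lookup suggested in the rootDSE reply, written for the classic ASP script rather than ASP.NET, as an added example that is not code from this thread. It assumes ADO with the ADsDSOObject provider (present wherever ADSI is), that the page's identity may read both domains, and illustrative field names; it reads the forest root from RootDSE and searches the Global Catalog (GC://), which covers the child domain that LDAP://DC=company,DC=local does not, and it escapes the search term so user input cannot change the filter.

```vbscript
' Added example (not from the thread). Assumes ADsDSOObject via ADO and read access to both domains.
' Escape a search term per RFC 4515 so user input cannot alter the filter's structure.
Function LdapEscape(value)
    Dim s, i, ch, out
    s = CStr(value) : out = ""
    For i = 1 To Len(s)
        ch = Mid(s, i, 1)
        Select Case ch
            Case "\"     : out = out & "\5c"
            Case "*"     : out = out & "\2a"
            Case "("     : out = out & "\28"
            Case ")"     : out = out & "\29"
            Case Chr(0)  : out = out & "\00"
            Case Else    : out = out & ch
        End Select
    Next
    LdapEscape = out
End Function

' Read the forest root from RootDSE instead of hard-coding DC=company,DC=local, then
' search the Global Catalog (GC://). LDAP://<parent DN> covers only the parent domain's
' naming context; the GC holds every object in the forest, child domain included, but
' only attributes in the partial attribute set (cn, mail, sn, givenName, department ...).
Function BuildForestQuery(keyword, fields)
    Dim rootDSE, forestRoot, term, filter
    Set rootDSE = GetObject("LDAP://RootDSE")
    forestRoot = rootDSE.Get("rootDomainNamingContext")
    filter = "(&(objectCategory=person)(objectClass=user)(mail=*)"
    If Not IsNull(keyword) Then
        If keyword <> "" Then
            term = LdapEscape(keyword)
            filter = filter & "(|(sn=" & term & "*)(givenName=" & term & "*)(cn=" & term & "*))"
        End If
    End If
    filter = filter & ")"
    BuildForestQuery = "<GC://" & forestRoot & ">;" & filter & ";" & fields & ";subtree"
End Function

' Run the query and render the result; HTMLEncode keeps directory values from injecting markup.
Dim conn, rs
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
Set rs = conn.Execute(BuildForestQuery(Request.QueryString("keyword"), "cn,mail,department"))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("cn") & " <" & rs("mail") & ">") & "<br>"
    rs.MoveNext
Loop
rs.Close : conn.Close
```

The memberOf group filters from the posted script can be appended inside the same (&...) filter; attributes that are not in the Global Catalog's partial attribute set must be read with a follow-up LDAP:// bind to the object's own domain.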