I am writing a web app that when finished only certain users should have access to. Originally I was going to build a db table with uName and passwd fields but have been asked to pull that information from our AD server. I have never done anything like this before and was wondering where to start? Is there any necessary configuration I need to do on our AD server? What rights are needed to query the AD server? How can I, through a web interface, enable an administrator (the admin user, not a computer person) using the website to dynamically add/remove users that can access the site?
Is there any necessary configuration I need to do on our AD server? What rights are needed to query the AD server? How can I, through a web interface, enable an administrator (the admin user, not a computer person) using the website to dynamically add/remove users that can access the site?

There is nothing you should need to do on your AD server (unless it is also your IIS server, which I hope it isn't). Typically, any domain user has the appropriate rights to query AD (and see most attributes). It takes admin or assigned rights to be able to write to AD however and see any attributes that have been set in the schema as more privileged. In terms of a web interface, I am not quite sure what you mean. Can you explain more? Do you mean remove them from AD, from a group that is accessing the site, or from the web.config?
dunnry - Thanks for the response. To clarify ... I plan on creating a new group in AD. Only members of this group will have access to a certain website. To make my life easier, I would like to designate certain people in this group admins of the group. These people should be able to add/remove users to their group at any time. I don't want them logging into the server and pulling up the Active Directory utility to add/remove users. I would like to build an interface on the website that gives them the ability to see all users in AD, then select a user, click submit and that account should be added to the group, giving that person access to the website. I know exactly what I want but I don't have a clue on how to do it. Do you have any experience with doing this? If so, code or references would be greatly appreciated.
Ok, I think that would be fairly easy to accomplish. Imagine you have one text box on a webform along with an indicator (maybe a radio button list) that indicates if you want to add or remove the user. Here is how you would do it:
using System.DirectoryServices; //DirectoryEntry, DirectorySearcher, AuthenticationTypes

string login = txtUsername.Text; //grab this from the page
bool remove = rdoRemoveUser.Checked; //from radio button selection
string groupPath = "LDAP://CN=SomeGroup,DC=domain,DC=com"; //specify group to add or remove from
string domainPath = "LDAP://DC=domain,DC=com"; //point this to where you want to start looking for users
//this is syntax how to find user; note that login goes straight into the filter,
//so on a real site escape the LDAP special characters ( ) * \ before building it
string qry = String.Format("(sAMAccountName={0})", login);
DirectoryEntry de = new DirectoryEntry(domainPath);
//de.Username = "DOMAIN\\Username"; //optionally provide creds
//de.Password = "password";
de.AuthenticationType = AuthenticationTypes.Secure;
DirectorySearcher ds = new DirectorySearcher(de, qry);
//this is done because of a memory leak using .FindOne() method from DirectorySearcher
SearchResult sr = FindOne(ds);
if(sr != null)
{
    DirectoryEntry group = new DirectoryEntry(groupPath);
    group.Username = "DOMAIN\\Username"; //bind with creds that can add or remove from group
    group.Password = "password";
    group.AuthenticationType = AuthenticationTypes.Secure;
    //IADsGroup.IsMember/Add/Remove take the member's ADsPath, which is what sr.Path holds
    bool bExists = (bool)group.Invoke("IsMember", new object[]{sr.Path});
    if(remove) //remove them
    {
        if(bExists) //gotta be in the group to remove them!
            group.Invoke("Remove", new object[]{sr.Path});
    }
    else //we are trying to add them
    {
        if(!bExists) //make sure they are not in the group already
            group.Invoke("Add", new object[]{sr.Path});
    }
}

private SearchResult FindOne(DirectorySearcher searcher)
{
    SearchResult sr = null;
    SearchResultCollection src = searcher.FindAll();
    if(src.Count > 0)
    {
        sr = src[0];
    }
    src.Dispose(); //always dispose the collection or the underlying handles leak
    return sr;
}
If you use VB.NET you can translate it with a variety of services around. This should otherwise search and find the user, and depending on whether or not you want to add or remove the user, do it depending on whether or not they are members of the group already.
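As an added example (my own code, not dunnry's snippet and not part of the original thread), here is the same add/remove logic arranged the way I would hand it to a page that group admins use. It assumes a hypothetical AdGroupMembership class, the placeholder paths LDAP://DC=domain,DC=com and LDAP://CN=SomeGroup,DC=domain,DC=com from the snippet above, and a dedicated service account (placeholder name DOMAIN\SvcWebGroupAdmin) that has been delegated write access to the group's member attribute, so the web app's own identity only ever needs the read access any domain user has. What it adds over the snippet is escaping the typed login before it goes into the search filter, refusing to act unless exactly one account matches, and binding with the delegated account only for the write.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Hypothetical helper; class, method and account names are assumptions for this example.
public class AdGroupMembership
{
    private readonly string domainPath;      // where to start looking for users
    private readonly string groupPath;       // the group that grants site access
    private readonly string serviceUser;     // delegated write access to the group's member attribute
    private readonly string servicePassword;

    public AdGroupMembership(string domainPath, string groupPath, string serviceUser, string servicePassword)
    {
        this.domainPath = domainPath;
        this.groupPath = groupPath;
        this.serviceUser = serviceUser;
        this.servicePassword = servicePassword;
    }

    // Escape a value before placing it inside an LDAP search filter (RFC 4515 rules),
    // so text typed into the login box cannot change the meaning of the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Look up a user by sAMAccountName and return its ADsPath, or null if there is not
    // exactly one match. Binds as the web app's own identity: reading is enough here.
    public string FindUserPath(string login)
    {
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(login) + "))";
        using (var root = new DirectoryEntry(domainPath))
        {
            root.AuthenticationType = AuthenticationTypes.Secure;
            using (var searcher = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
            using (SearchResultCollection results = searcher.FindAll())   // dispose, as dunnry notes
            {
                if (results.Count != 1) return null;   // missing or ambiguous: refuse rather than guess
                return results[0].Path;
            }
        }
    }

    // Bind to the group with the delegated account; this is the only place write rights are used.
    private DirectoryEntry OpenGroup()
    {
        return new DirectoryEntry(groupPath, serviceUser, servicePassword, AuthenticationTypes.Secure);
    }

    // Make the user a member (or not). Idempotent; returns true only if AD was changed,
    // so the page can write an audit line saying who changed what.
    public bool SetMembership(string login, bool shouldBeMember)
    {
        string userPath = FindUserPath(login);
        if (userPath == null)
            throw new ArgumentException("No unique AD user for login: " + login);

        using (DirectoryEntry group = OpenGroup())
        {
            // IADsGroup.IsMember/Add/Remove take the member's ADsPath, as in dunnry's snippet
            bool isMember = (bool)group.Invoke("IsMember", new object[] { userPath });
            if (isMember == shouldBeMember) return false;
            group.Invoke(shouldBeMember ? "Add" : "Remove", new object[] { userPath });
            return true;
        }
    }

    // What a page handler calls after it has confirmed the caller is one of the group's admins.
    public static bool Apply(string login, bool remove)
    {
        var mgr = new AdGroupMembership(
            "LDAP://DC=domain,DC=com",
            "LDAP://CN=SomeGroup,DC=domain,DC=com",
            "DOMAIN\\SvcWebGroupAdmin",            // placeholder service account
            "<service-account-password>");         // placeholder: load from protected config, never source
        return mgr.SetMembership(login, !remove);
    }
}
```

The page handler should check the caller's own membership in the admin group before calling Apply (with Windows authentication, User.IsInRole("DOMAIN\\SomeGroupAdmins"), an assumed group name, does this), and the site itself can be gated without any code by allowing the DOMAIN\SomeGroup role and denying everyone else in the web.config authorization section. The FindUserPath call deliberately returns null on more than one hit: adding a "nearly matching" account to an access group is the failure mode you least want from a form that non-technical admins drive.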
jwdenny | Member | 235 Points | 47 Posts | AD User Lookup | Jan 20, 2004 12:52 PM
dunnry | Star | 9098 Points | 1806 Posts | Re: AD User Lookup | Jan 22, 2004 02:48 PM
Weblog | The Book | LDAP Programming Help
jwdenny | Member | 235 Points | 47 Posts | Re: AD User Lookup | Jan 23, 2004 01:24 PM
dunnry | Star | 9098 Points | 1806 Posts | Re: AD User Lookup | Jan 23, 2004 04:03 PM