Last post May 02, 2011 04:42 PM by gww
Apr 29, 2011 09:27 AM|Gindy39
Good day community, this is my situation:

Currently I'm developing a web application (ASP) for the agency I work for. The purpose of the web app is to go into the LDAP, get the values of some particular attributes and show them on the browser so the user can update or input the information that we require. Due to the nature and size of the agency, people come and go and half of the time their supervisors don't report it to the IT department so they can deactivate that account; also there is a lot of information missing because when they jumped to using this system the group that was working with the project barely input any information and the attributes for the accounts are mostly empty :-s.

The question: I wanted to ask for your opinion and knowledge as to how do I go about identifying the people that actually input or update the web app? I explain myself: there will be a 2 month window for users to update their LDAP profile (since some might be on vacation) and this will be a mandatory policy or they will lose access. I'm taking that whoever didn't update it is an inactive user and needs to be disabled. I was thinking of writing code that compared the last update of the LDAP vs a time window and if it fell under it, it means they updated it. Working with dates is painful sometimes but oh well. I was thinking also of adding another attribute to the schema with w/e name with a default value of 0 that will change to a value of 1 once the profile has been updated, and later on when I do the query against the LDAP I will use that attribute to identify the active ones. And my third idea, I'm trying to find an attribute that I could use as my bin, such as the "keywords" attribute or any other that any of you might know that allows me to input some value and is not a very significant one. Like I know I could use the displayname attribute for that, but lol, this is the one for name so it might not be a good idea.

I would like to hear any thoughts on which methodology to use, or any other idea, just to see if I'm on the right track and what attribute field (if we resort to that) to use. I'm the new guy here and this is my first time working with LDAP; so far so good. All I'm missing now is a way to segregate the active from inactive since I got a lot of active accounts and the users have been fired or retired, lol. Thank you for your time
Apr 29, 2011 10:19 AM|smirnov
Why not simply use the built-in attributes:

See example in VBS

Another attribute that can help is

If for some reason you cannot use it, and the question is only to know when a user has been online/modified on a web application, then you could have your own log within the application. It can be a database, or a simple text or XML file. If you use Integrated Windows Authentication for your web application, then you can also get this information out of the IIS log (e.g. using the Log Parser tool).
May 02, 2011 04:42 PM|gww
As smirnov mentioned, you can use the timestamp properties of the accounts to check to see when they were last in use. You can create a script and run it as a task to check the directory and expire any accounts that have not been accessed for X amount of days. You can also set up a query in ADUC Saved Queries to filter for accounts as well. Or if you have an intranet your employees would normally use regularly, then add some code to the session start to add a record to a database with their samaccountname and

The update property will be updated any time any change is made to a user account, such as an administrator adding them to a group. If you want to keep specific track of the user and when he has updated his account and what was updated, you can just create a function that sends that information to a database to be viewed. I have a similar app set up that does just this. It shows what has been updated and what their old information was. Dropdowns on the account update page ensure consistency for fields such as Department