None
0 Points
8 Posts
AD object ID
May 30, 2006 06:14 AM | ReeD
What is the attribute I should use as an object ID in a web interface to display detailed information about the object? I will want to pass this ID as a GET variable.
For example, a list of all AD groups present in some container is displayed on a web page:
Authors
Readers
Admins
Let's say I will also want to display all the users of each group.
I can use each group's CN as a value of the GET variable "group" (as I have done in the example above) but I'm not sure if this is the way to go since CN may contain language-specific chars and in that case the URLs will become ugly (those %'s). Are there other attributes that I could use for the same identification purposes? An integer/alphanum attribute would be best. I didn't find anything really useful on MSDN though.
What would you pass as a GET var in a similar case?

Member
135 Points
1801 Posts
Re: AD object ID
May 30, 2006 11:29 AM | dunnry
You have some choices for this that depend on how you want to handle it. You can use the 'sAMAccountName' as that is guaranteed unique per domain. You may have issues with characters however, so you need to test that for edge cases. Alternatively, you can use the SID or the objectGuid to get the user. The DN is a poor choice since objects tend to move a bit and will break your code (as well as the character issues you mentioned).
Both the GUID and SID support special types of binds that won't require you to search either (<GUID=> and <SID=> respectively). Of the two, the objectGuid is globally unique and probably better suited. I personally think it is easier to use than the SID as well, but that has become less of a factor with .NET 2.0's SecurityIdentifier class.
To use the 'objectGuid' just cast the attribute to a Guid class. That, or use the .NativeGuid in its munged format as a substitute (just don't forget which one you used).
Weblog
The Book
LDAP Programming Help

Re: AD object ID
Jun 02, 2006 07:43 AM | ReeD
I forgot to mention I will be doing this with PHP, so it was actually a non-platform-specific question.
Yes, I did find objectGUID as well as objectSID attributes in Microsoft's AD class documentation. I have set a Win2k machine up with AD on it for my tests, and it seems like those two attributes aren't actually alphanum and this makes them problematic to pass in query strings.
Does .NET convert them into some usable format for you automatically after you read the attributes from AD?

Re: AD object ID
Jun 02, 2006 07:38 PM | dunnry
Hmmm... I am confused a little - how are you using .NET in PHP? Or are you using ADSI?
They are marshalled as byte[] arrays in .NET and you can very easily turn them into strings. Unfortunately, I have no idea about PHP and what you can or cannot do. The 'objectGuid' is still the way to go, but if you are using ADSI here I think you can get it still. Check the IADsUser interface and its GUID property.

Re: AD object ID
Jun 05, 2006 04:55 AM | ReeD
"Hmmm... I am confused a little - how are you using .NET in PHP? Or are you using ADSI?"
I am not... I use PHP's LDAP API to communicate with Active Directory server.
Anyway, I seem to have found a solution. I can easily encode objectGUID with base64, pass the encoded value in a query string and decode it on another page.

Re: AD object ID
Jun 05, 2006 11:10 AM | dunnry
That should work great for you, it sounds. Just remember that you can also use the GUID bind to get the user directly without a search. This is not a feature of ADSI or .NET, so it should be available through any API to AD (or ADAM).
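
The base64 round trip and the GUID bind discussed in this thread, sketched in PHP as an added example (not code posted by either participant). The function names and the sample GUID are constructed for illustration, and the hex-of-stored-bytes form inside <GUID=...> is an assumption about what the server accepts. The decoder rejects anything that is not the canonical encoding of exactly 16 bytes, so the query-string value never reaches the directory unvalidated.

```php
<?php
declare(strict_types=1);

// Raw 16-byte objectGUID -> 22-character unpadded base64url ID (no %-escapes needed).
function guidToUrlId(string $rawGuid): string
{
    if (strlen($rawGuid) !== 16) {
        throw new InvalidArgumentException('objectGUID must be exactly 16 bytes');
    }
    return rtrim(strtr(base64_encode($rawGuid), '+/', '-_'), '=');
}

// ID from the query string -> raw bytes, or null for anything that is not
// the canonical encoding of exactly 16 bytes.
function urlIdToGuid(string $id): ?string
{
    if (preg_match('/\A[A-Za-z0-9_-]{22}\z/', $id) !== 1) {
        return null;
    }
    $raw = base64_decode(strtr($id, '-_', '+/') . '==', true);
    if ($raw === false || strlen($raw) !== 16 || guidToUrlId($raw) !== $id) {
        return null;
    }
    return $raw;
}

// Bind DN built from the bytes in stored order (assumed accepted form, see lead-in).
function guidBindDn(string $rawGuid): string
{
    return '<GUID=' . bin2hex($rawGuid) . '>';
}

// Dashed display form: the first three fields are little-endian in the stored
// bytes, so this string differs from bin2hex(). Pick one form and stay with it.
function guidToDashed(string $rawGuid): string
{
    $f = unpack('Va/vb/vc', substr($rawGuid, 0, 8));
    return sprintf('%08x-%04x-%04x-%s-%s', $f['a'], $f['b'], $f['c'],
        bin2hex(substr($rawGuid, 8, 2)), bin2hex(substr($rawGuid, 10, 6)));
}

$raw  = hex2bin('000102030405060708090a0b0c0d0e0f'); // constructed sample, not a real object
$id   = guidToUrlId($raw);                            // value for ?group=...
$back = urlIdToGuid($id);                             // on the detail page: urlIdToGuid($_GET['group'])
var_dump($id, $back === $raw, urlIdToGuid('Authors'), guidBindDn($raw), guidToDashed($raw));
// With a live connection $conn (hypothetical), no search filter is built from user input:
// $entry = ldap_read($conn, guidBindDn($back), '(objectClass=*)', ['member']);
```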