I'm trying to write an LDAP query which will discover if a user is a member of a group which matches a wildcard query and I'm trying to use the LDAP_MATCHING_RULE_IN_CHAIN OID to do this. I'm basically following example 2 on this page:
http://support.microsoft.com/kb/914828
I've found that this method works well within a domain i.e. if user1 is in group1 and group1 is in group2 then I can write a query matching "*2" and the LDAP query will find the nested relationship and match the user against the group.
However, now I've been asked to support relationships between domains in the same forest. So now I've got:
- user1 is a member of group1 in domain 1
- group1 in domain 1 is a member of group2 in domain 2
And I want to be able to match user1 against group2.... I can't work out how to make LDAP_MATCHING_RULE_IN_CHAIN do this:
I've tried setting the base of the query to the following:
- Domain 1, but this just returns groups in domain 1
- The parent domain of domain 1 and domain 2, but this returns no results.
- The GC, found by querying "rootDSE" property but this just returns groups inside the domain 1 (which is the GC server)
Anyone know how I can make this work?
As far as I understand, one way of doing that is :
- From the RootDSE, look for the configuration NamingContext.
- In the configuration NamingContext looking for objects of class
crossRef with an attribute nETBIOSName existing.
- From these entries use the algorithm you are discribing by using
dnsRoot and nCName attributs. A working forest DNS allows you to join a domain controler of dnsRoot. nCName allows to search from the root.
Be careful to do this as a member of the enterpreise administrators group.
Here is an example of the code.
/* Retreiving RootDSE
*/
string ldapBase = "LDAP://WM2008R2ENT:389/";
string sFromWhere = ldapBase + "rootDSE";
DirectoryEntry root = new DirectoryEntry(sFromWhere, "dom\\jpb", "PWD");
string configurationNamingContext = root.Properties["configurationNamingContext"][0].ToString();
/* Retreiving the root of all the domains
*/
sFromWhere = ldapBase + configurationNamingContext;
DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "dom\\jpb", "PWD");
DirectorySearcher dsLookForDomain = new DirectorySearcher(deBase);
dsLookForDomain.Filter = "(&(objectClass=crossRef)(nETBIOSName=*))";
dsLookForDomain.SearchScope = SearchScope.Subtree;
dsLookForDomain.PropertiesToLoad.Add("nCName");
dsLookForDomain.PropertiesToLoad.Add("dnsRoot");
SearchResultCollection srcDomains = dsLookForDomain.FindAll();
foreach (SearchResult aSRDomain in srcDomains)
{
/* For each root look for the groups containing my user
*/
string nCName = aSRDomain.Properties["nCName"][0].ToString();
string dnsRoot = aSRDomain.Properties["dnsRoot"][0].ToString();
/* To find all the groups that "user1" is a member of :
* Set the base to the groups container DN; for example root DN (dc=dom,dc=fr)
* Set the scope to subtree
* Use the following filter :
* (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
*/
/* Connection to Active Directory
*/
sFromWhere = "LDAP://" + dnsRoot + "/" + nCName;
deBase = new DirectoryEntry(sFromWhere, "dom\\jpb", "PWD");
DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
// you cancomplete the filter here (&(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)(cn=*2)
dsLookFor.Filter = "(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)";
dsLookFor.SearchScope = SearchScope.Subtree;
dsLookFor.PropertiesToLoad.Add("cn");
SearchResultCollection srcGroups = dsLookFor.FindAll();
foreach (SearchResult srcGroup in srcGroups)
{
Console.WriteLine("{0}", srcGroup.Path);
}
}
This is just a proof of concept, you have to complete with :
using using(){} form for disposing DirectoryEntry objects
Exception management
Edited (2011-10-18 13:25)
Your comment about the way you solve the problem can be found in a method given in System.DirectoryServices.AccountManagement Namespace. It's a kind of recursive solution. This time, I test with a user belonging to group1 (in an other domain) which belongs to group2 (in a third domain) and it seems to work.
/* Retreiving a principal context
*/
Console.WriteLine("Retreiving a principal context");
PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, "WM2008R2ENT:389", "dc=dom,dc=fr", "jpb", "PWD");
/* Look for all the groups a user belongs to
*/
UserPrincipal aUser = UserPrincipal.FindByIdentity(domainContext, "user1");
PrincipalSearchResult<Principal> a = aUser.GetAuthorizationGroups();
foreach (GroupPrincipal gTmp in a)
{
Console.WriteLine(gTmp.Name);
}
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 够拽才男人 的文章《Can I match a user to a group accross different do》','https://www.manongdao.com/article-129878.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}