I am very new to C# and I'm using LDAP to 1) validate a user's login credentials and 2) obtain additional information about the user for my app. Our LDAP server doesn't allow some of the data I'm requesting to be given out anonymously, so I have to wait until I bind with the user's full credentials to pull the data. However, even then I have not been able to obtain simple fields like sn, and givenName. Using JXplorer I can see where these values are hidden during an anonymous connection, but with a full user/SSL/password combination I can see everytning in JXplorer. I just can't seem to do the same via my code.
If I loop through the properties after my first FindOne(), there are 9 properties found (none of which are the ones I'm looking for). If I loop through the properties after my second FindOne(), there are only 4 properties available. Neither results seems to be impacted by PropertiesToAdd.Add("...").
Any suggestions would be appreciated.
public string[] Authenticate(string user, string password)
{
string[] results = new string [2];
//Concatenate serverpath + username + container
//I.e. "LDAP://ldap.disney.com:636/CN=donaldDuck,ou=people,dc=la,dc=disney,dc=com"
DirectoryEntry de = new DirectoryEntry(_ldapserver + "cn=" + user + "," + _topContainer);
//User's password for initial verification
de.Password = password;
//initate anonymous bind
de.AuthenticationType = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
DirectorySearcher searcher = new DirectorySearcher(de);
searcher.SearchScope = System.DirectoryServices.SearchScope.Base;
//Search for first record
SearchResult result = searcher.FindOne();
//Check results
if (result == null) throw new Exception(ERR_NOT_FOUND);
de = result.GetDirectoryEntry();
//Return search results
//results[0] = (string)de.Properties["mail"].Value;
// results[1] = (string)de.Properties["givenName"].Value + " " + (string)de.Properties["sn"].Value;
// Distingushed Name of the found account
string DN = de.Path.Substring(de.Path.ToUpper().IndexOf("CN="));
// Close search connection
de.Close();
// now bind and verify the user's password,
de = new DirectoryEntry(_ldapserver + _topContainer);
de.Username = DN;
de.Password = password;
de.AuthenticationType = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
//Obtain additional information
searcher = new DirectorySearcher(de);
searcher.PropertiesToLoad.Add("sn");
searcher.PropertiesToLoad.Add("givenName");
SearchResult r = searcher.FindOne();
de = r.GetDirectoryEntry();
foreach (string property in de.Properties.PropertyNames)
{
Console.WriteLine("\t{0} : {1} ", property, de.Properties[property][0]);
}
//End obtain additional information
//Validate password
Object obj = de.NativeObject;
de.Close();
//if we made it here, we successfully authenticated
return results;
}
If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:
Managing Directory Security Principals in the .NET Framework 3.5
MSDN docs on System.DirectoryServices.AccountManagement
Basically, you can define a domain context and easily find users and/or groups in AD:
// set up domain context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
// validate given user credentials
bool isValid = ctx.ValidateCredentials(user, password);
// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");
if(user != null)
{
string surname = user.Surname;
string givenName = user.GivenName;
}
}
The new S.DS.AM makes it really easy to play around with users and groups in AD!
Related
Is it possible to get a user's email from Active Directory using employeenumber as the query term?
I am using C#'s System.DirectoryServices and am a little bit lost. The previous developer at my company was using this process, but he had an email and was querying for the employee number. I have changed it to what I believe it should be, but to be honest, I don't understand the code that well.
Is there something wrong with my code? every time i run it, I get a Null Reference error on the DirectoryEntry up_user = line. I assume it is because the previous line is not getting any entities.
Also, is there any good documentation on this topic? Everywhere I look, the posts are from 2011 or 2013.
I have the following:
try
{
string email = string.Empty;
ContextType authenticationType = ContextType.Domain;
PrincipalContext principalContext = new PrincipalContext(authenticationType, "MATRIC");
UserPrincipal userPrincipal = null;
userPrincipal = UserPrincipal.FindByIdentity(principalContext, empnum);
DirectoryEntry up_User = (DirectoryEntry)userPrincipal.GetUnderlyingObject();
DirectorySearcher deSearch = new DirectorySearcher(up_User);
SearchResultCollection results = deSearch.FindAll();
if (results != null && results.Count > 0)
{
ResultPropertyCollection rpc = results[0].Properties;
foreach (string rp in rpc.PropertyNames)
{
if (rp == "mail")
{
email = rpc["mail"][0].ToString();
}
}
if (email != string.Empty)
{
return email;
}
return null;
}
return null;
}
catch (Exception ex)
{
throw ex;
}
UserPrincipal.FindByIdentity only works for finding a user by what AD considers an identifying attribute. These are listed in the IdentityType enumeration. The employee number isn't one of those.
Are you using employeeId or employeeNumber in AD? They are different attributes, although both are just strings with no special meaning or restrictions in AD.
The employeeId attribute is exposed in the UserPrincipal class, so you can search by it with UserPrincipal as described in the answer here:
UserPrincipal searchTemplate = new UserPrincipal(principalContext);
searchTemplate.EmployeeID = employeeId;
PrincipalSearcher ps = new PrincipalSearcher(searchTemplate);
UserPrincipal user = (UserPrincipal)ps.FindOne();
Then you can use the EmailAddress property of the account you find (you don't need to do what you're doing with the DirectorySearcher).
var emailAddress user?.EmailAddress;
If you're using employeeNumber, then you will need to use DirectorySearcher to find it. Something like this:
var search = new DirectorySearcher(new DirectoryEntry("LDAP://yourdomain.com"));
search.Filter = $"(&(ObjectClass=user)(employeeNumber={employeeNumber}))";
search.PropertiesToLoad.Add("mail");
var result = search.FindOne();
string emailAddress = null;
if (result.Properties.Contains("mail")) {
emailAddress = result.Properties["mail"][0].Value as string;
}
I'm trying to write a code that retrieves a user's email from the LDAP server. The user's email is in the 'mail' property, however, everytime I run it, the email returns "System.DirectoryServices.ResultPropertyValueCollection" instead of the user's email. Here is my code:
using (HostingEnvironment.Impersonate())
{
string server = "hello.world.com:389";
string email = null;
DirectoryEntry dEntry = new DirectoryEntry("LDAP://" + server + "/DC=hello,DC=world,DC=com");
DirectorySearcher dSearch = new DirectorySearcher(dEntry);
dSearch.SearchScope = SearchScope.Subtree;
dSearch.Filter = "(&(objectClass=users)(cn=" + lanID + "))";
dSearch.PropertiesToLoad.Add("mail");
SearchResult result = dSearch.FindOne();
if (result != null)
{
email = result.Properties["mail"].ToString();
return email;
}
else return email = null;
}
The code takes a user's employee id (lanID) and returns that userID's email (the value under 'mail' property). How should I do so I don't get System.DirectoryServices.ResultPropertyValueCollection but an actual email?
You need to use SearchResult.GetDirectoryEntry() Method to get the directory entry which corresponds to this SearchResult.
Retrieves the DirectoryEntry that corresponds to the SearchResult from
the Active Directory Domain Services hierarchy. Use GetDirectoryEntry when you want to look at the live entry instead of the entry that was returned through DirectorySearcher, or when you want to invoke a method on the object that was returned.
--emphasis mine.
Use the below code:
DirectoryEntry user = result.GetDirectoryEntry();
string distinguishedName = user.Properties["mail"].Value.ToString();
Use this:
(String)user.Properties["mail"][0];
This means you are trying to convert an entire object to a string.
Change
email = result.Properties["mail"].ToString();
To this
email = result.Properties["mail"].Value.ToString();
This:
email = result.getdirectoryentry.properties("mail").value
I am trying to access "msDS-ResultantPSO" attribute value of AD user using C#,I applied the Password Policy on a user, and its showing the value in "msDS-ResultantPSO" attribute.Now, I am trying to get this value using C# in the same way to get Normal attributes of AD user such as "FirstName, LastName,Email...".I added ResulantPSO attribute along with other normal attributes to load.My code bringing all normal attributes values except "msDS-ResultantPSO".
Please can anyone help me in this regard.
I had to make sure the user running my program had the appropriate AD read permissions other than that this should get you close:
var ad = new PrincipalContext(ContextType.Domain, _domain, _ldapPathOu);
UserPrincipal user = UserPrincipal.FindByIdentity(ad, username);
DirectoryEntry entry = user.GetUnderlyingObject() as DirectoryEntry;
DirectorySearcher mySearcher = new DirectorySearcher(entry);
SearchResultCollection results;
mySearcher.PropertiesToLoad.Add("msDS-ResultantPSO");
results = mySearcher.FindAll();
if (results.Count >= 1)
{
string pso = results[0].Properties["msDS-ResultantPSO"][0].ToString();
//do something with the pso..
DirectoryEntry d = new DirectoryEntry(#"LDAP://corp.example.com/"+ pso);
var searchForPassPolicy = new DirectorySearcher(d);
searchForPassPolicy.Filter = #"(objectClass=msDS-PasswordSettings)";
searchForPassPolicy.SearchScope = System.DirectoryServices.SearchScope.Subtree;
searchForPassPolicy.PropertiesToLoad.AddRange(new string[] {"msDS-MaximumPasswordAge"});
var x = searchForPassPolicy.FindAll();
var maxAge = (Int64)x[0].Properties["msDS-MaximumPasswordAge"][0];
var maxPwdAgeInDays = ConvertTimeToDays(maxAge);
}
at the moment I am trying to write some code to help our support and having some problems. I am creating a user in the OU, setting all needed attributes and having trouble setting the flags.
string ADPath1 = "LDAP://127.0.0.1/OU=TEST,DC=abc,DC=def,DC=local";
string ADUser = "admin";
string ADPassword = "somepw";
DirectoryEntry de = new DirectoryEntry(ADPath1, ADUser, ADPassword, AuthenticationTypes.Secure);
I am connecting, and setting everything up
DirectoryEntries users = de.Children;
DirectoryEntry newuser = users.Add("CN=" + "Artemij Voskobojnikov", "user");
newuser.Properties["property"].Add("XXX");
Now I'd like to setup the userAccountControl-propery and am trying to do the following:
const int UF_PASSWD_CANT_CHANGE = 0x0040;
const int UF_DONT_EXPIRE_PASSWD = 0x10000;
int user_flags = UF_PASSWD_CANT_CHANGE + UF_DONT_EXPIRE_PASSWD;
newuser.Properties["userAccountControl"].Value = user_flags
I am getting an error, something like "Server cannot execute the operation". Is there any way to do this or do I have to use UserPrincipal?
Kind regards
If you're on .NET 3.5 and up, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:
Managing Directory Security Principals in the .NET Framework 3.5
MSDN docs on System.DirectoryServices.AccountManagement
Basically, you can define a domain context and easily find users and/or groups in AD:
// set up domain context and bind to the OU=Test container
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "YOURDOMAIN", "OU=TEST"))
{
// create a new user
UserPrincipal user = new UserPrincipal(ctx);
// set first name, last name, display name, SAM Account Name and other properties easily
user.DisplayName = "Artemij Voskobojnikov";
user.GivenName = "Artemij";
user.Surname = "Voskobojnikov";
user.SamAccountName = "AVoskobojnikov";
// set some flags as appropriate for your use
user.UserCannotChangePassword = true;
user.PasswordNeverExpires = true;
// save user
user.Save();
}
The new S.DS.AM makes it really easy to play around with users and groups in AD!
I am querying information from Active Directory. I have code that works, but it's really slow.
This is the code I currently use:
static void Main(string[] args)
{
SearchResultCollection sResults = null;
try
{
//modify this line to include your domain name
string path = "LDAP://EXTECH";
//init a directory entry
DirectoryEntry dEntry = new DirectoryEntry(path);
//init a directory searcher
DirectorySearcher dSearcher = new DirectorySearcher(dEntry);
//This line applies a filter to the search specifying a username to search for
//modify this line to specify a user name. if you want to search for all
//users who start with k - set SearchString to "k"
dSearcher.Filter = "(&(objectClass=user))";
//perform search on active directory
sResults = dSearcher.FindAll();
//loop through results of search
foreach (SearchResult searchResult in sResults)
{
if (searchResult.Properties["CN"][0].ToString() == "Adit")
{
////loop through the ad properties
//foreach (string propertyKey in
//searchResult.Properties["st"])
//{
//pull the collection of objects with this key name
ResultPropertyValueCollection valueCollection =
searchResult.Properties["manager"];
foreach (Object propertyValue in valueCollection)
{
//loop through the values that have a specific name
//an example of a property that would have multiple
//collections for the same name would be memberof
//Console.WriteLine("Property Name: " + valueCollection..ToString());
Console.WriteLine("Property Value: " + (string)propertyValue.ToString());
//["sAMAccountName"][0].ToString();
}
//}
Console.WriteLine(" ");
}
}
}
catch (InvalidOperationException iOe)
{
//
}
catch (NotSupportedException nSe)
{
//
}
finally
{
// dispose of objects used
if (sResults != null)
sResults.Dispose();
}
Console.ReadLine();
}
What would faster code look like to get user information from AD?
You can call UserPrincipal.FindByIdentity inside System.DirectoryServices.AccountManagement:
using System.DirectoryServices.AccountManagement;
using (var pc = new PrincipalContext(ContextType.Domain, "MyDomainName"))
{
var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, "MyDomainName\\" + userName);
}
The reason why your code is slow is that your LDAP query retrieves every single user object in your domain even though you're only interested in one user with a common name of "Adit":
dSearcher.Filter = "(&(objectClass=user))";
So to optimize, you need to narrow your LDAP query to just the user you are interested in. Try something like:
dSearcher.Filter = "(&(objectClass=user)(cn=Adit))";
In addition, don't forget to dispose these objects when done:
DirectoryEntry dEntry
DirectorySearcher dSearcher
Well, if you know where your user lives in the AD hierarchy (e.g. quite possibly in the "Users" container, if it's a small network), you could also bind to the user account directly, instead of searching for it.
DirectoryEntry deUser = new DirectoryEntry("LDAP://cn=John Doe,cn=Users,dc=yourdomain,dc=com");
if (deUser != null)
{
... do something with your user
}
And if you're on .NET 3.5 already, you could even use the vastly expanded System.DirectorySrevices.AccountManagement namespace with strongly typed classes for each of the most common AD objects:
// bind to your domain
PrincipalContext pc = new PrincipalContext(ContextType.Domain, "LDAP://dc=yourdomain,dc=com");
// find the user by identity (or many other ways)
UserPrincipal user = UserPrincipal.FindByIdentity(pc, "cn=John Doe");
There's loads of information out there on System.DirectoryServices.AccountManagement - check out this excellent article on MSDN by Joe Kaplan and Ethan Wilansky on the topic.
You can simplify this code to:
DirectorySearcher searcher = new DirectorySearcher();
searcher.Filter = "(&(objectCategory=user)(cn=steve.evans))";
SearchResultCollection results = searcher.FindAll();
if (results.Count == 1)
{
//do what you want to do
}
else if (results.Count == 0)
{
//user does not exist
}
else
{
//found more than one user
//something is wrong
}
If you can narrow down where the user is you can set searcher.SearchRoot to a specific OU that you know the user is under.
You should also use objectCategory instead of objectClass since objectCategory is indexed by default.
You should also consider searching on an attribute other than CN. For example it might make more sense to search on the username (sAMAccountName) since it's guaranteed to be unique.
I'm not sure how much of your "slowness" will be due to the loop you're doing to find entries with particular attribute values, but you can remove this loop by being more specific with your filter. Try this page for some guidance ... Search Filter Syntax