Wednesday, February 17, 2010
Occasionally, I will check online to see the reviews for our book. It is now almost 4 years old and a bit outdated with respect to the changes that came with .NET 3.5. The website and forums however has been trucking along (thanks Joe!) these years. We never sold a ton of books about this particular niche topic, but for the audience size, it wasn't too shabby. Joe and I are not about to retire on our royalties, however.
I was a bit surprised to see this online however at Amazon:
Now, it is a bit silly for two reasons, a.) our book as a collectible, really? Who would actually collect it? and b.) It says it was signed by both authors. Now, there is a slight chance it is authentic as I think Joe and I signed maybe 2 books together ever. However, the odds of it being authentic are exceedingly slim. Who knows. it's funny regardless.
Thursday, June 5, 2008
A member in the book's forum mentioned some code I had originally posted here in the blog for asynchronous, paged searches in System.DirectoryServices.Protocols (SDS.P). He questioned whether or not it was thread safe. I honestly don't know - it might not be as I didn't test it extensively.
Regardless, I had actually moved on from that code and started using anonymous delegates for callbacks instead of events. I liked this pattern a bit better because it also got rid of the shared resources.
After reading Stephen Toub's article on asynchronous stream processing, I learned about the AsyncOperationManager which was something I was missing in my implementation. I have been doing a lot lately with .NET 3.5, LINQ, and lambda expressions, so I also decided to rewrite the anonymous delegates to lambda expressions. That is not as big a change, but it is more concise.
I actively investigated using async iterators, but ultimately I decided closures seemed to be more intuitive for me. I might revisit this at some time and change my mind. Here is my outcome:
public class AsyncSearcher
{
LdapConnection _connect;
public AsyncSearcher(LdapConnection connection)
{
this._connect = connection;
this._connect.AutoBind = true; //will bind on first search
}
public void BeginPagedSearch(
string baseDN,
string filter,
string[] attribs,
int pageSize,
Action<SearchResponse> page,
Action<Exception> completed
)
{
if (page == null)
throw new ArgumentNullException("page");
AsyncOperation asyncOp = AsyncOperationManager.CreateOperation(null);
Action<Exception> done = e =>
{
if (completed != null) asyncOp.Post(delegate
{
completed(e);
}, null);
};
SearchRequest request = new SearchRequest(
baseDN,
filter,
System.DirectoryServices.Protocols.SearchScope.Subtree,
attribs
);
PageResultRequestControl prc = new PageResultRequestControl(pageSize);
//add the paging control
request.Controls.Add(prc);
AsyncCallback rc = null;
rc = readResult =>
{
try
{
var response = (SearchResponse)_connect.EndSendRequest(readResult);
//let current thread handle results
asyncOp.Post(delegate
{
page(response);
}, null);
var cookie = response.Controls
.Where(c => c is PageResultResponseControl)
.Select(s => ((PageResultResponseControl)s).Cookie)
.Single();
if (cookie != null && cookie.Length != 0)
{
prc.Cookie = cookie;
_connect.BeginSendRequest(
request,
PartialResultProcessing.NoPartialResultSupport,
rc,
null
);
}
else done(null); //signal complete
}
catch (Exception ex) { done(ex); }
};
//kick off async
try
{
_connect.BeginSendRequest(
request,
PartialResultProcessing.NoPartialResultSupport,
rc,
null
);
}
catch (Exception ex) { done(ex); }
}
}It can be consumed very easily using something like this:
class Program
{
static ManualResetEvent _resetEvent = new ManualResetEvent(false);
static void Main(string[] args)
{
//set these to your environment
string servername = "server.yourdomain.com";
string baseDN = "dc=yourdomain,dc=com";
using (LdapConnection connection = CreateConnection(servername))
{
AsyncSearcher searcher = new AsyncSearcher(connection);
searcher.BeginPagedSearch(
baseDN,
"(sn=Dunn)",
null,
100,
f => //runs per page
{
foreach (var item in f.Entries)
{
var entry = item as SearchResultEntry;
if (entry != null)
{
Console.WriteLine(entry.DistinguishedName);
}
}
},
c => //runs on error or when done
{
if (c != null) Console.WriteLine(c.ToString());
Console.WriteLine("Done");
_resetEvent.Set();
}
);
_resetEvent.WaitOne();
}
Console.WriteLine();
Console.WriteLine("Finished.... Press Enter to Continue.");
Console.ReadLine();
}
static LdapConnection CreateConnection(string server)
{
LdapConnection connect = new LdapConnection(
new LdapDirectoryIdentifier(server),
null,
AuthType.Negotiate
);
connect.SessionOptions.ProtocolVersion = 3;
connect.SessionOptions.ReferralChasing = ReferralChasingOptions.None;
connect.SessionOptions.Sealing = true;
connect.SessionOptions.Signing = true;
return connect;
}
}
The important thing to note is that because everything is running asynchronously, it is totally possible for the end delegate to be invoked before the paging delegate has a chance to finish processing results (depending on how complicated your code is). You would need to compensate for this yourself.
This client is a console application, so I am using a ManualResetEvent just to prevent it from closing before finishing. You wouldn't need to do this in a WinForms or WPF app.
I am sure there are other optimizations you could make to pass in parameters or even other directory controls. However, the general pattern should apply.
Tuesday, October 30, 2007
There are three ways of figuring out things that have changed in Active Directory (or ADAM). These have been documented for some time over at MSDN in the aptly titled "Overview of Change Tracking Techniques". In summary:
- Polling for Changes using uSNChanged. This technique checks the 'highestCommittedUSN' value to start and then performs searches for 'uSNChanged' values that are higher subsequently. The 'uSNChanged' attribute is not replicated between domain controllers, so you must go back to the same domain controller each time for consistency. Essentially, you perform a search looking for the highest 'uSNChanged' value + 1 and then read in the results tracking them in any way you wish.
- Benefits
- This is the most compatible way. All languages and all versions of .NET support this way since it is a simple search.
- Disadvantages
- There is a lot here for the developer to take care of. You get the entire object back, and you must determine what has changed on the object (and if you care about that change).
- Dealing with deleted objects is a pain.
- This is a polling technique, so it is only as real-time as how often you query. This can be a good thing depending on the application. Note, intermediate values are not tracked here either.
- Polling for Changes Using the DirSync Control. This technique uses the ADS_SEARCHPREF_DIRSYNC option in ADSI and the LDAP_SERVER_DIRSYNC_OID control under the covers. Simply make an initial search, store the cookie, and then later search again and send the cookie. It will return only the objects that have changed.
- Benefits
- This is an easy model to follow. Both System.DirectoryServices and System.DirectoryServices.Protocols support this option.
- Filtering can reduce what you need to bother with. As an example, if my initial search is for all users "(objectClass=user)", I can subsequently filter on polling with "(sn=dunn)" and only get back the combination of both filters, instead of having to deal with everything from the intial filter.
- Windows 2003+ option removes the administrative limitation for using this option (object security).
- Windows 2003+ option will also give you the ability to return only the incremental values that have changed in large multi-valued attributes. This is a really nice feature.
- Deals well with deleted objects.
- Disadvantages
- This is .NET 2.0+ or later only option. Users of .NET 1.1 will need to use uSNChanged Tracking. Scripting languages cannot use this method.
- You can only scope the search to a partition. If you want to track only a particular OU or object, you must sort out those results yourself later.
- Using this with non-Windows 2003 mode domains comes with the restriction that you must have replication get changes permissions (default only admin) to use.
- This is a polling technique. It does not track intermediate values either. So, if an object you want to track changes between the searches multiple times, you will only get the last change. This can be an advantage depending on the application.
- Change Notifications in Active Directory. This technique registers a search on a separate thread that will receive notifications when any object changes that matches the filter. You can register up to 5 notifications per async connection.
- Benefits
- Instant notification. The other techniques require polling.
- Because this is a notification, you will get all changes, even the intermediate ones that would have been lost in the other two techniques.
- Disadvantages
- Relatively resource intensive. You don't want to do a whole ton of these as it could cause scalability issues with your controller.
- This only tells you if the object has changed, but it does not tell you what the change was. You need to figure out if the attribute you care about has changed or not. That being said, it is pretty easy to tell if the object has been deleted (easier than uSNChanged polling at least).
- You can only do this in unmanaged code or with System.DirectoryServices.Protocols.
For the most part, I have found that DirSync has fit the bill for me in virtually every situation. I never bothered to try any of the other techniques. However, a reader asked if there was a way to do the change notifications in .NET. I figured it was possible using SDS.P, but had never tried it. Turns out, it is possible and actually not too hard to do.
My first thought on writing this was to use the sample code found on MSDN (and referenced from option #3) and simply convert this to System.DirectoryServices.Protocols. This turned out to be a dead end. The way you do it in SDS.P and the way the sample code works are different enough that it is of no help. Here is the solution I came up with:
public class ChangeNotifier : IDisposable
{ LdapConnection _connection;
HashSet<IAsyncResult> _results = new HashSet<IAsyncResult>();
public ChangeNotifier(LdapConnection connection)
{ _connection = connection;
_connection.AutoBind = true;
}
public void Register(string dn, SearchScope scope)
{ SearchRequest request = new SearchRequest(
dn, //root the search here
"(objectClass=*)", //very inclusive
scope, //any scope works
null //we are interested in all attributes
);
//register our search
request.Controls.Add(new DirectoryNotificationControl());
//we will send this async and register our callback
//note how we would like to have partial results
IAsyncResult result = _connection.BeginSendRequest(
request,
TimeSpan.FromDays(1), //set timeout to a day...
PartialResultProcessing.ReturnPartialResultsAndNotifyCallback,
Notify,
request
);
//store the hash for disposal later
_results.Add(result);
}
private void Notify(IAsyncResult result)
{ //since our search is long running, we don't want to use EndSendRequest
PartialResultsCollection prc = _connection.GetPartialResults(result);
foreach (SearchResultEntry entry in prc)
{ OnObjectChanged(new ObjectChangedEventArgs(entry));
}
}
private void OnObjectChanged(ObjectChangedEventArgs args)
{ if (ObjectChanged != null)
{ ObjectChanged(this, args);
}
}
public event EventHandler<ObjectChangedEventArgs> ObjectChanged;
#region IDisposable Members
public void Dispose()
{ foreach (var result in _results)
{ //end each async search
_connection.Abort(result);
}
}
#endregion
}
public class ObjectChangedEventArgs : EventArgs
{ public ObjectChangedEventArgs(SearchResultEntry entry)
{ Result = entry;
}
public SearchResultEntry Result { get; set;}}
It is a relatively simple class that you can use to register searches. The trick is using the GetPartialResults method in the callback method to get only the change that has just occurred. I have also included the very simplified EventArgs class I am using to pass results back. Note, I am not doing anything about threading here and I don't have any error handling (this is just a sample). You can consume this class like so:
static void Main(string[] args)
{ using (LdapConnection connect = CreateConnection("localhost")) { using (ChangeNotifier notifier = new ChangeNotifier(connect))
{ //register some objects for notifications (limit 5)
notifier.Register("dc=dunnry,dc=net", SearchScope.OneLevel); notifier.Register("cn=testuser1,ou=users,dc=dunnry,dc=net", SearchScope.Base);
notifier.ObjectChanged += new EventHandler<ObjectChangedEventArgs>(notifier_ObjectChanged);
Console.WriteLine("Waiting for changes..."); Console.WriteLine();
Console.ReadLine();
}
}
}
static void notifier_ObjectChanged(object sender, ObjectChangedEventArgs e)
{ Console.WriteLine(e.Result.DistinguishedName);
foreach (string attrib in e.Result.Attributes.AttributeNames)
{ foreach (var item in e.Result.Attributes[attrib].GetValues(typeof(string)))
{ Console.WriteLine("\t{0}: {1}", attrib, item); }
}
Console.WriteLine();
Console.WriteLine("===================="); Console.WriteLine();
}
And there you have it... change notifications in .NET. You can also download my project file for Visual Studio 2008.
Monday, October 29, 2007
This is just a reminder that you should not use server-side sorting with your queries in Active Directory or ADAM. This situation was reinforced when a reader asked me why a particular ASQ (attribute scope query) was failing with an error when querying a rather large group (more than 20,000 members). The customer was getting a fairly nondescript error, "The server does not support the requested critical extension" about halfway through his results.
After checking the network trace, and handing the DSID error back to my buddy Eric - we (more he, than me) determined it was failing in the code path for sorting. It turns out that sorting this much data on the server requires temp table space. If you run out of space before the sorting is complete you get this type of error. This is not particular to ASQ by any means, but all sorting.
The moral of story is don't sort on the server. This is a very real example of why this is the case. You can always easily sort once you have results on the client.
Friday, August 10, 2007
Link pair attributes in Active Directory and ADAM can be quite big. I don't know the official limit, but needless to say, for practical purposes you can assume they are quite large indeed. By default, AD and ADAM will not return the entire attribute if it contains more than a certain number of values (1000 for Windows 2000 and 1500 for Windows 2003+ by default). As such, if you truly want robust code, you need to always use what is called range retrieval for link value paired attributes.
Range retrieval is a process similar to paging in directory services, whereby you ask the directory for a certain range of particular attribute. You know that you are using range retrieval when you see the attribute being requested in the following format:
"[attribute];range=[start]-[end]"
As an example, in the case of the 'member' attribute, you might ask for the first 1500 values like so:
"member;range=0-1499"
Notice, it is zero based so you need to take this into account. The general algorithm as such is:
- Ask for as big as you can get. This means use the "*" for the ending range to ask for it all.
- The directory will respond with either the actual max value (some integer), or with a "*" indicating you got everything. If you got everything, you are done.
- If not, using the max value now as your step, repeatedly ask for larger and larger values inside a loop until the directory responds with a "*" as the end range.
We covered how to use range retrieval in SDS in our book, and you can download sample code that shows how from the book's website. What we didn't cover was how to do it in SDS.P.
SDS.P is a layer closer the the metal than our ADSI based System.DirectoryServices (SDS). As such, if you are expected to do range retrieval for SDS, you can be assured that you need to do it for SDS.P as well. Adopting the code SDS, you get something like this (but modified to some extent):
static List<string> RangeRetrieve(
LdapConnection connect, string dn, string attribute)
{
int idx = 0;
int step = 0;
List<string> list = new List<string>();
string range = String.Format(
"{0};range={{0}}-{{1}}",
attribute
);
string currentRange = String.Format(range, idx, "*");
SearchRequest request = new SearchRequest(
dn,
String.Format("({0}=*)", attribute),
SearchScope.Base,
new string[] { currentRange }
);
SearchResultEntry entry = null;
bool lastSearch = false;
while (true)
{
SearchResponse response =
(SearchResponse)connect.SendRequest(request);
if (response.Entries.Count == 1) //should only be one
{
entry = response.Entries[0];
//this might be optimized to find full step or just use 1000 for
//compromise
foreach (string attrib in entry.Attributes.AttributeNames)
{
currentRange = attrib;
lastSearch = currentRange.IndexOf("*", 0) > 0;
step = entry.Attributes[currentRange].Count;
}
foreach (string member in
entry.Attributes[currentRange].GetValues(typeof(string)))
{
list.Add(member);
idx++;
}
if (lastSearch)
break;
currentRange = String.Format(range, idx, (idx + step));
request.Attributes.Clear();
request.Attributes.Add(currentRange);
}
else
break;
}
return list;
}
Happy coding... of course, if you are clever you will realize you can avoid all this range retrieval mess by using an attribute scope query (ASQ). :)
*edit: tried to fix the style for code to render in Google Reader correctly
Wednesday, August 1, 2007
I have previously covered pretty extensively the options for getting a user's group membership in Active Directory or ADAM (soon to be Active Directory LDS (Lightweight Directory Services)) here on the blog, in the forum, and in the book. However, there is a new option for users of .NET 3.5 that should be of interest.
The Directory Services group at Microsoft has released in beta form a new API for dealing with a lot of the common things we need to do with users, groups, and computers in Active Directory, ADAM, and the local machine. This API is called System.DirectoryServices.AccountManagement (or SDS.AM). Here is a simple example of how to get a users groups (including nested, and primary):
static void Main(string[] args)
{
PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
using (ctx)
{
Principal p = Principal.FindByIdentity(ctx, "ryandunn");
using (p)
{
var groups = p.GetGroups();
using (groups)
{
foreach (Principal group in groups)
{
Console.WriteLine(group.SamAccountName + "-" + group.DisplayName);
}
}
}
}
Console.ReadLine();
}
That's not too bad - in fact, it looks worse than it is because I am trying to make sure everything is wrapped in a 'using' statement where necessary. The equivalent code to do this would be many times more (using DsCrackNames or LDAP searches) and would yield far less information being returned (just the DN in most cases).
Over the next few weeks and months, I intend to dig more deeply into this namespace and put some samples up here for everyone. This is just a taste for now, but it should show you how powerful this namespace really is.
*Updated to fix CSS renderings in Google Reader
Sunday, April 15, 2007
Fellow MVP, Ethan Wilansky has a new article on MSDN outlining the System.DirectoryServices.Protocols stack. I haven't had a chance to read every last word in it yet (it's a huge article!), but it appears to show roughly 80% of everything you might want to do with SDS.P. Check it out.
Link to Introduction to System.DirectoryServices.Protocols (S.DS.P)
Thursday, April 5, 2007
If hot-LDAP-filter-action is your thing, but you were let down in my last post since it required SP2 and Longhorn, then this should get you all hot and bothered again: Hotfix for SP1.
I know, it's a hotfix - which means you have to contact Microsoft to get it. But if you want to take advantage of the new LDAP_MATCHING_RULE_IN_CHAIN without upgrading to SP2 or Longhorn, then this is it.
Tuesday, March 20, 2007
I was speaking with Eric Fleischman at the MVP summit this year and he told me about a neat feature you will find in Window Server 2003 SP2 and Longhorn server. It is a new type of matching rule ID filter that allows for transitive link value evaluation. This is one filter type that is incredibly useful and you will want to know about.
First some background: a matching rule ID filter is a special syntax filter that allows for an arbitrary search behavior as defined by the matching rule. Active Directory and ADAM only shipped with two matching rules until recently: LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) and LDAP_MATCHING_RULE_BIT_OR (1.2.840.113556.1.4.804). We commonly used these matching rules to check our bitwise flag values. For instance, here is the key portion of the filter that specifies an account is disabled:
(userAccountControl:1.2.840.113556.1.4.803:=2)
Notice that we have the attribute name we are searching on, the rule OID we want to use (the AND rule), and the value to check (in decimal). Pretty simple, right?
The new matching rule is called LDAP_MATCHING_RULE_IN_CHAIN and it has an OID of 1.2.840.113556.1.4.1941. This new rule allows us to search across all DN-syntax attributes recursively and evaluate the entire tree of relationships (hence the transitive name).
Evaluating Group Membership
Where we will typically see this used is in group membership evaluation. Specifically, it answers two questions that are constantly asked by developers: What groups are my user a member of? and What users are in this group?
It is really simple to use this filter, so here we go. The first question is, what groups is my user a member of?
(member:1.2.840.113556.1.4.1941:=CN=User1,OU=X,DC=domain,DC=com)
The next question, what users are in this group?
(memberOf:1.2.840.113556.1.4.1941:=CN=A Group,OU=Y,DC=domain,DC=com)
If we place base this search on the main partition and use a subtree search, it will return for us all the matches across the domain. However, if we scope the second search to a specific user object and use a base search, it is a quick and dirty way of telling us if the user is a member of the group. Hence, this would also work for a type of IsInRole() function:
public bool IsUserMember(DirectoryEntry user, string groupDN)
{
string filter = String.Format(
"(memberOf:1.2.840.113556.1.4.1941:={0})", groupDN);
DirectorySearcher ds = new DirectorySearcher(
user,
filter,
null,
SearchScope.Base);
return (ds.FindOne() != null);
}
Now, I want to also point out that this sort of code also makes me cringe a little bit thinking about the abuse that can occur... Remember, it is performing a search each and every time you want to check group membership. It is still a better idea to build the entire group membership of a user and store it in one of the IPrincipal classes and use the .IsInRole() functionality to keep network access to a minimum.
Creating an Org Chart
The other area where we will find this filter being pretty handy is when we want to find all the users that directly and indirectly report to a single person. This is the typical situation when building org charts or trying to find the users for a mailing list. Here is one such example:
public static void GetOrgChart(DirectoryEntry entry, string bossDN)
{
string filter = String.Format(
"(&(mail=*)(manager:1.2.840.113556.1.4.1941:={0}))",
bossDN);
DirectorySearcher ds = new DirectorySearcher(
entry,
filter
);
using (SearchResultCollection src = ds.FindAll())
{
foreach (SearchResult sr in src)
{
Console.WriteLine(sr.Properties["mail"][0]);
}
}
}
Performance
The next question we will want to answer for this new filter type is the performance relative to the code required to process this recursively. I will use the code I presented here to test the recursive case and compare it to a simple filter of:
(memberOf:1.2.840.113556.1.4.1941:=CN=BigNestedGroup,OU=X,DC=Y)
So, to cut to the chase, how does the new filter compare to recursively chasing DN link pairs yourself? Short answer... it doesn't. The code I wrote for the book and here on the blog blows it away by a factor of 10. I have to admit that before I ran the tests, I expected the new filter to run circles around my code and I was pretty shocked when the reverse was actually true. I tested this using 3 nested groups each with 100 members and running both the recursive search and the transitive search 100 times and averaging the results. To expand the lead group with 300 direct and indirect members took roughly half a second using a transitive filter (409ms) as compared to only (41ms) using the recursive search. This would have a big impact on server apps serving many of these searches, but would probably not be a huge factor in client side apps or where a smallish number of these searches are performed.
Summary
The transitive filter is a great new addition and can greatly simplify the code that you have to write. This new filter is not without pitfalls however. Make sure you are cognizant of the performance tradeoffs that are inherent in choosing this filter as it is considerably slower to use.
Friday, February 9, 2007
One of the neater abstractions we get using ASP.NET 2.0 is the ObjectDataSource. Essentially it allows us to specify our own objects or some arbitrary object graph as a datasource for databinding operations. Combined with the new GridView class it can be very powerful. Built in to both of these objects are methods for Selecting, Updating, Deleting, and Inserting. This allows you to plug-in your own code to manage each of these operations.
If we want to adapt this to support reading and updating (including adds and deletes) from AD or ADAM, we just need to put a few methods in place and hook them into the ObjectDataSource abstraction. The nice thing here is that it includes parameter support pretty easily. This allows us to add new values or update existing values. By specifying a data key (DataKeyNames) on the Gridview, it also allows us to uniquely index which object we are modifying.
I chose for this example to show a simple Select, Update, and Delete using a GridView and the ObjectDataSource. It only required me to configure 3 methods (one for each) and declaratively setup the parameters I would be using. I chose to use the 'objectGuid' for the key name since this is guaranteed to be unique and will always point me to the right object. However, I could also have used the DN as the key value in this case as well. If I had done that, it would have saved me a little bit of complication due to the need to rebind when using the GUID value for certain operations.
Keep in mind that this is just a simple sample of how this can be done and is not something that should be put into production as-is. The whole point of this is to show how the GridView gives us easy updating and reading of values, while the ObjectDataSource is used as our abstraction for operations on data. In the past, this would not have worked well because the DataGrid was so geared towards relational data like SQL. It would have been much more convoluted to get the same functionality. Being able to write only 3 methods and have working ASP.NET viewing and editing application is pretty neat.
You can download the sample here.
Wednesday, January 24, 2007
The task of figuring out your Active Directory NETBIOS domain name comes up now and again. This is the process of turning something like "DC=yourdomain,DC=com" into something like "YOURDOMAIN". This is important if you want to do things like prefix this name on the 'sAMAccountName' of a user for instance. There are three ways of doing this (perhaps more). I will cover each broadly.
Guess
Yes, that's right. You can pretty much guess what it is by parsing the DN of the defaultNamingContext. If you had something like "DC=yourdomain,DC=com", it seems a pretty good guess that the NETBIOS name is "YOURDOMAIN". However, this method of course is not foolproof. For whatever reason, your Active Directory admins might have decided to do something stupid - like say add a big dash (-) and some other random nonsense into the NETBIOS name. Who knows why they do this, but hey, they can and do (I suspect they hate their users). So, in this case, "DC=yourdomain,DC=com" might have a NETBIOS name of "YOURDOMAIN-CORP" for instance (it also means you have to type this every damn time you need to supply credentials as well in NT4 domain\user format).
DsCrackNames
You can simply use DsCrackNames to convert from DN format to NT4 format and it will work fine. Pass the DN (e.g. "DC=yourdomain,DC=com") and you will get back the NETBIOS name. This includes IADsNameTranslate if that is up your alley too. Since there is no easy way to use either from .NET unless you build your own, this might not be your first choice.
LDAP Query
Finally, we get to the last method. First, we connect to the RootDSE of the domain and inspect the following two properties: "configurationNamingContext" and "defaultNamingContext". Then we bind to the configuration partition (using the first of these properties) and perform the following search: (&(objectCategory=crossRef)(nCName={0})) where {0} is the value you just got from the RootDSE for the 'defaultNamingContext'. You should get one result. Now, just read back the 'nETBIOSName' attribute and there you have it.
If you are shipping software that needs to do this, obviously you should use one of the last two methods. Guessing probably will just not cut it for anything that is just not quick and dirty.
Monday, October 30, 2006
I have been hanging on to this post for some time now and never getting around to polishing it up and putting it out. Eric Fleischman’s recent posting on SDS.P has inspired me to get some more content out there, however. For whatever reason, this is a poorly documented topic that probably deserves a series of postings on it. We neglected this topic mostly in the book because we had concerns about exceeding a certain # of pages on an already pretty dense topic. I wonder if there would be any demand for a book on this subject?
Previously, I demonstrated how you need to perform paging in SDS.P using the cookie and the paging control. There is a lot more to take care of here than how it is done with ADSI and System.DirectoryServices (SDS). Now, what if we really wanted to perform this type of search asynchronously? We actually wrote a sample in the book to show how asynchronous searching is done in SDS.P, but to keep it simple I left out the whole problem of paging. Let’s be honest, any useful searching is probably going to need to handle paging as well.
SDS.P supports asynchronous searching directly, unlike SDS. It is entirely possible to emulate this behavior in SDS by leveraging a general asynchronous pattern supported in .NET (e.g. by way of delegates, background thread workers, or the thread pool), but there is nothing in SDS to support asynchronously searching directly. Hold on you say! What about .NET 2.0 and the fancy new property on the DirectorySearcher called Asynchronous? That is what we call a very misleading property. While it actually sets the underlying ADS_SEARCHPREF_ASYNCHRONOUS option on the IDirectorySearch interface, the SDS model consumes the results synchronously, netting you exactly nothing. I honestly wish they (the SDS .NET team) would just not have exposed that one if you couldn’t really use it.
Let’s look at the most basic pattern for how this can be accomplished:
- Create a connection to the LDAP directory (LdapConnection).
- Create a searching request operation (SearchRequest)
- Add a paging control to the SearchRequest to control paging
- Invoke the method asynchronously using LdapConnection.BeginSendRequest
- Provide a callback method to handle the results.
Simple, no? It actually looks harder than it is.
When I set out creating this sample, I had a particular use in mind. Specifically, I wanted to create an easy searching object – something where I wouldn’t have to worry about paging and that could also handle performing multiple searches on the same instance. That last point, as you will see makes for additional complication. I started with my usage model or how I visualized that I wanted to use it:
using (LdapConnection connection = CreateConnection(servername))
{ AsyncSearcher searcher = CreateSearcher(connection);
//this call is asynch, so we need to keep this main
//thread alive in order to see anything
//we can use the same searcher for multiple requests - we just have to track which one
//is which, so we can interpret the results later in our events.
_firstSearch = searcher.BeginPagedSearch(baseDN, "(sn=d*)", null, 500);
_secondSearch = searcher.BeginPagedSearch(baseDN, "(sn=f*)", null, 500);
//we will use a reset event to signal when we are done (using Sleep() on
//current thread would work too...)
_resetEvent.WaitOne(); //wait for signal;
}
I also knew that I would want to be notified of a couple key events that would occur with my object. Specifically, whenever a page was returned and when the final search was complete:
static AsyncSearcher CreateSearcher(LdapConnection connection)
{ AsyncSearcher searcher = new AsyncSearcher(connection);
//assign some handlers for our events
searcher.PageCompleted += new EventHandler<AsyncEventArgs>(searcher_PageCompleted);
searcher.SearchCompleted += new EventHandler<AsyncEventArgs>(searcher_SearchCompleted);
return searcher;
}
This would allow me to hook up a couple handlers that would be invoked each time a page came back or my search was finished.
static void searcher_SearchCompleted(object sender, AsyncEventArgs e)
{ //this is volatile, so we need check it first or another thread
//could change this from under us
bool lastSearch = (((AsyncSearcher)sender).PendingSearches == 0);
Console.WriteLine(
"{0} Search Complete on thread {1}", e.RequestID.Equals(_firstSearch) ? "First" : "Second",
Thread.CurrentThread.ManagedThreadId
);
if (lastSearch)
_resetEvent.Set();
}
static void searcher_PageCompleted(object sender, AsyncEventArgs e)
{ //or do something with e.Results here...
Console.WriteLine(
"Found {0} results on thread {1} for {2} search", e.Results.Count,
Thread.CurrentThread.ManagedThreadId,
e.RequestID.Equals(_firstSearch) ? "first" : "second"
);
}
The complication with this model has to do with the fact that I wanted to be able to use the same object to search multiple times. I could have limited my AsyncSearcher class to disallow more than one search at a time, but I thought that would be lame if I had to spin up a new instance and set of handlers for each search I wanted to perform. Since I could only register for one paging and one completion event and yet multiple searches could be firing it, I needed a way to distinguish one search from another. I decided to return a unique Guid for each search that could be matched up later to determine which search was activating the event. With more time, I suppose I could have wrapped the Guid in something a little prettier or easier to use, but it suffices for this sample.
I also decided that I wanted to return results by pages as I got them as well as the huge block of them on completion of the search. To do this, I created a simple class to hold the results called AsyncEventArgs:
/// <summary>
/// Just a simple class to hold some results
/// </summary>
public class AsyncEventArgs : EventArgs
{ Guid _id;
List<SearchResultEntry> _entries;
public AsyncEventArgs(List<SearchResultEntry> entries, string requestID)
{ _entries = entries;
_id = new Guid(requestID);
}
public List<SearchResultEntry> Results
{ get
{ return _entries;
}
}
public Guid RequestID
{ get
{ return _id;
}
}
}
I could have created a different EventArg class depending on the type of event being fired, but I didn’t think it was worth it as this point. Now that I had how I wanted to use the object nailed down a bit, I created the actual implementation. The logic goes something like this in:
- Setup initial search and kick it off (steps 1–5 above), register a callback and pass my SearchRequest as state.
- Callback now picks up request and unwraps the SearchRequest (which also tells me which unique search I am after here) and calls LdapConnection.EndSendRequest()
- Pull the results from the resulting SearchResponse and fire the PageCompleted event – passing them as EventArgs
- Next, determine if the SearchResponse has a cookie and if it does, call BeginSendRequest again with updated paging cookie and point it back to my original callback (#2). This means there is a lot of 2 through 4 going on here as each page gets processed and the PageCompleted event fires.
- If the cookie in #4 is empty, then I am done and I fire the SearchCompleted event and pass as EventArgs all the results I have been collecting internally in a hashtable keyed to the original request Guid.
Here is what that class looks like:
public class AsyncSearcher
{ LdapConnection _connect;
Hashtable _results = new Hashtable();
public event EventHandler<AsyncEventArgs> SearchCompleted;
public event EventHandler<AsyncEventArgs> PageCompleted;
public AsyncSearcher(LdapConnection connection)
{ this._connect = connection;
this._connect.AutoBind = true; //will bind on first search
}
/// <summary>
/// Volatile count of outstanding searches in process
/// </summary>
public int PendingSearches
{ get
{ return _results.Count;
}
}
private void InternalCallback(IAsyncResult result)
{ SearchResponse response = this._connect.EndSendRequest(result) as SearchResponse;
ProcessResponse(response, ((SearchRequest)result.AsyncState).RequestId);
//find the returned page response control
foreach (DirectoryControl control in response.Controls)
{ if (control is PageResultResponseControl)
{ //call paged search again
NextPage((SearchRequest)result.AsyncState, ((PageResultResponseControl)control).Cookie);
break;
}
}
}
private void ProcessResponse(SearchResponse response, string guid)
{ //only 1 thread at a time gets here...
List<SearchResultEntry> entries = new List<SearchResultEntry>();
foreach (SearchResultEntry entry in response.Entries)
{ entries.Add(entry);
}
//signal our caller that we have a page
EventHandler<AsyncEventArgs> OnPage = PageCompleted;
if (OnPage != null)
{ OnPage(
this,
new AsyncEventArgs(entries, guid)
);
}
//add to the main collection
((List<SearchResultEntry>)_results[guid]).AddRange(entries);
}
public Guid BeginPagedSearch(
string baseDN,
string filter,
string[] attribs,
int pageSize
)
{ Guid guid = Guid.NewGuid();
SearchRequest request = new SearchRequest(
baseDN,
filter,
System.DirectoryServices.Protocols.SearchScope.Subtree,
attribs
);
PageResultRequestControl prc = new PageResultRequestControl(pageSize);
//add the paging control
request.Controls.Add(prc);
//we will use this to distinguish multiple searches.
request.RequestId = guid.ToString();
//create a temporary placeholder for the results
_results.Add(request.RequestId, new List<SearchResultEntry>());
//kick off async
IAsyncResult result = this._connect.BeginSendRequest(
request,
PartialResultProcessing.NoPartialResultSupport,
new AsyncCallback(InternalCallback),
request
);
return guid;
}
private void NextPage(SearchRequest request, byte[] cookie)
{ //our last page is when the cookie is empty
if (cookie != null && cookie.Length != 0)
{ //update the cookie and preserve page size
foreach (DirectoryControl control in request.Controls)
{ if (control is PageResultRequestControl)
{ ((PageResultRequestControl)control).Cookie = cookie;
break;
}
}
//call it again to get next page
IAsyncResult result = this._connect.BeginSendRequest(
request,
PartialResultProcessing.NoPartialResultSupport,
new AsyncCallback(InternalCallback),
request
);
}
else
{ List<SearchResultEntry> results = (List<SearchResultEntry>)_results[request.RequestId];
//decrement our collection when we are done
_results.Remove(request.RequestId);
//we have finished, signal the caller
EventHandler<AsyncEventArgs> OnComplete = SearchCompleted;
if (OnComplete != null)
{ OnComplete(
this,
new AsyncEventArgs(results, request.RequestId)
);
}
}
}
}
I originally toyed with the idea of having the AsyncSearcher manage the connection to the directory, but ultimately decided that it was a bad idea for two main reasons. First, not everyone will construct the connection the same. Some people will use SSPI, others SSL, perhaps different ports, even certificates or otherwise. The other reason is that the lifetime of the connection is harder to control from inside another class. Wrapping it in a “using” statement won’t work because the connection must be open the whole time during the callbacks. Cleaning it up in a Dispose() method is sloppy as well because it leads to the client needing to know that they should keep this object around until all their events fire. By pulling the LdapConnection out, I am implicitly telling clients they need to manage the connection themselves.
You can download this class along with a sample client as an attachment to this post. Next time, perhaps we will delve into retrieving partial results.
File Attachment: AsynchClient.zip (5 KB).
Friday, August 4, 2006
So, this is really a lesson learned about putting together a book and code samples. Namely, refactoring your code just before the final cut is generally not a good idea. Or perhaps I should say, refactoring your code and not thoroughly testing it is not a good idea.
In Chapter 12 of the book, we had a number of examples for how to perform authentication. One of them was using System.DirectoryServices.Protocols (SDS.P). The sample tried a number of techniques – first a secure SSL bind using Fast Concurrent Binding (FCB), then it tried either a secure SPNEGO bind or a Digest bind (if ADAM). Well, initially these were all different samples. I thought it might be nice to tie them all together a bit more comprehensively – hence the refactoring. I figured that a bigger sample that did more in a practical manner was more useful than a few line snippets that showed each one.
Anyhow, what ended up happening is that I broke the FCB authentication during the refactoring. Because of unforseen testing environment meltdown a week earlier I did not have the proper Win2k3 clients to test again (it used to work, really!). So… I borked it because the FCB code never got tested again.
One of my Avanade co-workers was actually implementing something like this and asked why it was not working. At first I chalked it up to an environment thing, but after a closer inspection I noticed what the issue was. Namely, in my attempt to bring all the samples together I had attempted to reuse the same connection for authentication as the bootstrapping. Well, you can’t do that with FCB – you have to enable it before you bind and cannot turn it off until you close the connection.
The good news is that it is a fairly simple fix and I have already refactored (yet again) to support it. I will be posting that code in another week or so when I get back from vacation. Then poor Joe gets to convert it yet again to VB.NET. Mea Culpa…
My co-author
Joe Kaplan is finally online and blogging now. I have asked him for more Wix content since he knows a bunch more than me on it. More LDAP blogging goodness to come I am sure…
Thursday, July 27, 2006
You learn something new everyday. I had been under the mistaken belief that the new ‘msDs-User-Account-Control-Computed’ attribute was a sexier and more accurate version of the older, non-constructed ‘userAccountControl’. In fact, I believe it might have been me that wrote words to that effect in the book.
Yeah… well… whoops. An errata post is coming.
If we recap what we did not like about ‘userAccountControl’ it was that it did not accurately reflect all the user flags (PasswordExpired, PasswordCannotChange, and AccountLockout specifically) for the LDAP provider. It would seem natural that the ‘msDs-User-Account-Control-Computed’ attribute was identical to the ‘userAccountControl’ attribute, but also accurately reflected those 3 flags. At least for Active Directory, this is just not true. It turns out that this sucker will be zero for everything except AccountLockout and PasswordExpired. Boo, hiss…
So, what seemed like a promising replacement for an all-in-one user flags smorgasbord, is in fact a bit of an anorexic turd. Why MS chose this particular behavior is beyond me…
The moral of the story? You are still stuck with using both attributes – and even then you can’t get an accurate PasswordCannotChange flag. Bummer.
Monday, July 24, 2006
I am revisiting this particular topic once again to finish it up. Last time, we established a general pattern for searching any DN syntax attribute in Active Directory or ADAM and chasing down all the nested results in either direction (i.e. forward link to back link or vice versa). The solution worked well with one caveat: intermediate values. We often do not want to capture the intermediate values, but only the end results. As an example, if we were to expand the group membership for a group object (the ‘member’ attribute) to discover the users, we would not want to include the other nested groups as values in our results, but we would only want to include the users in those nested groups. In other words, we would want to exclude the intermediate values. This is different than another example, say of discovering an org chart by expanding the ‘directReports’ attribute where we would clearly want to know all the intermediate reports.
For the specific example of expanding a group object to get membership, I posted an example in the book that used recursion and specifically excluded the result if the ‘objectClass’ was ‘group’. I posed the question, “was this necessary?”. Or more specifically, “can we create a general solution that will deal with both cases for intermediate values?”
The answer, of course, is yes. We can pretty easily create a solution that will allow us to keep the intermediate values or discard them if we want. In the general case, we do not need to know the object types. In our example in the book, I think it was more clear what was happening by putting knowledge of the object type. However, it also could have been solved with a simple boolean and no knowledge of the objects themselves. Here is the revised solution. I am omitting the IADsPathname interface this time, but you can easily pull it from the last post.
public class RecursiveLinkPair
{
DirectoryEntry entry;
ArrayList members;
Hashtable processed;
string attrib;
bool includeAll;
public RecursiveLinkPair(DirectoryEntry entry, string attrib, bool includeIntermediate)
{
if (entry == null)
throw new ArgumentNullException("entry");
if (String.IsNullOrEmpty(attrib))
throw new ArgumentException("attrib");
this.includeAll = includeIntermediate;
this.attrib = attrib;
this.entry = entry;
this.processed = new Hashtable();
this.processed.Add(
this.entry.Properties[
"distinguishedName"][0].ToString(),
null
);
this.members = Expand(this.entry);
}
public ArrayList Members
{
get { return this.members; }
}
private ArrayList Expand(DirectoryEntry group)
{
ArrayList al = new ArrayList(5000);
DirectorySearcher ds = new DirectorySearcher(
entry,
"(objectClass=*)",
new string[] {
this.attrib,
"distinguishedName",
"objectClass" },
SearchScope.Base
);
ds.AttributeScopeQuery = this.attrib;
ds.PageSize = 1000;
using (SearchResultCollection src = ds.FindAll())
{
string dn = null;
foreach (SearchResult sr in src)
{
dn = (string)
sr.Properties["distinguishedName"][0];
if (!this.processed.ContainsKey(dn))
{
this.processed.Add(dn, null);
if (sr.Properties.Contains(this.attrib))
{
if (this.includeAll)
al.Add(dn);
SetNewPath(this.entry, dn);
al.AddRange(Expand(this.entry));
}
else
al.Add(dn);
}
}
}
return al;
}
//we will use IADsPathName utility function instead
//of parsing string values. This particular function
//allows us to replace only the DN portion of a path
//and leave the server and port information intact
private void SetNewPath(DirectoryEntry entry, string dn)
{
IAdsPathname pathCracker = (IAdsPathname)new Pathname();
pathCracker.Set(entry.Path, 1);
pathCracker.Set(dn, 4);
entry.Path = pathCracker.Retrieve(5);
}
}
This simple class uses the AttributeScopeQuery option to enumerate the attribute and then uses the utility interface IADsPathname to reset the entry as we recurse the results. So, we now finally have a generic solution that will work on all DN syntax attributes in both directions and with or without intermediate values.
Wednesday, May 31, 2006
A common task that any Active Directory developer will face is to expand group membership for a given group. This is a trivially simple task if we are only interested in finding direct group membership. Things can get much more complicated when nested or indirect group membership is also involved. Consider the following:
Group A: members – “Timmy”, “Alice”, “Bob”, “Group B”
Group B: members – “Jake”, “Jimmy”, “Nelson”
If we wanted to fully expand the group membership of Group A, we would expect to see 6 users in this case. The issue of course is that the membership for a group is held on the ‘member’ attribute. If we were to inspect this attribute directly, we would see only 4 members, with one of them being ‘Group B’. The problem of course is that we cannot tell just by looking at the ‘member’ attribute which one is a group and which ones are the object types we are interested in (in this case user objects). Short of a naming convention to indicate which is a group, we would have to bind or search for each object and determine if it was a group in order to continue the search. This is how it is done today using .NET 1.x. In fact – you can find an example of this by reading Chapter 11 and specifically viewing Listing 11.7. I am also glossing over a couple details for 1.x regarding large DN-syntax attributes – but you can read about that of course in Chapter 11 
. I also won’t post the code for expanding group membership using recursion in 2.0 because that code is already available for download from the book’s companion website (Listing 11.6). However, I will talk about this as a basis to discover a more general pattern.
Introduced with Windows 2003 and available to .NET 2.0 users is a new type of search called Attribute Scoped Query (ASQ). An ASQ allows us to scope our searches to any DN-syntax attribute. This powerful feature is ideal for things like membership expansion, or indeed, any DN-syntax attribute that should be expanded. By scoping our search on the DN, we can easily overcome some of the limitations in other methods (such as range retrieval), which leads to a simpler conceptual model.
Another example where we would want to expand DN-syntax attributes occurs when we are checking for employees managed directly and indirectly by a particular individual. For instance, we might have an employee that manages 1 employee that in turn manages 15 other employees. It is fair to say in most organizations that the first employee really manages 16 employees rather than just one. We have to use recursion however to fully expand this relationship. The employee carries their manager’s DN on the attribute ‘manager’, while the manager has a backlink to the employee on the ‘directReports’ attribute. This is a similar class of problem as the group membership expansion.
If we look at these two examples, we should notice some similarities and some key differences. In both cases, we have the DN of another object to describe the relationship. In both cases, we need to chase that DN to see if it in turn references other DNs. However, there are two key differences. First, in the case of group membership, we don’t care to see the intermediate results (e.g. Group B), but only the fully expanded members. Next, for group membership, we are chasing a multi-valued forward link (the ‘member’ attribute), while in the employee example, we are chasing the backlink (the ‘directReports’ attribute). The question we should consider is whether these differences will change our pattern. They would be almost identical problems if the employee was trying to figure out all their bosses, or the user was trying to determine all their group memberships.
<Jeopardy music playing> So, do the two differences matter? What if the forward link is single-valued (‘manager’ as opposed to ‘member’ for example)? </Jeopardy music playing>
The answer is yes and no. The problem with excluding intermediate results certainly must be accounted for, but whether or not it is the backlink or forward link actually has no bearing on the problem. It turns out that ASQ searches work just fine with DN-syntax attributes of either type – even when the forward link is single-valued.
Ignoring the intermediate value issue for now, we can produce a generalized solution for any DN-syntax recursion:
public class RecursiveLinkPair
{
DirectoryEntry entry;
ArrayList members;
Hashtable processed;
string attrib;
public RecursiveLinkPair(DirectoryEntry entry, string attrib)
{
if (entry == null)
throw new ArgumentNullException("entry");
if (String.IsNullOrEmpty(attrib))
throw new ArgumentException("attrib");
this.attrib = attrib;
this.entry = entry;
this.processed = new Hashtable();
this.processed.Add(
this.entry.Properties[
"distinguishedName"][0].ToString(),
null
);
this.members = Expand(this.entry);
}
public ArrayList Members
{
get { return this.members; }
}
private ArrayList Expand(DirectoryEntry group)
{
ArrayList al = new ArrayList(5000);
DirectorySearcher ds = new DirectorySearcher(
entry,
"(objectClass=*)",
new string[] {
this.attrib,
"distinguishedName"
},
SearchScope.Base
);
ds.AttributeScopeQuery = this.attrib;
ds.PageSize = 1000;
using (SearchResultCollection src = ds.FindAll())
{
string dn = null;
foreach (SearchResult sr in src)
{
dn = (string)
sr.Properties["distinguishedName"][0];
if (!this.processed.ContainsKey(dn))
{
this.processed.Add(dn, null);
al.Add(dn);
if (sr.Properties.Contains(this.attrib))
{
SetNewPath(this.entry, dn);
al.AddRange(Expand(this.entry));
}
}
}
}
return al;
}
//we will use IADsPathName utility function instead
//of parsing string values. This particular function
//allows us to replace only the DN portion of a path
//and leave the server and port information intact
private void SetNewPath(DirectoryEntry entry, string dn)
{
IAdsPathname pathCracker = (IAdsPathname)new Pathname();
pathCracker.Set(entry.Path, 1);
pathCracker.Set(dn, 4);
entry.Path = pathCracker.Retrieve(5);
}
}
[ComImport, Guid("D592AED4-F420-11D0-A36E-00C04FB950DC"), InterfaceType(ComInterfaceType.InterfaceIsDual)]
internal interface IAdsPathname
{
[SuppressUnmanagedCodeSecurity]
int Set([In, MarshalAs(UnmanagedType.BStr)] string bstrADsPath, [In, MarshalAs(UnmanagedType.U4)] int lnSetType);
int SetDisplayType([In, MarshalAs(UnmanagedType.U4)] int lnDisplayType);
[return: MarshalAs(UnmanagedType.BStr)]
[SuppressUnmanagedCodeSecurity]
string Retrieve([In, MarshalAs(UnmanagedType.U4)] int lnFormatType);
[return: MarshalAs(UnmanagedType.U4)]
int GetNumElements();
[return: MarshalAs(UnmanagedType.BStr)]
string GetElement([In, MarshalAs(UnmanagedType.U4)] int lnElementIndex);
void AddLeafElement([In, MarshalAs(UnmanagedType.BStr)] string bstrLeafElement);
void RemoveLeafElement();
[return: MarshalAs(UnmanagedType.Interface)]
object CopyPath();
[return: MarshalAs(UnmanagedType.BStr)]
[SuppressUnmanagedCodeSecurity]
string GetEscapedElement([In, MarshalAs(UnmanagedType.U4)] int lnReserved, [In, MarshalAs(UnmanagedType.BStr)] string bstrInStr);
int EscapedMode { get; [SuppressUnmanagedCodeSecurity] set; }
}
[ComImport, Guid("080d0d78-f421-11d0-a36e-00c04fb950dc")]
internal class Pathname
{
}
Notice I am using the IADsPathName utility interface here. Since recursion requires us to re-base our search each time, we need to robustly update our DirectoryEntry instance’s .Path each time. This interface does a much better job than trying to write your own string parsing routines - especially when you need to preserve server and port information for things like ADAM. Whenever you see interfaces like this, check to make sure someone hasn’t already done the setup work for you. You can check the .NET framework or ActiveDs interop assembly using Reflector and find the declaration oftentimes.
The final issue we must deal with now is the problem of intermediate values – specifically how to exclude them. I am going to leave that exercise to the reader with just a hint:
- I only included 2 attributes in each search. If you have already seen my solution for Group Expansion in the book (Listing 11.6), you will notice that I make use of a 3rd attribute (objectClass). Did I need to?
Well, this is a long enough post for now. Signing off…
Thursday, May 11, 2006
With very little fanfare, I am announcing that the companion site for ‘The .NET Developer’s Guide to Directory Services Programming’ is available now. We have managed to snag a fairly relevant domain name for it and rushed to put out a Community Server based site (a review on this tool later perhaps). You can find it here:
Directory Programming .NET
Our first order of business is to get the code samples out there. Right now, we have released what I term the ‘raw’ samples as they are verbatim from the book (available here). The samples are still a great start even though they are slightly truncated in some cases. The truncation will only affect the more sophisticated examples we have in the book that would have taken pages of code to print in entirety.
My next order of business is to finish converting all the book samples into a more easy to consume test harness release. I say ‘test-harness’ in a loose manner as TDD guys will probably not be satisfied. I have put together ad-hoc test cases for each of the non-trivial samples in the book and modified them to work with configuration (so you don’t have to hardcode your domain over and over again, for instance). This is taking some time, but should be done shortly. Once this is done, you can use TestDriven.NET or NUnit to run these guys pretty easily.
Future plans for the site include more and more samples (not from the book necessarily) as well as a place for us to publish errata and updates as we find them. We have enabled the forums feature as of now and will gauge its usefulness as we go.
My co-author Joe is on the hook to convert all the samples to VB.NET. I don’t particularly envy him – we didn’t realize how many frickin samples we had until we tried to put them all together. He has his work cut out for him.
As for when you can get your hands on a copy of the book. The answer is… now. It is in stock at Addison-Wesley and Amazon and other retailers should have it stocked any time now. Brick and mortar stores will be last, but should be in the next week or so. Of course, purchasing it through my Amazon link on this site or the companion site would be appreciated since we are running this companion site out of our own pockets.
Friday, May 5, 2006
Sometimes AD Administrators would like to allow end users to update and maintain their own information in the directory. Of course, this is not without risk – more adventurous users will change their title to “Chief Code Monkey” or something perhaps even less professional. I was an ‘Executive Vice-President’ myself for some period of time and it made for some interesting phone conversations with co-workers that did not know me personally (it turns out people are pretty fearful of talking directly to EVPs).
However, by default, users have permission over a property set in the schema that allows them to update attributes on their own user object. If these permissions have not been updated from the default, the user will generally have free reign to update their own personal information. Which attributes, you ask? Earlier I demonstrated a way to determine what attributes are available on a given class. This involved finding the object we wanted in the directory and programmatically inspecting the schema. It turns out there is another way to achieve the same thing, and with a twist – allow us to see which attributes we can update ourselves.
Active Directory (and ADAM) contain a couple attributes called ‘allowedAttributes’ and ‘allowedAttributesEffective’ that tell us all of the attributes on a given object and all of the attributes on a given object that we are allowed to update, respectively. The first one, ‘allowedAttributes’ produces the exact output as inspecting the OptionalProperties and MandatoryProperties together (without distinction, however). It gets more interesting with the second one, because it opens the possibility that we can easily generate a dynamic UI to allow the user to update any attributes where their permission allows.
Here is one such example:
<%@ Assembly Name="System.DirectoryServices, Version=2.0.0000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" %>
<%@ Import Namespace="System.DirectoryServices" %>
<%@ Import Namespace="System.Text" %>
<html>
<head>
<script language="c#" runat="server">
static string adsPath = "LDAP://dc=yourdomain,dc=com";
private void Page_Load(object sender, System.EventArgs e)
{
if (!Page.IsPostBack)
{
SearchResult sr = FindCurrentUser(new string[] { "allowedAttributesEffective" });
if (sr == null)
{
msg.Text = "User not found...";
return;
}
int count = sr.Properties["allowedAttributesEffective"].Count;
if (count > 0)
{
int i = 0;
string[] effectiveAttributes = new string[count];
foreach (string attrib in sr.Properties["allowedAttributesEffective"])
{
effectiveAttributes[i++] = attrib;
}
sr = FindCurrentUser(effectiveAttributes);
foreach (string key in effectiveAttributes)
{
string val = String.Empty;
if (sr.Properties.Contains(key))
{
val = sr.Properties[key][0].ToString();
}
GenerateControls(key, val, parent);
}
}
}
else
{
UpdateControls();
}
}
private SearchResult FindCurrentUser(string[] attribsToLoad)
{
//parse the current user's logon name as search key
string sFilter = String.Format(
"(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))",
User.Identity.Name.Split(new char[] { '\\' })[1]
);
DirectoryEntry searchRoot = new DirectoryEntry(
adsPath,
null,
null,
AuthenticationTypes.Secure
);
using (searchRoot)
{
DirectorySearcher ds = new DirectorySearcher(
searchRoot,
sFilter,
attribsToLoad,
SearchScope.Subtree
);
ds.SizeLimit = 1;
return ds.FindOne();
}
}
private void GenerateControls(string attrib, string val, Control parent)
{
parent.Controls.Add(new LiteralControl("<div>"));
TextBox t = new TextBox();
t.ID = "c_" + attrib;
t.Text = val;
t.CssClass = "txt";
Label l = new Label();
l.Text = attrib;
l.AssociatedControlID = t.ID;
l.CssClass = "lbl";
parent.Controls.Add(l);
parent.Controls.Add(t);
parent.Controls.Add(new LiteralControl("</div>"));
}
private void UpdateControls()
{
SearchResult sr = FindCurrentUser(new string[] { "cn" });
if (sr != null)
{
using (DirectoryEntry user = sr.GetDirectoryEntry())
{
foreach (string key in Request.Form.AllKeys)
{
if (key.StartsWith("c_"))
{
string attrib = key.Split(new char[] { '_' })[1];
string val = Request.Form[key];
if (!String.IsNullOrEmpty(val))
{
Response.Output.Write("Updating {0} to {1}<br>", attrib, val);
user.Properties[attrib].Value = val;
}
}
}
user.CommitChanges();
}
}
btnSubmit.Visible = false;
Response.Output.Write("<br><br><a href=\"{0}\">< Back</a>", Request.Url);
}
</script>
<style>
.lbl
{
margin-left: 25px;
clear: left;
width: 250px;
}
.txt
{
width: 250px;
}
</style>
</head>
<body>
<form id="main" runat="server">
Data for user:
<%=User.Identity.Name%>
<br>
<br>
<asp:Label ID="msg" runat="server" />
<asp:Panel ID="parent" runat="server" />
<asp:Button ID="btnSubmit" runat="server" Text="Update" />
</form>
</body>
</html>
Pretty easy, eh? Sure, this one was whacked together in about 20 minutes, but you could create something similar that takes care of the single- vs. multi-value attribute treatment and make it a whole lot prettier with a little more effort.
This should be fairly obvious – but it bears mentioning: This requires you to use Integrated Windows Authentication with impersonation and your IIS server must be set for delegation. The whole point of this exercise was to allow the user to update their own information using their own credentials. Using a service account will show you what attributes the service account has permission to update on the object.
(thanks Paul for the css – yeah, I am teh suck on UI)
Friday, March 31, 2006
Joe and I had a great time on Wednesday presenting our talk on Directory Services Programming in .NET. Being the first time that we have ever presented together, we did no know exactly how it would work out. All in all, we felt it went pretty well. Thanks to everyone that attended!
One of the cool parts for us was that our publisher sent over some draft copies of the book. We knew our publisher was sending something, but we had thought it was a sample chapter or two. It was quite surprising to open the box and find the full text! Seeing your hard work in print for the first time almost gives you goose bumps.
As promised, I am attaching the presentation material to this post. It includes the updated presentation that we used as well as all the samples that we used during it. We actually did not get to one of the samples called Dirsync, which allows us to poll the directory periodically for updates, so check it out.
If anyone has questions on these samples or the topic itself, Joe and I can be reached through the MS newsgroups or the ASP.NET Forums. I would also suggest checking out what I consider useful System.DirectoryServices resources. I will try to keep that updated as I find more.
I had a great time in Las Vegas this last week at the DEC 2006 conference. It was great connecting with so many of the participants as well as the personalities involved in the presentations. There were some really good presentations that I attended (e.g. Guido, Dean & Joe, and Stuart’s), and getting to speak one-on-one with so many of the product manager’s of the involved technologies was great. The conference was big, but not TechEd big, so the interactions were of much better quality in my opinion.
I was surprised to run into only a couple people from Avanade there, however. Being a large Microsoft consulting company, I would have thought we would have more folks from our infrastructure practice there learning, if not speaking themselves.
The last day of the conference was fun. We had a nice dinner with a bunch of folks – Katherine Coombs, Joe Richards, Dean Wells, Paul Williams, Don Wells (Dean’s dad), and Eric. Listening to the different accents and slang (Dutch, Welsh, English, and Aussie/English mix) was a trip. On a side note – if Paul Williams is any indicator – Welshmen eat entire cakes for dinner and prefer their cow-flesh raw. When asked, “what temperature” he would like his burger cooked, Paul looked around quizzically and said, “warm?”. This was after, of course, he had devoured a 10 lb. brownie (not joking here) for lunch – we are talking a dense pile of chocolate that could cause serious injury if dropped on a man’s foot.
I did not have a hotel room for the last night before my 7am flight back to Cleveland. Initially, I had planned to stay up the night and just go to the airport nice and early. However, after Gil, Katherine, Dean, Jorge, Paul, and Ulf decided one after another to go to bed, I would have been left alone with the hardcore gamblers/insomniacs/general freaks in Vegas at that hour. Ulf was kind enough to let me have his extra bed for 3 invigorating hours of sleep before departing for the airport.
If Gil would have me back next year, I would definitely do it again.
Friday, March 17, 2006
One of the new features of .NET 2.0 is the System.DirectoryServices.Protocols (SDS.P) namespace that gives us access to the native LDAP api without relying on ADSI. We can accomplish pretty much anything now in LDAP using managed code and we get around some of the wonkiness of ADSI.
Performing a simple search in SDS.P is pretty straightforward actually. We just create a connection to the directory using the LdapConnection class, bind to the connection and then make request/response pairs on the connection. One of the request/response pairs is SearchRequest and SearchResponse. Without going into too many details, using these two classes in a synchronous manner is pretty easy. What might be surprising however is that developers will often run into the following error:
System.DirectoryServices.Protocols.DirectoryOperationException : The size limit was exceeded
This departs from System.DirectoryServices (SDS) and ADSI where we do not get errors for simple searches even if we have not enabled paging. In SDS, a similar query with DirectorySearcher would just return the MaxPageSize for the directory (usually 1000). We know from SDS that to get more than the MaxPageSize, we need to use paging. That is as simple as setting DirectorySearcher.PageSize > 0.
So, what about SDS.P. It turns out that one of the really nice things that ADSI did for us was make paging so seamless. If we wanted to use it, we simply asked for a specific page size and it just worked. Now, since we are at a lower level, we need to take care of these details ourselves (native LDAP programmers already know this of course).
How do we do this in SDS.P? Here is some sample code that implements paging and returns a collection of SearchResultEntry objects.
private List<SearchResultEntry> PerformPagedSearch(
LdapConnection connection,
string baseDN,
string filter,
string[] attribs)
{
List<SearchResultEntry> results = new List<SearchResultEntry>();
SearchRequest request = new SearchRequest(
baseDN,
filter,
System.DirectoryServices.Protocols.SearchScope.Subtree,
attribs
);
PageResultRequestControl prc = new PageResultRequestControl(500);
//add the paging control
request.Controls.Add(prc);
while (true)
{
SearchResponse response = connection.SendRequest(request) as SearchResponse;
//find the returned page response control
foreach (DirectoryControl control in response.Controls)
{
if (control is PageResultResponseControl)
{
//update the cookie for next set
prc.Cookie = ((PageResultResponseControl)control).Cookie;
break;
}
}
//add them to our collection
foreach (SearchResultEntry sre in response.Entries)
{
results.Add(sre);
}
//our exit condition is when our cookie is empty
if (prc.Cookie.Length == 0)
break;
}
return results;
}
Monday, February 13, 2006
A major milestone was reached today. My co-author, Joe Kaplan, and I have finally finished the copyedit process for our book. This has been a very long book in the making and we are both pretty excited that the end is near. We still have a few more rounds to go with proofs and what not, but for the most part, it is all done. The next big focus for us will be to get the companion web site in order. I won’t share the URL for it yet, but it should have some great code that we developed for this book to share.
If anyone was wondering why I have not been in the forums as much as normal these last few weeks, its because we have been heads down trying to get this all wrapped up.
Thursday, December 22, 2005
I did not get to put all the material I wanted to into the book, so I figure some of the stuff we have left out will make good material for a blog entry here and there.
Active Directory and ADAM both have a special container called “CN=Deleted Objects” that can only be viewed by administrators by default. When we delete objects in either of these directories, the entries are typically moved there and most of their attributes are stripped off. This is done such that other replication partners know which items were deleted. These objects are now referred to as ‘tombstones’. The system will hold these objects for a set period of time (60 days or so IIRC) before purging them completely.
Now, occasionally we run into situations where we want to resurrect one of the tombstones. This is typically when we need an object to have the identical GUID or SID it had while alive as simply recreating the object would generate new values for these attributes. There is an example on MSDN on how to resurrect these objects, but it is in C++. I thought it would be fun to show how to do this in System.DirectoryServices.Protocols as it has the capabilities to do this while System.DirectoryServices (ADSI) does not. We have to use the LDAP replace method in this case which is supported in the new Protocols namespace.
Instead of just posting a link to my code, I thought I would post it in whole here. Notice that my Lazarus (resurrected, get it?) class is using Well-known GUID binding. You should have your RootDSE return a defaultNamingContext for ADAM if you have not already done so.
class Lazarus : IDisposable
{
const string WK_TOMBSTONE = "18e2ea80684f11d2b9aa00c04f79f805";
string _defaultNC;
string _server;
DirectoryEntry _entry;
public Lazarus()
: this(null)
{
}
public Lazarus(string server)
{
_server = server;
DirectoryEntry root = new DirectoryEntry(
String.Format(
"LDAP://{0}RootDSE",
_server != null ? _server + "/" : String.Empty
)
);
using (root)
{
_defaultNC = root.Properties["defaultNamingContext"][0].ToString();
}
_entry = new DirectoryEntry(
String.Format(
"LDAP://{0}<WKGUID={1},{2}>",
_server != null ? _server + "/" : String.Empty,
WK_TOMBSTONE,
_defaultNC
),
null,
null,
AuthenticationTypes.Secure
| AuthenticationTypes.FastBind
);
}
public void ShowAllTombStones()
{
DirectorySearcher ds = new DirectorySearcher(
_entry,
"(isDeleted=TRUE)",
null,
System.DirectoryServices.SearchScope.OneLevel
);
ds.PageSize = 1000;
ds.Tombstone = true;
using (SearchResultCollection src = ds.FindAll())
{
foreach (SearchResult sr in src)
{
foreach (string key in sr.Properties.PropertyNames)
{
foreach (object o in sr.Properties[key])
{
Console.WriteLine("{0}: {1}", key, o);
}
}
Console.WriteLine("====================");
}
}
}
private SearchResult GetTombstone(string name)
{
DirectorySearcher ds = new DirectorySearcher(
_entry,
String.Format("(&(isDeleted=TRUE)(name={0}*))", name),
new string[] { "cn", "lastKnownParent", "distinguishedName" },
System.DirectoryServices.SearchScope.OneLevel
);
ds.Tombstone = true;
return ds.FindOne();
}
public void RaiseFromTheDead(string name)
{
SearchResult deadGuy = GetTombstone(name);
if (deadGuy == null)
throw new ArgumentException("No object exists");
LdapConnection conn = new LdapConnection(
new LdapDirectoryIdentifier(_server),
System.Net.CredentialCache.DefaultNetworkCredentials,
AuthType.Negotiate
);
using (conn)
{
conn.Bind();
conn.SessionOptions.ProtocolVersion = 3;
//we have to remove the isDELETED attribute
DirectoryAttributeModification dam = new DirectoryAttributeModification();
dam.Name = "isDELETED";
dam.Operation = DirectoryAttributeOperation.Delete;
//and set a new dn string - a bit of a copout because
//I am always assuming a CN prefix.
string newDN = String.Format(
"CN={0},{1}",
deadGuy.Properties["cn"][0].ToString().Split(new char[]{'\n'})[0],
deadGuy.Properties["lastKnownParent"][0]
);
//word of warning... 'lastKnownParent' is only guaranteed good
//on Windows Server 2003 and ADAM.
DirectoryAttributeModification dam2 = new DirectoryAttributeModification();
dam2.Name = "distinguishedName";
dam2.Operation = DirectoryAttributeOperation.Replace;
dam2.Add(newDN);
//kinda bizzare that a collection is not used
ModifyRequest mr = new ModifyRequest(
deadGuy.Properties["distinguishedName"][0].ToString(),
new DirectoryAttributeModification[] { dam, dam2 }
);
//we need to have the ShowDeletedControl to find this DN
mr.Controls.Add(new ShowDeletedControl());
//optionally, we must put any required attributes on the object
//as well. For user/computer, this might be 'sAMAccountName'
ModifyResponse resp = (ModifyResponse)conn.SendRequest(mr);
if (resp.ResultCode != ResultCode.Success)
{
//we should also check to see if it was already
//existing here (same DN).
Console.WriteLine(resp.ErrorMessage);
}
}
}
#region IDisposable Members
public void Dispose()
{
if (_entry != null)
_entry.Dispose();
}
#endregion
}
This is definitely sample code, but it should give a working idea of how to accomplish this. I think that as I used the .Protocols namespace, there were some usability issues that I question, however it is definitely a neat addition. I decided to mix using System.DirectoryServices with using .Protocols because I wanted to show how to do a Tombstone search using SDS as well.
Finally, this was tested on ADAM, but should work fine on AD. The usual warnings apply: This is not production code, don’t expect it to be and don’t cry to me if it breaks your machine horribly or your dog dies.
Enjoy, your comments are always welcome.
Keith beat me to it, but Joe and I have finally submitted the final manuscript. We have some copy editing left, but the book is mostly baked. It has been a long time in the making and we are very fortunate to have had some great reviewers like Keith giving us advice along the way.
There were a lot of things that we wished we could have covered (perhaps in another book) more in depth. It was a balancing act between trying to dump everything in our brains and not publishing a 900 page book. The final page count is around 450 pages right now, which is big, but not too intimidating.
All in all, this was a good experience. I did not know Joe very well when we started, but needless to say, we know each pretty well at this point and are good friends. I think the partnership worked pretty darn well for two first-time authors collaborating mostly over email and wiki. Joe knows his Directory Services very well and it would not nearly be the same book without him. Keith was slightly off in his description (it was over a year ago), but I knew about Joe from the newsgroups (where he was dropping some serious knowledge) and had suggested to Keith to contact him as the second author of this book. It was a great decision and I am glad Joe took it.
So, what is in the book? Pretty much all the basics for System.DirectoryServices, like binding, searching, reading and writing attributes. We cover the more advanced searches and data type marshaling as well as schema considerations and a discussion of security as well. Finally, we cover a more scenario, or ‘cookbook’ approach for the more popular topics like user and group management as well as authentication. We know what problems most users have and we try to address them in the scenarios.
Most of the samples in the book are going to be using System.DirectoryServices, though we do cover in places how to do things using the .Protocols namespace. Additionally, we have one chapter that gives developers a view of what is there in the .ActiveDirectory namespace that they might use (it is mostly for administrators).
It is important to know that this is truly a guide and we could not cover every single scenario. As part of the book’s website (or this blog), we will be adding new scenarios and how they can be accomplished as well. Additionally, we are going to release some very cool code that developers will be able to use in their own applications.
As always, we can be found in either the forums (http://forums.asp.net) or the newsgroups (microsoft.public.adsi.general). I am not usually on the newsgroups, but Joe camps there.
Wednesday, October 19, 2005
The question arises occasionally on how to dynamically determine what attributes are available for a given object in Active Directory (typically the user object). This is a different question than what attributes are actually populated with a value on an instance of the object. We can find what attributes are defined for an object by naturally looking into the schema for the object. This can be by inspecting the schema partition and searching for the class, or by taking an instance of the object and accessing the schema.
I will present the latter method in which we have an instance of an object and we wish to determine the available attributes (again, not necessarily populated).
using System;
using System.DirectoryServices;
using System.Reflection;
DirectoryEntry searchRoot = new DirectoryEntry(
adsPath,
null,
null,
AuthenticationTypes.Secure
);
using (searchRoot)
{
DirectorySearcher ds = new DirectorySearcher(
searchRoot,
"(sAMAccountName=Ryan_Dunn)"
);
ds.SizeLimit = 1;
SearchResult sr = null;
using (SearchResultCollection src = ds.FindAll())
{
if (src.Count > 0)
sr = src[0];
}
if (sr != null)
{
using (DirectoryEntry user = sr.GetDirectoryEntry())
using (DirectoryEntry schema = user.SchemaEntry)
{
Type t = schema.NativeObject.GetType();
object optional = t.InvokeMember(
"OptionalProperties",
BindingFlags.Public | BindingFlags.GetProperty,
null,
schema.NativeObject,
null
);
if (optional is ICollection)
{
foreach (string s in ((ICollection) optional))
{
WL("Optional: {0}", s);
}
}
object mand = t.InvokeMember(
"MandatoryProperties",
BindingFlags.Public | BindingFlags.GetProperty,
null,
schema.NativeObject,
null
);
if (mand is ICollection)
{
foreach (string s in ((ICollection) mand))
{
WL("Mandatory: {0}", s);
}
}
}
}
}
This code will take the user object I find and then iterate through all the attributes defined for this object type (in this case the user object).
Tuesday, September 20, 2005
We have some new options available to us in .NET 2.0 to discover a user’s group membership. I ran into an entry on Dominick’s blog about expanding group membership using the new IdentityReference class. This technique assumes you can get a WindowsIdentity for the user you wish to expand. I previously covered two other techniques here and here.
I use yet another 3rd technique similar to this in the book that actually takes the ‘tokenGroups’ attribute for any user in AD and expands the membership using the IdentityReference. It is the most elegant of the 3 methods, IMO.
One note on Dominick’s code: a way to further optimize this is to use .Translate on the IdentityReferenceCollection so that the call is batched under the hood.
Friday, July 22, 2005
(Updated 12/11/06)
A common question often raised by new .NET developers is : what resources are available for me to learn how to program against Active Directory or other LDAP sources?
There are a number of resources available for .NET developers:
General Resources
- Directory Programming .NET - contains all the sample code from DotNevDevGuide to DS Programming and useful tools. This is probably your best bet for any .NET related questions. Check out the forums where you can get in touch with both Joe and me. Tons of sample code for .NET can found here as well in both C# and VB.NET.
- microsoft.public.adsi.general – This is a great resource and well trafficked. This is also where you should post your non-.NET related questions. C++, scripting, and *blech* VB are all fair game here. Newsgroups might not be your bag for posting… so read on.
- ADSI Yahoo Group – This discussion group has slowed down quite a bit, but is still a good avenue to find some help for ADSI and LDAP related questions. The focus tends to be on .NET, but 3rd party LDAP and other technologies are fair game.
Other Resources
Books
Tools
- It takes a little getting used to, but ldp.exe is probably the most useful tool for working with AD or ADAM. It is a no-frills and ugly tool, but definitely powerful. You can find this on most Windows 2003 servers or with the AdminPak.msi. Probably an even easier way to get it is to download ADAM and just install the tools. I rely on this tool to test my LDAP queries and bind operations first.
- Softerra makes a nice LDAP browser for free that is useful. I have not tried the commercial version that allows you to edit things, so I can’t comment on that. I wish it would support more types of binds so we can bind with our current credentials, but it works well otherwise. It does not use ADSI at all and might not support paging correctly, but it has some slick features like the ability to export objects to LDIF files with a click.
- Wireshark - formerly Ethereal - this is an awesome tool to use to sniff the underlying traffic when you just don't know what is going on. It does a great job of decoding the Kerberos and LDAP traffic into human-readable format. Highly recommended when other troubleshooting steps fail.
- Microsoft’s Err.exe tool. Used in conjunction with ldp.exe, you can very easily pinpoint the true error. No more COMException: An unknown exception has occurred.
- Beavertail – An open-source LDAP browser written in C# by Marc Scheuner. A strange name perhaps for a browser, but definitely worth a look if you want to see C# and LDAP in action.
- ADSI Browser– Another LDAP Browser, this time written in Delphi by Marc Scheuner. This one has a few more features than the Beavertail offering, but it is not open-source.
- Joe Richards has a number of free tools available that worth checking out. In particular ADFind is a must see for the command line junkie in all of us.
Friday, July 15, 2005
There is an interesting email conversation going on over on the ADSI listgroup regarding the best way to determine if an account is locked out. One of the contributors has pointed out that Microsoft has updated the schema in ADAM and Windows 2003 to include a new constructed attribute called ‘msDS-User-Account-Control-Computed’. This attribute can accurately reflect the UF_LOCKOUT flag, unlike the standard ‘userAccountControl’ using the LDAP provider. The question comes out, which is the better method?
From my last post on this topic, I introduced a method of determining if an account was locked out when we only have the user’s DirectoryEntry. This method works on all platforms, including Windows 2000. It was correctly pointed out that this particular code also had some shortcomings. Key amongst these were that it used recursion to find the ‘lockoutDuration’ for the domain. I never liked that bit of code and I originally hesitated to use it. I did it anyway just so users could see where it was located. Now, I am going to revisit this again and perhaps show a better way of finding locked accounts that works on all platforms.
//get this from RootDSE or other...
string adsPath = _defaultNamingSyntax;
//Explicitly create our SearchRoot
DirectoryEntry searchRoot = new DirectoryEntry(
adsPath,
null,
null,
AuthenticationTypes.Secure
);
//default for when accounts stay locked indefinitely
string qry = "(lockoutTime>=1)";
if (searchRoot.Properties.Contains("lockoutDuration"))
{
long lockoutDuration = LongFromLargeInteger(
searchRoot.Properties["lockoutDuration"].Value
);
DateTime lockoutThreshold = DateTime.Now.AddTicks(lockoutDuration);
Console.WriteLine(
"Threshold Lockout: {0}",
lockoutThreshold.ToString()
);
qry = String.Format(
"(lockoutTime>={0})",
lockoutThreshold.ToFileTime()
);
}
using (searchRoot)
{
DirectorySearcher ds = new DirectorySearcher(
searchRoot,
qry
);
using (SearchResultCollection src = ds.FindAll())
{
Console.WriteLine(qry);
foreach (SearchResult sr in src)
{
Console.WriteLine(
"{0} locked out at {1}",
sr.Properties["name"][0],
DateTime.FromFileTime((long)sr.Properties["lockoutTime"][0])
);
}
}
}
//decodes IADsLargeInteger objects into a FileTime format (long)
private long LongFromLargeInteger(object largeInteger)
{
System.Type type = largeInteger.GetType();
int highPart = (int)type.InvokeMember("HighPart", BindingFlags.GetProperty, null, largeInteger, null);
int lowPart = (int)type.InvokeMember("LowPart", BindingFlags.GetProperty, null, largeInteger, null);
return (long)highPart << 32 | (uint)lowPart;
}
This is just sample code here, but it should give you an idea of what to do. I put in a lot of .WriteLine statements to hopefully make clear what is occurring. This dynamically determines the lockout duration policy and performs a simple search to determine which users are still locked out. This is done is only one call to the directory and is pretty efficient (add more indices to the filter and it gets better). If you were looking for only one user, you could obviously add that into the query and depending on whether or not you got a result back, you would know if they were locked out!
Here are the caveats:
- Domain time skew can throw you off. If you need millisecond precision this might not be for you. If you can live with a few minutes drift depending on the local time where the user was locked out (any more and Kerberos would have some issues as would replication) then this is darn accurate.
- I have not tested this against ADAM – assuming that ADAM keeps its ‘lockoutDuration’ on the root of the application partition and you have set the defaultNamingContext (or manually point to it) it should work fine.
Now, what about using the ‘msDS-User-Account-Control-Computed’ attribute? It works great when you have the DirectoryEntry and you know that you are using ADAM or Windows 2003. It is also decisive, i.e. if the bit is flipped you are locked out - no questions. It has the following limitations however:
- Limited Platform support (no Windows 2000)
- Cannot be searched for directly since it is constructed attribute (bummer!)
- Requires a second call to the directory in a .RefreshCache() for each object to inspect since it is constructed. If you are checking lockout status a lot this adds up quickly.
So… which one should you use? That is completely up to you. Keep in mind the limitations of each and just pick one.
Standard Disclaimer: In the event this does not work for you… or utterly destroys your machine, I take no responsibility. This is sample code and not production ready. It has been through only limited testing, so test it yourself as well.
Monday, July 11, 2005
As I alluded to some time ago in my previous post, entitled “Enumerating Token Groups (tokenGroups) in .NET” there is another method to converting the collection of SIDs obtained from the ‘tokenGroups’ attribute.
An API is available to us that can conveniently convert all the SIDs in one call to a number of different formats for us. There is a bit of pre-work involved to define the signature, setup some structures and whatnot, but it is very slick once you have it working.
I decided that a sample would be in order to demonstrate this one. So here it is.
The usual caveats apply – this is not production code and I am an embarrassingly bad WinUI designer so give me a break. The point of this exercise is to show you how to use this particular API in a somewhat practical sample.
Enjoy. Feedback is welcomed.
Thursday, June 2, 2005
One of the great things about .NET 2.0 is the new System.DirectoryServices.ActiveDirectory namespace. It contains a plethora of previously either obscure or difficult things to do using Ds* or NetApi* API calls. I was troubleshooting a trust relationship at a client and was digging how easy this was to do in 2.0:
public static void ShowAllTrusts()
{
Domain domain = Domain.GetCurrentDomain();
int i = 0;
foreach (TrustRelationshipInformation tri in domain.GetAllTrustRelationships())
{
Console.WriteLine("Trust #{0}", ++i);
Console.WriteLine("=============================================");
Console.WriteLine(
"Source Name: {0}",
tri.SourceName
);
Console.WriteLine(
"Target Name: {0}",
tri.TargetName
);
Console.WriteLine(
"Trust Direction: {0}",
tri.TrustDirection
);
Console.WriteLine(
"Trust Type: {0}",
tri.TrustType
);
string verifiedMsg = "true";
try
{
domain.VerifyTrustRelationship(
Domain.GetDomain(
new DirectoryContext(
DirectoryContextType.Domain,
tri.TargetName
)
),
tri.TrustDirection
);
}
catch (Exception ex)
{
verifiedMsg = ex.Message;
}
Console.WriteLine(
"Verified: {0}",
verifiedMsg
);
Console.WriteLine("=============================================");
Console.WriteLine();
}
}
That took all of 5 minutest to code and test using SnippetCompiler. Very cool.
Friday, April 1, 2005
I have seen a number of techniques for enumerating a user's group in Active Directory and .NET. Here is one that seems to crop up every now and then (note, I cleaned this up so at least we were calling Dispose() on our DirectoryEntrys):
ArrayList al = new ArrayList();
using (DirectoryEntry user = new DirectoryEntry(_adsPath, _username, _password, AuthenticationTypes.Secure))
{ object adsGroups = user.Invoke("Groups");
foreach (object adsGroup in (IEnumerable)adsGroups)
{ using (DirectoryEntry group = new DirectoryEntry(adsGroup))
{ al.Add(group.Name);
}
}
}
As we can see, this one uses Reflection to grab the native IADsMembers interface. We then enumerate the groups by placing each native object into a DirectoryEntry and consuming it as we wish.
What's wrong with this method? At first glance, nothing really. Sure, it seems a little more complex than just retrieving the 'memberOf' property from the user to begin with. We also know that this will not expose the nested group relationships like enumerating the 'tokenGroup' attribute will.
No, the real issue with this is that we are at risk for a memory leak. What would happen if an error occurred right after we .Invoke() and before the foreach loop finishes? We would have left a bunch of native IADs objects in limbo. Only the DirectoryEntry has the .Dispose() pattern that will calls the appropriate Marshal.ReleaseComObject() on the native IADs object.
Developers make mistakes and this one is fraught with peril. Don't use it. Instead, enumerate the 'memberOf' attribute or 'tokenGroups' and avoid the issue.
Wednesday, March 9, 2005
The 'tokenGroups' attribute is a calculated attribute (we must use .RefreshCache() to get it) that exists for all users in Active Directory. It contains a collection of SIDs for each security group that the user is a member of. The advantage of this collection is that it only contains security groups, and it contains all security groups including nested and primary groups. The disadvantage is that it is a little bit more complicated to do anything with this attribute.
There are two methods of enumerating the tokenGroups and returning the security groups for a user. The first method is to use DsCrackNames on collection of SIDs and have the Win32 api return the groups in your choice of name formats. This is a powerful and fast method, but you will need to rely on p/invoke and setting up some structures. The other method is to build an LDAP query filter and then use the DirectorySearcher to find all the groups. This method returns a SearchResult for each group which means you could additionally retrieve more information about the group as well as does not require any p/invoke code, so it is usually more palatable for users.
Here are the steps we would take to enumerate the groups:
1.Create a DirectoryEntry to serve as the SearchRoot for our DirectorySearcher
2.Bind to our user object with another DirectoryEntry and pull the 'tokenGroups' attribute
3.Iterate over each SID in the tokenGroup and build the LDAP filter (formatting the SID bytes correctly)
4.Search the Directory with the constructed filter
5.Iterate each returned SearchResult for your information.
Here is a sample VS.NET solution in C# that demonstrates this: Enumerate Token Groups
The code for how to do this using DsCrackNames I will leave for another post. (UPDATE: See here for DsCrackNames)
Updated 3/16/2005 - I realize that not everyone feels like digging around to find their GUID to use this sample (I initially created it for someone that only had their GUID), so I revisited this so it also accepts the user's login name as well. Download the updated example
Updated 7/13/2005 – Reader “Daniel” was kind enough to point out some errors that I had in my code. I seem to have deleted my original code at some point and was recreating it from scratch… so I apparently forgot some very key things in the code. My bad! I should have tested it better. These errors have been corrected.
Friday, January 28, 2005
Experienced ADSI users might know the following fun fact about determining if a user is locked out in Active Directory: the 'userAccountControl' attribute is not the place to look. The 'userAccountControl' is a bunch of flags that determine a lot of settings on the user (or related class type) object. Here are a list of flags associated with it:
| const int UF_SCRIPT |
= 0x0001; |
| const int UF_ACCOUNTDISABLE |
= 0x0002; |
| const int UF_HOMEDIR_REQUIRED |
= 0x0008; |
| const int UF_LOCKOUT; |
= 0x0010 |
| const int UF_PASSWD_NOTREQD |
= 0x0020; |
| const int UF_PASSWD_CANT_CHANGE |
= 0x0040; |
| const int UF_TEMP_DUPLICATE_ACCOUNT |
= 0x0100; |
| const int UF_NORMAL_ACCOUNT |
= 0x0200; |
| const int UF_INTERDOMAIN_TRUST_ACCOUNT |
= 0x0800; |
| const int UF_WORKSTATION_TRUST_ACCOUNT |
= 0x1000; |
| const int UF_SERVER_TRUST_ACCOUNT |
= 0x2000; |
| const int UF_DONT_EXPIRE_PASSWD |
= 0x10000; |
| const int UF_MNS_LOGON_ACCOUNT |
= 0x20000; |
It would seem intuitive that you should use the UF_LOCKOUT and check to see if that flag was set on the 'userAccountControl'. Of course, that only works if you are using the WinNT provider. The next logical solution would be to .Invoke the ADSI 'AccountIsLocked' property using reflection. However, again, that won't work with the LDAP provider for the same reasons - internally it is using the UF_LOCKOUT flag. So the question becomes, how do I figure out if the account is locked out using the LDAP provider?
You can do this by a small calculation. You first need to inspect the user object's 'lockoutTime' attribute and determine if it is not '0' (meaning it was locked out, but reset). If it is not '0', then you need to covert that value to a DateTime object and calculate how much time has passed by inspecting the 'lockoutDuration' attribute on the 'domainDNS' class. This will tell you how long must pass before the account is automatically unlocked. Compare that to DateTime.Now and you can see if the account is still in the lockout period. Here is a sample:
private bool IsAccountLocked( DirectoryEntry user )
{
//if they have a lockoutTime
if (user.Properties.Contains("lockoutTime"))
{
long fileTicks = LongFromLargeInteger(user.Properties["lockoutTime"].Value);
//check to see if it's not already unlocked
if (fileTicks != 0)
{
//now check to see if it was automatically unlocked
DateTime lockoutTime = DateTime.FromFileTime(fileTicks);
DirectoryEntry parent = user.Parent;
while (parent.SchemaClassName != "domainDNS")
parent = parent.Parent;
long durationTicks = LongFromLargeInteger(parent.Properties["lockoutDuration"].Value);
return (DateTime.Now.CompareTo(lockoutTime.AddTicks(-durationTicks)) < 0);
}
}
return false;
}
//decodes IADsLargeInteger objects into a FileTime format (long)
private long LongFromLargeInteger( object largeInteger )
{
System.Type type = largeInteger.GetType();
int highPart = (int)type.InvokeMember("HighPart",BindingFlags.GetProperty, null, largeInteger, null);
int lowPart = (int)type.InvokeMember("LowPart",BindingFlags.GetProperty, null, largeInteger, null);
return (long)highPart << 32 | (uint)lowPart;
}The tricky part comes in when you need to basically recurse back to the domain object to find the 'lockoutDuration'. Of course, if you knew the 'lockoutDuration', and knew it would not change, you could skip this step and make the comparison directly.
Tuesday, January 18, 2005
The Primary Group in Active Directory is an interesting concept. You are assigned the 'Domain Users' group by default when your account is initially created. The Primary Group is somewhat treated differently than any other type of group in the domain.
Due to Windows 2000 Active Directory limitations, a group can hold up to 5000 members. This stems from the fact that membership is accounted for with the 'member' attribute on an AD group. Given that multi-valued attributes (MVAs) have a maximum limit of 5000 ('member' is a MVA), we can see why you typically cannot put more than 5000 users into a group. Since large domains can easily have over 5000 members, we can see that treating the Primary Group like any other type of group would not work. We would quickly run to the limit of the 'member' attribute for the Primary Group.
It was decided at some point that they would have to change how AD managed members for the Primary Group. Instead of keeping the membership on the group object itself, they would store an identifier on the user object that made it calculatable to figure out the Primary Group.
Because of the inconsistency of how the Primary Group was treated, it made it somewhat challenging to figure out what a user's Primary Group was. The WinNT: provider would enumerate all groups, but not tell you which one was the primary group. Just to be contrary, the LDAP: provider would enumerate all groups
except the Primary Group. Instead, you could enumerate the 'tokenGroups' attribute, but this would only enumerate the security groups and still not tell you which one was the Primary Group either.
To help ADSI developers, Microsoft released a couple support articles that outlined 3 ways of figuring out the Primary Group.
http://support.microsoft.com/default.aspx?scid=kb;en-us;321360 and
http://support.microsoft.com/default.aspx?scid=kb;en-us;297951These methods are still valid, but need to be adapted somewhat for .NET. The solution I will present here will be an all LDAP solution. The steps are quite simple:
1. Retrieve the user's SID in byte array format
2. Retrieve the user's Primary Group ID RID (Relative Identifier)
3. Overwrite the user's RID on their SID with the Primary Group RID
4. Construct a binding ADsPath and bind to the Directory.
In order:
1. Retrieve the user's SID in byte array format:
byte[] objectSid = user.Properties["objectSid"].Value as byte[];
2. Retrieve the user's Primary Group ID RID
//calculate the primaryGroupId
user.RefreshCache(new string[]{"primaryGroupId"});
3. Overwrite the user's RID on their SID with the Primary Group RID:
private byte[] CreatePrimaryGroupSID(byte[] userSid, int primaryGroupID)
{
//convert the int into a byte array
byte[] rid = BitConverter.GetBytes(primaryGroupID);
//place the bytes into the user's SID byte array
//overwriting them as necessary
for (int i=0; i < rid.Length; i++)
{
userSid.SetValue(rid[i], new long[]{userSid.Length - (rid.Length - i)});
}
return userSid;
}
4. Finally, construct a binding string from the returned byte[] array and bind
adPath = String.Format("LDAP://<SID={0}>", BuildOctetString(sidBytes));
DirectoryEntry de = new DirectoryEntry(adPath, null, null, AuthenticationTypes.Secure);
private string BuildOctetString(byte[] bytes)
{
StringBuilder sb = new StringBuilder();
for(int i=0; i < bytes.Length; i++)
{
sb.Append(bytes[i].ToString("X2"));
}
return sb.ToString();
}
I have created a small VS.NET 2003 project to demonstrate this. You can download the sample
here
Monday, January 3, 2005
Here is a quick and dirty way to figure out when your account (or anyone else's) will expire on the domain.
Prerequisites:
1. You must be running this from a computer joined to the domain.
2. You must be running this with valid domain credentials.
How does it work:
There is no attribute that directly holds when your password expires. It is a calculation done based on two factors - 1. When you last set your password (pwdLastSet), and 2. What your domain policy for the maximum password age (MaxPwdAge) is.
Here is a simple command line app to demonstrate how this is done:
using System;
using System.DirectoryServices;
using System.Reflection;
class Invoker
{
[STAThread]
static void Main(string[] args)
{
try
{
if (args.Length != 1)
{
Console.WriteLine("Usage: {0} username", Environment.GetCommandLineArgs()[0]);
return;
}
PasswordExpires pe = new PasswordExpires();
Console.WriteLine("Password Policy: {0} days", 0 - pe.PasswordAge.Days);
TimeSpan t = pe.WhenExpires(args[0]);
if(t == TimeSpan.MaxValue)
Console.WriteLine("{0}: Password Never Expires", args[0]);
else if(t == TimeSpan.MinValue)
Console.WriteLine("{0}: Password Expired", args[0]);
else
Console.WriteLine("Password for {0} expires in {1} days at {2}", args[0], t.Days, DateTime.Now.Add(t));
}
catch(Exception ex)
{
Console.WriteLine(ex.ToString()); //debugging info
}
}
}
class PasswordExpires
{
DirectoryEntry _domain;
TimeSpan _passwordAge = TimeSpan.MinValue;
const int UF_DONT_EXPIRE_PASSWD = 0x10000;
public PasswordExpires()
{
//bind with current credentials
using (DirectoryEntry root = new DirectoryEntry("LDAP://rootDSE", null, null, AuthenticationTypes.Secure))
{
string adsPath = String.Format("LDAP://{0}", root.Properties["defaultNamingContext"][0]);
_domain = new DirectoryEntry(adsPath, null, null, AuthenticationTypes.Secure);
}
}
public TimeSpan PasswordAge
{
get
{
if(_passwordAge == TimeSpan.MinValue)
{
long ldate = LongFromLargeInteger(_domain.Properties["maxPwdAge"][0]);
_passwordAge = TimeSpan.FromTicks(ldate);
}
return _passwordAge;
}
}
public TimeSpan WhenExpires(string username)
{
DirectorySearcher ds = new DirectorySearcher(_domain);
ds.Filter = String.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))", username);
SearchResult sr = FindOne(ds);
int flags = (int)sr.Properties["userAccountControl"][0];
if(Convert.ToBoolean(flags & UF_DONT_EXPIRE_PASSWD))
{
return TimeSpan.MaxValue; //password never expires
}
//get when they last set their password
DateTime pwdLastSet = DateTime.FromFileTime((long)sr.Properties["pwdLastSet"][0]);
if(pwdLastSet.Subtract(PasswordAge).CompareTo(DateTime.Now) > 0)
{
return pwdLastSet.Subtract(PasswordAge).Subtract(DateTime.Now);
}
else
return TimeSpan.MinValue; //already expired
}
private long LongFromLargeInteger(object largeInteger)
{
System.Type type = largeInteger.GetType();
int highPart = (int)type.InvokeMember("HighPart",BindingFlags.GetProperty, null, largeInteger, null);
int lowPart = (int)type.InvokeMember("LowPart",BindingFlags.GetProperty, null, largeInteger, null);
return (long)highPart << 32 | (uint)lowPart;
}
private SearchResult FindOne(DirectorySearcher searcher)
{
SearchResult sr = null;
using (SearchResultCollection src = searcher.FindAll())
{
if(src.Count>0)
{
sr = src[0];
}
}
return sr;
}
}
Wednesday, December 22, 2004
I remember Joe Kaplan telling me one time that there was a memory leak when using the .FindOne() method of the DirectorySearcher. I also believe Max Vaughn from MS told me the same thing, now that I think about it. I decided to dig a little bit more into this and figure out what was actually wrong. It turns out that this bug will only really affect you when you are doing a lot of searches and not finding any results. That's right, I said
not finding any results. A quick look using Reflector and we can see why this is:
public SearchResult FindOne()
{
SearchResultCollection collection1 = this.FindAll(false);
foreach (SearchResult result1 in collection1)
{
collection1.Dispose();
return result1;
}
return null;
}
As you can see, the .Dispose() is only called when at least one SearchResult is found. If no SearchResult is found, then the SearchResultCollection hangs onto its unmanaged resource. What's the fix? It is a pretty simple fix actually - just make sure you always call .Dispose() on your SearchResultCollection by using the .FindAll() method instead:
public static SearchResult FindOne( DirectorySearcher ds )
{
SearchResult sr = null;
using (SearchResultCollection src = ds.FindAll())
{
if (src.Count > 0)
{
sr = src[0];
}
}
return sr;
}
Note, for those unfamiliar with C# syntax, the 'using' statement will call .Dispose() in a try/finally manner at the last brace.