Example of ASP LDAP query string? 14

[MikeBronner]

Could someone post an example of ASP code used to query LDAP without any proprietary components?

Thanks! Take Care,
Mike

 

[pReverend]

How secure is this method? I'm using it for an intranet site that might have a need to move through an approval proceedure and I want to make sure it will be secure. Is there any way to spoof that server variable. I can't see how...but I want to check.

Thanks

 

[zcolton]

I believe GC access is read only

 

[pReverend]

no...I meant is there any way to spoof the server variables...like "auth_user". I can't hink of any but I'm not an expert.

 

[zcolton]

What do you mean by "spoof the server variables"?

 

[pReverend]

I mean is there any way to send false identification to the server so that the server variable "auth_user" is read as another account?

 

[peacecorp]

Zcolton i have a question.

the code that u gave me if i try to run locally on my computer it says

Error Type:
Provider (0x80040E37)
Table does not exist.

what does this mean? im such a newb

 

[zcolton]

pReverend: I am not sure if that can be done.

peacecorp: These pages need to run on a web server. If you have a web server running on your machine and the machine is a domain member it should work.

 

[peacecorp]

i turned off anonymous authentication and checked on intergrated windows authentication.

i still get a error

Error Type:
Provider (0x80040E37)
Table does not exist.

its erroring on the line:
Set rs = Com.Execute

 

[zcolton]

Try this code first:
If your webserver can access your domain this should show you your domain name

<%@ Language=VBScript %>
<%
Option Explicit
Dim objADsPath,objDomain
%>
<html>
<head>
</head>
<body>
<%
Set objDomain = GetObject ("GC://RootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Response.Write objADsPath & "<BR>"
%>
</body>
</html>

 

[peacecorp]

domain works, and username sorta i did a test on it and that is fine. i even outputed teh com.CommandText and it looks flawless. just when it tries to do execute it doesnt work

sample output of ur original code minus the com.execute and on. i also changed it to output the commandText

output
---------------------------------------------
NTam
DC=sandc,DC=ws
select name,telephonenumber,mail from 'GC://DC=sandc,DC=ws' where sAMAccountname='NTam'

 

[zcolton]

Are you running the latest version of MDAC on the server?

 

[peacecorp]

what version would i need to have? and how can i check?

 

[zcolton]

I found your problem. Turn off Integergrated Windows authentication and try basic. Let me know if that works.

 

[zcolton]

OR --- You will need to hard code a domain account and password that has access to active directory:
That is what I usually do. I created a very low level domain account that as no access real network access except reading the active directory. If you plan on using this web pages in an intranet, with domain users logged in the access theses pages, that might be the easiest method for you.

<%@ Language=VBScript %>
<%
Option Explicit
Dim strUsername,con,rs,Com,objADsPath,objDomain,name,telephonenumber,mail
%>
<html>
<head>
</head>
<body>
<%
strUsername = Request.ServerVariables("auth_user")
strUserName = Right(strUserName, Len(strUserName) - InStrRev(strUserName, "\"))
Set objDomain = GetObject ("GC://rootDSE")
objADsPath = objDomain.Get("defaultNamingContext")
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection")
con.provider ="ADsDSOObject"
 con.Properties("User ID") = "some user name"
 con.Properties("Password") = "the password"
 con.Properties("Encrypt Password") = False
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command")
Set Com.ActiveConnection = con
Com.CommandText ="select name,telephonenumber,mail FROM 'GC://"+objADsPath+"' where sAMAccountname='"+strUsername+"'"
Set rs = Com.Execute
name=rs("name")
telephonenumber=rs("telephonenumber")
mail=rs("mail")
rs.Close
con.Close
Set rs = Nothing
Set con = Nothing
response.write name&"<br>"
response.write telephonenumber&"<br>"
response.write mail&"<br>"
%>
</body>
</html>

 

[peacecorp]

ok im gonna work with these 2 possible solutions and i will tell u how it goes later today thanks

 

[peacecorp]

Hey,

ok i tested things in steps:
STEP 1: WORKS fine
<%@ Language=VBScript %>
<%
Option Explicit
Dim strUsername,con,rs,Com,objADsPath,objDomain,name,telephonenumber,mail
%>
<html>
<head>
</head>
<body>
<%
strUsername = Request.ServerVariables("auth_user&quot
response.write strUsername&"<br>"
strUserName = Right(strUserName, Len(strUserName) - InStrRev(strUserName, "\&quot)
Set objDomain = GetObject ("GC://rootDSE&quot
objADsPath = objDomain.Get("defaultNamingContext&quot
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection&quot
con.provider ="ADsDSOObject"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command&quot
Set Com.ActiveConnection = con

response.write strUsername&"<br>"
response.write objADsPath&"<br>"

Com.CommandText ="select name,telephonenumber,mail FROM 'GC://"+objADsPath+"'

where sAMAccountname='"+strUsername+"'"


%>
</body>
</html>

STEP 2: i get a 500 http error

<%@ Language=VBScript %>
<%
Option Explicit
Dim strUsername,con,rs,Com,objADsPath,objDomain,name,telephonenumber,mail,WshShell
%>
<html>
<head>
</head>
<body>
<%

strUsername = Request.ServerVariables("auth_user&quot
response.write strUsername&"<br>"
strUserName = Right(strUserName, Len(strUserName) - InStrRev(strUserName, "\&quot)
Set objDomain = GetObject ("GC://rootDSE&quot
objADsPath = objDomain.Get("defaultNamingContext&quot
Set objDomain = Nothing
Set con = Server.CreateObject("ADODB.Connection&quot
con.provider ="ADsDSOObject"
con.open "Active Directory Provider"
Set Com = CreateObject("ADODB.Command&quot
Com.ActiveConnection = con
Set rs = Server.CreateObject("ADODB.Recordset&quot


response.write strUsername&"<br>"
response.write objADsPath&"<br>"

Com.CommandText ="select name,telephonenumber,mail from 'GC://"+objADsPath+"'where sAMAccountname='"+strUsername+"'"

response.write Com.CommandText&"<br>"


Set rs = Com.Execute
name=rs("name&quot
telephonenumber=rs("telephonenumber&quot
mail=rs("mail&quot
rs.Close
con.Close
Set rs = Nothing
Set con = Nothing

response.write name&"<br>"
response.write telephonenumber&"<br>"
response.write mail&"<br>"

%>
</body>
</html>


Is it possible that the com.CommandText = "..."
is some how not correct?

 

[zcolton]

There should be a space before the "WHERE" in the Com.Commandtext

 

[peacecorp]

i tried it again....but it still gives teh same error.

Is it possible that the com.CommandText = "..."
is some how not correct?

like my domain is correct i asked my network admin and it contains all teh correct data could it be the values its trying to get like name, telephonenumber, mail?

 

[zcolton]

To get a more specific error message turn off friendly error messages in IE. It's under the advanced tab. That might give us better insight as to why it is not working.

 

[peacecorp]

this is my error message:

TORONTO\NTam
NTam
DC=sandc,DC=ws
select name,telephonenumber,mail from 'GC://DC=Toronto,DC=sandc,DC=ws' where sAMAccountname='NTam'

Provider error '80040e37'

Table does not exist.

/helpdesk/test2.asp, line 34


the first 4 lines are just output....i had to hardcode part of the domain name