Search Active Directory for Membership (LDAP?)

[ahmun]

I currently have a secure section oJohn Doef my intranet, protected by an Active Directory Security Group, that I only want a select few users to even know it exists (the members of that group). One way I've been keeping others out is a little bit of script at the beginning of the file that redirects the user away if their name isn't found in a hard-coded list compared against the current REMOTE_USER Server Variable.

I'd like to integrate this with Active Directory so I don't have to keep going back to that hard-coded list to add/delete users as the list of admins changes.

I have found some GREAT resources on the web as well as Tek-tip posts that led me to trying to query Active Directory to check for group membership, but I'm still stuck.

Here's my bottleneck:
The only input I have is the windows logon ID from the REMOTE_USER Server Variable (say in this case, the person's name is John Doe and our company standardizes with lastnameFirstInitial as the user name convention: [blue]doej[/blue]).

The following Code accesses Active Directory and looks up the user:

Set objADUser = GetObject("LDAP://CN=John Doe,CN=Users,DC=MyDomain,DC=com")

I'm stuck at how I can use [blue]doej[/blue] which I got from the Request.ServerVariables command. I never ask for a user's first and last name (and I don't want to depend on them to spell it right), and when I try to use [blue]doej[/blue] instead of the full name (John Doe), I get an error.

Does anybody have more experience in accessing Active Directory via ASP who can help me out here?

Here are some resources I've used to get me where I am now... Look here first, and if you think you need to see my code, I can copy paste that later. (just wanted to keep the post lenght down...)

thread333-532861

http://www.rlmueller.net/Programs/IsMember6.txt

Earnie Eng

 

[ahmun]

heh... sorry about the typo... must have been my eyes fuzzing out when copy/pasting...



Earnie Eng

 

[ahmun]

Ok... You experts and guru's out there probably think this is a small victory... but I'm dancin...

I've figured out how to access objects from Active Directory with ASP 3.0 on IIS 5 and here are the results (the comments should unfold the story):

For those who will take the time to look things over, I do have a few questions:
[ul][li]The process seemed slow when I ran it... is there a way to directly query Active Directory with the username as criteria instead of the common name (First Last)?[/li]
[li]I don't know how to catch errors in VBscript... any resources on that?[/li]
[li]Would it be safe to say this is the right track to more in-depth manipulation/querying of Active Directory elements via ASP?[/li]
[li]What kind of resources can I find out there that are helpful?[/li][/ul]

[blue][gray]
'*******************************************************************************************
'Function isMember
'Author: Earnie Eng
'Date: Feb 15, 2005
'Purpose: Determins if a user (windows logon account) is a member of a 
'         Windows Security Group
'
'Inputs:  Windows Logon Account User ID, Windows Security Group Name
'
'Version 1.0, 2/15/05: There is no error handling if the given Security Group
'         does not exist.  This function is designed to use the 
'         sAMAccountName attribute of an Active Directory User for comparison
'         since this is the variable readily available from 
'         Request.ServerVariables("REMOTE_USER") under IIS 5.0 with annonymous
'         access to the file turned off in IIS settings.[/gray]
Function isMember(strUser, strGroup)
  Dim objGroup, objUser, blnIsMember

  blnIsMember = False
  [gray]'Retrieve the group from Active Directory[/gray]
  set objGroup = GetObject("LDAP://CN=" & strGroup & ",CN=Users,DC=hswcc,DC=com")
	
  [gray]'iterate through the group's members[/gray]
  for each objMember in objGroup.Member
    [gray]'Retrieve the User from Active Directory by using the Common name (usually First Last)[/gray]
    Set objUser = _
      GetObject("LDAP://CN=" & ExtractCommonName(objMember) & ",CN=Users,DC=hswcc,DC=com")
    [gray]'compare the unique sAMAccountName with the username given[/gray]
    if objUser.sAMAccountName = strUser then
      blnIsMember = True
      exit for
    end if
    Set objUser = nothing
  next
	
  [gray]'return true or false[/gray]
  isMember = blnIsMember
End Function

[gray]'*******************************************************************************************
'Function ExtractCommonName
'Author: Earnie Eng
'Date: Feb 15, 2005
'Purpose: Extracts the actual user name (First Last) from the members property 
'         in an Active Directory Group[/gray]
Function ExtractCommonName(strCN)
  ExtractCommonName = Mid(strCN, 4, InStr(strCN, ",CN")-4)
End Function

[gray]'usage, I test for three different security groups[/gray]
strRemoteUser = _
  mid(request.ServerVariables("REMOTE_USER"),(InStrRev(request.ServerVariables("REMOTE_USER"),"\") + 1))
if isMember(strRemoteUser, "PhonelistAdmins") then response.Redirect("Admin_PhoneList.asp)
if isMember(strRemoteUser, "ContentAdmins") then response.Redirect("Admin_Content.asp)
if isMember(strRemoteUser, "ClaimsAdmins") then response.Redirect("/Claims/Secure/")

[/blue]

Earnie Eng

 

[ahmun]

Arrrggg... I ran some windows updates to the web server, and now the code doesn't work...

Error Message:
Microsoft VBScript runtime error '800a01b6'

Object doesn't support this property or method: 'objUser.sAMAccountName'

/admin_redirector.asp, line 30

Line 30 is the very last If Statement in the isMember function of the code example in my previous post. I figured out a way around this by using the .mail property of objUser, which contains the same name as the REMOTE_USER and changed my if comparison to:

if instr(lcase(objUser.mail), lcase(strUser)) > 0 then

But now I'm worried and confused as to why it worked one time, and after a server reboot (twice) it doesn't work.

using the mail attribute worked but if anyone can shed some light on what caused the error I would appreciate that VERY much, as I don't want to have to get in and monkey around with the code at random hours of the day because one line of code decides to work one day and not the next...

Earnie Eng

 

[Tarwn]

Argh, If I had caught this earlier while I was still at work I could have pasted a script I wrote not to long ago that does this I can remember the .Net version off the top of my hea, but not the VBScript/COM method.

One method is to use a Recordset to do your search, as this will allow you to apply filters (for example against a particular SAMAccountName). Basically you set your Connection provider to ADsDSOObject then call the open command with the name of your actual AD server. At this point you can then use the Execute method to query, something like:
"SELECT samAccountName FROM 'yourPathHere' WHERE objectClass='user' AND samAccountName = '" & yourAcctNameVarHere & "'"

This of course returns a recordset that you can treat just as if you did a database query. Ther are several more layers available to this, i think MS has some articles on it, though you should probably get some good hits on a search for ADSI and ADO.

The other method is to append a filter to your GetObject call. I'm a little more fuzzy on this one as the COM and .net methods were close but not exact,m so without one or the other in front of me I can't remember off the top of my head where one starts and the other ends

I believe you should be able to put a more qualified search expression into your GetObject call, somehting like:
LDAP://CN=whatever,DC=wherever,DC=com;(&(objectClass=Person)(SAMAccountName=jsmith))
Unfortunatly what I don't remember is if this was only supported when I was using the .Net objects or also when I was using COm objects from VBScript (and to make things more confusing I also was doing some Python and OpenLDAP calls last week too )

Anyways, hope I may have procided a few directions to look or maybe sparked someone elses memory, sorry I couldnt be more helpful,

-T

 

[ahmun]

After some search of MSDN, I found some promising leads, but am having trouble with syntax:

http://msdn.microsoft.com/library/d...n-us/adsi/adsi/searching_active_directory.asp

Tarwin... or anyone out there who has attempted this... can you shed some light on my error here?

Dim myConnection, myRS, sSQL
Set myConnection = Server.CreateObject("ADODB.Connection")
myConnection.Provider = "ADsDSOObject"
myConnection.Properties("User ID") = "####"
myConnection.Properties("Password") = "####"
myConnection.open
sSQL = "SELECT sAMAccountName FROM 'LDAP://CN=" & _
  Request.Form("strGroup") & ",CN=Users,DC=domain,DC=com';"
set myRS = myConnection.execute(sSQL)

the Request.Form is the group name I'm qureying.

the error:
Provider error '80040e14'

One or more errors occurred during processing of command.

/temp/testActiveDirectoryisMember.asp, line 182

Line 182 is where I attempt to open the recordset.

Earnie Eng

 

[Tarwn]

I think you need to specify the LDAP/ADSI server's name in your Open call:

myConnection.open "myLDAPServer"

Otherwise there would have to be to much magic involved in finding it

-T

 

[ahmun]

I'm still having trouble...

The biggest challenge is not having any reference material to look at. Can someone point me to a good resources on how to interface with Windows 2k server to access its active directory in ASP 3.0 under IIS 5 where the web server is different than the domain controller w/ active directory?

Here are some sites I've been trying to rip code off of based on some google searches on LDAP, ADO... but I can't seem to make heads or tails of it or adapt the example code to what I'm trying...

http://www.4guysfromrolla.com/webtech/041800-1.shtml

http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

http://www.rlmueller.net/

http://msdn.microsoft.com/library/d...i/searching_with_activex_data_objects_ado.asp

I'm coming from a flying-at-the-seat-of-your-pants approach with no formal knowlege of Active Directory... Is anyone willing to scratch their heads and point me in the right direction?


Earnie Eng

 

[bslintx]

Earnie,

This how I connect to AD db to auto populate forms...of course you have to be in the OU for it to work

<%
 set strSysInfo = CreateObject("ADSystemInfo")
 Set CrUser = GetObject("LDAP://" & strSysInfo.Username & "")
 set WShell = CreateObject("WScript.Shell")


 strFirstName = CrUser.givenName
 strLastName = CrUser.sn
 strEmail = CrUser.mail
%>