can a user be part of multiple subtree in a (Ldap based) Directory Service instance ?

Question

Hi, I am pretty new to the ldap based directory service programming using .net framework; hence have a basic silly question.

I would like to find out the all sub trees a particular user belongs to using System.DirectoryServices.Protocol.

First of all , Can a User be part of the multiple Sub Trees in “a” directory service instance? If yes, then how can I find all the sub trees that a particular user belongs to using “System.DirectoryServices.Protocol “ namespace?

If a user belongs to “only” a particular sub tree, then I guess I can find all the DN of the sub tree from the DN of the user. Please let me know if there is any other efficient way?

Update:

Thanks you guys for your quick replies. To be specific about my question , given this is DN of my user object - “uid=DaffyD,OU=Ducks,OU=People,O=A “ , whether can it exist in other OU directly or indirectly? E.g. can “OU=Ducks” be part of any other OU than “People”?

Then my next question, without doing some kind of string manipulation of user’s DN , can I somehow find the names of parent nodes’ DN that this user using System.DirectoryService.Protocol efficiently?

Regards,

Adil

Answer 1

I'm not sure what you mean by a user "belonging" to a subtree. A user object will exist in a single path in the directory, and its DN will tell you what that path is (in practice, it's vice versa: you know the DN and then find the object). This is the whole point of the DN == distinguished name: to uniquely name objects.

Of course, a user can belong to multiple groups (as a feature of Active Directory); those groups are spread over the directory. Not sure whether you also referred to groups when using the word "belong".

Edit: as any kind of user object can only have a single parent OU, likewise, each OU can have only a single parent container (typically O or OU). The entire directory forms a tree, no node can have two parents.

The framework only processes DNs as strings. However, there are third-party DN parser libraries available.

Answer 2

This is based solely on my experience with Active Directory - but I would assume other LDAP directories will handle it similarly:

No, a user exists only once and therefore can only be located in one single container (typically an OrganizationalUnit). There's no concept of "symbolic links" to users, as far as I know.

And why would you really want a user to exist in multiple places anyway??

If you want the user to be part of several subtrees in order to handle permissions, you're doing it all wrong - you shouldn't base your decisions whether or not to permit some user a given operation on his "location" in the LDAP hierarchy, but rather on group membership.

LDAP groups are what are intended to handle permissions, and a user can be member of any number of groups - there you have your 1:n relationship - user can be member of groups, and those groups are responsible for handling permissions.

Marc