views:

18235

answers:

4

How do you do a query of an LDAP store by sAMAccountName and Domain? What is the "domain" property named in Active Directory or LDAP terms?

This is what I have for the filter so far. I'd like to be able to add in the domain:

(&(objectCategory=Person)(sAMAccountName=BTYNDALL))
+2  A: 

You have to perform your search in the domain:

http://msdn.microsoft.com/en-us/library/ms677934(VS.85).aspx So, basically you should bind to a domain in order to search inside this domain.

lkurts
+2  A: 

If you're using .NET, use the DirectorySearcher class. You can pass in your domain as a string into the constructor.

// if your domain is domain.com...
using System.DirectoryServices;

string username = "user";
string domain = "LDAP://DC=domain,DC=com";
// the string constructor of DirectorySearcher takes a filter, so the domain path goes in as the search root
DirectorySearcher search = new DirectorySearcher(new DirectoryEntry(domain));
// a username that comes from user input should be escaped (RFC 4515) before it is concatenated into the filter
search.Filter = "(SAMAccountName=" + username + ")";
Aaron Daniels
So let's say my login is COMPANY\BTYNDALL. How do I just assume that the LDAP string is going to be LDAP://DC=company,DC=com? Because in my case this would be wrong; the last DC is DC=net. Is there any way to look up "short domains" in AD and get the longer LDAP one?
tyndall
or do I just have to build a lookup table in my app?
tyndall
See my answer below...
Dscoduc
+4  A: 

"Domain" is not a property of an LDAP object. It is more like the name of the database the object is stored in.

So you have to connect to the right database (in LDAP terms: "bind to the domain/directory server") in order to perform a search in that database.

Once you have bound successfully, your query in its current shape is all you need.

BTW: Choosing "ObjectCategory=Person" over "ObjectClass=user" was a good decision. In AD, the former is an "indexed property" with excellent performance, the latter is not indexed and a tad slower.

Tomalak
For querying users in AD I like to use sAMAccountType=805306368, as this narrows your search specifically and is fast.
benPearce
+2  A: 

First, modify your search filter to only look for users and not contacts:

(&(objectCategory=person)(objectClass=user)(sAMAccountName=BTYNDALL))

You can enumerate all of the domains of a forest by connecting to the configuration partition and enumerating all the entries in the partitions container. Sorry I don't have any C# code right now but here is some vbscript code I've used in the past:

Set objRootDSE = GetObject("LDAP://RootDSE")
' Open an ADO connection through the ADSI OLE DB provider and attach a command to it
Set AdConn = CreateObject("ADODB.Connection")
AdConn.Provider = "ADsDSOObject"
AdConn.Open "Active Directory Provider"
Set AdComm = CreateObject("ADODB.Command")
Set AdComm.ActiveConnection = AdConn
AdComm.Properties("Sort on") = "name"
' Query the Partitions container of the configuration partition for domain crossRef entries
AdComm.CommandText = "<LDAP://cn=Partitions," & _
    objRootDSE.Get("ConfigurationNamingContext") & ">;" & _
        "(&(objectcategory=crossRef)(systemFlags=3));" & _
            "name,nCName,dnsRoot;onelevel"
Set AdRs = AdComm.Execute

From that you can retrieve the name and dnsRoot of each partition:

' Document and Domain are assumed to be the HTA page and its <select> element named "Domain"
AdRs.MoveFirst
With AdRs
  While Not .EOF
    dnsRoot = .Fields("dnsRoot")   ' dnsRoot is multi-valued, so it comes back as an array

    Set objOption = Document.createElement("OPTION")
    objOption.Text = dnsRoot(0)
    objOption.Value = "LDAP://" & dnsRoot(0) & "/" & .Fields("nCName").Value
    Domain.Add(objOption)
    .MoveNext
  Wend
End With
Dscoduc
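Putting the two pieces together (the DirectorySearcher answer above and the partition enumeration in this answer), here is an added Python example that is not from the question or either answer: it takes a COMPANY\BTYNDALL style login, resolves the short domain to the partition's dnsRoot and nCName, and builds the LDAP path plus a properly escaped filter. The crossRef rows are constructed stand-ins for what the Partitions query returns (the nETBIOSName attribute on crossRef objects is real AD, but the values here are invented), and the function names are my own.

```python
# Constructed stand-in for the rows the partitions-container query returns
# (crossRef objects with systemFlags=3). In a real forest these come from
# LDAP://cn=Partitions,<ConfigurationNamingContext>; the values are invented.
CROSSREFS = [
    {"name": "COMPANY", "nETBIOSName": "COMPANY",
     "dnsRoot": "company.net", "nCName": "DC=company,DC=net"},
    {"name": "CORP", "nETBIOSName": "CORP",
     "dnsRoot": "corp.company.net", "nCName": "DC=corp,DC=company,DC=net"},
]

# RFC 4515 escaping for values placed inside a search filter, so a login such
# as "a*)(b" cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_login(login: str):
    """Split DOMAIN\\user (or user@dns.root) into (domain, user)."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif "@" in login:
        user, _, domain = login.partition("@")
    else:
        raise ValueError("login must be DOMAIN\\user or user@domain")
    if not user or not domain:
        raise ValueError("empty domain or user in login")
    return domain, user


def resolve_domain(domain: str, crossrefs=CROSSREFS):
    """Map a NetBIOS name or DNS root to the partition's (dnsRoot, nCName)."""
    key = domain.lower()
    for ref in crossrefs:
        if key in (ref["nETBIOSName"].lower(), ref["dnsRoot"].lower()):
            return ref["dnsRoot"], ref["nCName"]
    raise LookupError(f"no partition found for domain {domain!r}")


def build_user_search(login: str, crossrefs=CROSSREFS):
    """Return (ldap_path, filter) for looking up the user behind a login."""
    domain, user = split_login(login)
    dns_root, nc_name = resolve_domain(domain, crossrefs)
    path = f"LDAP://{dns_root}/{nc_name}"
    filt = ("(&(objectCategory=person)(objectClass=user)"
            f"(sAMAccountName={escape_filter_value(user)}))")
    return path, filt


if __name__ == "__main__":
    for login in ("COMPANY\\BTYNDALL", "btyndall@corp.company.net", "a*)(b@company.net"):
        path, filt = build_user_search(login)
        print(login, "->", path, filt)
```

The lookup is deliberately keyed on both nETBIOSName and dnsRoot so UPN-style logins work too; an unknown short name raises instead of guessing a DC= path from it, which is exactly the mistake the question was worried about.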
The 'With' and 'While' statements look hideous. I think I wrote this a long time ago and haven't needed to update it since it just worked...
Dscoduc
+1 and answer. This is the kind of thinking I was looking for. Thanks.
tyndall
Thanks, I'm glad it helped...
Dscoduc