How do you do a query of an LDAP store by sAMAccountName and Domain? What is the "domain" property named in Active Directory or LDAP terms?
This is what I have for the filter so far. I'd like to be able to add in the domain:
(&(objectCategory=Person)(sAMAccountName=BTYNDALL))
-
You have to perform your search in the domain:
http://msdn.microsoft.com/en-us/library/ms677934(VS.85).aspx

So, basically, you should bind to a domain in order to search inside this domain.
-
If you're using .NET, use the DirectorySearcher class. You can pass in your domain as a string into the constructor.
using System.DirectoryServices;

// if your domain is domain.com...
string username = "user";
string domain = "LDAP://DC=domain,DC=com";
// The string overload of the DirectorySearcher constructor takes a filter, not a path;
// the search root must be a DirectoryEntry bound to the domain.
DirectorySearcher search = new DirectorySearcher(new DirectoryEntry(domain));
search.Filter = "(SAMAccountName=" + username + ")";

tyndall: So let's say my login is COMPANY\BTYNDALL. How do I just assume that the LDAP string is going to be LDAP://DC=company,DC=com? Because in my case this would be wrong; the last DC is DC=net. Is there any way to look up "short domains" in AD and get the longer LDAP one?

tyndall: Or do I just have to build a lookup table in my app?

Dscoduc: See my answer below...

-
"Domain" is not a property of an LDAP object. It is more like the name of the database the object is stored in.
So you have to connect to the right database (in LDAP terms: "bind to the domain/directory server") in order to perform a search in that database.
Once you have bound successfully, your query in its current shape is all you need.

BTW: Choosing "ObjectCategory=Person" over "ObjectClass=user" was a good decision. In AD, the former is an "indexed property" with excellent performance; the latter is not indexed and a tad slower.

benPearce: For querying users in AD I like to use sAMAccountType=805306368, as this narrows your search specifically and is fast.

-
First, modify your search filter to only look for users and not contacts:
(&(objectCategory=person)(objectClass=user)(sAMAccountName=BTYNDALL))

You can enumerate all of the domains of a forest by connecting to the configuration partition and enumerating all the entries in the Partitions container. Sorry, I don't have any C# code right now, but here is some VBScript code I've used in the past:

' Bind to RootDSE to find the configuration naming context of this forest
Set objRootDSE = GetObject("LDAP://RootDSE")
' ADO connection and command through the AD OLE DB provider
Set AdConn = CreateObject("ADODB.Connection")
AdConn.Provider = "ADsDSOObject"
AdConn.Open "Active Directory Provider"
Set AdComm = CreateObject("ADODB.Command")
Set AdComm.ActiveConnection = AdConn
AdComm.Properties("Sort on") = "name"
' crossRef objects with systemFlags=3 are the domain partitions of the forest
AdComm.CommandText = "<LDAP://cn=Partitions," & _
    objRootDSE.Get("ConfigurationNamingContext") & ">;" & _
    "(&(objectcategory=crossRef)(systemFlags=3));" & _
    "name,nCName,dnsRoot;onelevel"
Set AdRs = AdComm.Execute

From that you can retrieve the name and dnsRoot of each partition:

AdRs.MoveFirst
With AdRs
    While Not .EOF
        ' dnsRoot is multi-valued, so take the first element
        dnsRoot = .Fields("dnsRoot").Value
        Set objOption = Document.createElement("OPTION")
        objOption.Text = dnsRoot(0)
        objOption.Value = "LDAP://" & dnsRoot(0) & "/" & .Fields("nCName").Value
        Domain.Add(objOption)
        .MoveNext
    Wend
End With

Dscoduc: The 'With' and 'While' statements look hideous. I think I wrote this a long time ago and haven't needed to update it since it just worked...

tyndall: +1 and answer. This is the kind of thinking I was looking for. Thanks.

Dscoduc: Thanks, I'm glad it helped...
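The two ideas on this page (the .NET answer that concatenates a username straight into a filter, and the last answer that enumerates crossRef entries to map a short domain to its naming context) can be demonstrated without a directory server. The following is an added example written for this page, not code from any of the answers above; it is in Python rather than C#/VBScript so it runs offline. The crossRef rows are constructed sample data, and the assumption that a domain crossRef's `name` attribute is the NetBIOS name used in `COMPANY\BTYNDALL` logons is taken from the last answer. It also shows the check the .NET snippet lacks: values spliced into a filter are escaped per RFC 4515, so a username containing `)` or `*` cannot change the filter's meaning.

```python
# Constructed sample data standing in for the crossRef entries that the
# VBScript query "(&(objectcategory=crossRef)(systemFlags=3))" would return.
# These are not real domains.
SAMPLE_CROSSREFS = [
    {"name": "COMPANY", "nCName": "DC=company,DC=net", "dnsRoot": "company.net"},
    {"name": "SUB", "nCName": "DC=sub,DC=company,DC=net", "dnsRoot": "sub.company.net"},
]

# RFC 4515 escapes for characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever match as a literal inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name: str) -> str:
    """The user-only filter from the last answer, with the value escaped."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(sam_account_name)}))"
    )


def dns_root_to_dn(dns_root: str) -> str:
    """Derive the DC=... naming context from a DNS name (company.net -> DC=company,DC=net)."""
    return ",".join(f"DC={label}" for label in dns_root.split("."))


def build_domain_lookup(crossrefs):
    """Map each partition's NetBIOS name (assumed to be the crossRef 'name')
    to an LDAP path rooted at its naming context, as the VBScript builds it."""
    return {
        entry["name"].upper(): f"LDAP://{entry['dnsRoot']}/{entry['nCName']}"
        for entry in crossrefs
    }


def split_down_level_logon(logon: str):
    """Split 'COMPANY\\BTYNDALL' into ('COMPANY', 'BTYNDALL'); reject malformed input."""
    domain, sep, user = logon.partition("\\")
    if not sep or not domain or not user:
        raise ValueError(f"expected DOMAIN\\user, got {logon!r}")
    return domain.upper(), user


def resolve_search(logon: str, crossrefs=SAMPLE_CROSSREFS):
    """Return (search root path, filter) for a DOMAIN\\user logon, or raise KeyError
    if the short domain is not one of the forest's partitions."""
    domain, user = split_down_level_logon(logon)
    lookup = build_domain_lookup(crossrefs)
    if domain not in lookup:
        raise KeyError(f"unknown domain {domain!r}")
    return lookup[domain], build_user_filter(user)


if __name__ == "__main__":
    root, flt = resolve_search("COMPANY\\BTYNDALL")
    print(root)  # search root to bind to
    print(flt)   # filter to run under that root
```

In a real deployment the `SAMPLE_CROSSREFS` list would be filled from the Partitions container exactly as the VBScript above does, and the returned path and filter would be handed to the directory client; the lookup table the question asks about is then maintained by the forest itself rather than by the application.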