Re: General questions about LDAP, GC and access permissions
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 10 Jul 2007 11:11:44 -0500
There is a lot of detail on this topic in my book that might be helpful to
you. See the link in the sig.
I'd also suggest asking follow up questions in the
microsoft.public.adsi.general group, as that is where most of the dev/AD
questions go. Also, it isn't clear to me if you need to write to AD (do
provisioning work) or if your app is read only. If read only, what do you
really need to read?
I'll try to answer your questions below inline:
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"UncleRedz" <UncleRedz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6E64CAD5-4C7E-4412-BF5A-77798E1BCD4D@xxxxxxxxxxxxxxxx
Hi,
I'm a .NET C# developer so I haven't had the opportunity to get my hands
dirty in the details of how AD actually works, but now that I have to make a
service communicate with AD, I need to figure some things out... resulting in
a number of newbie questions.
The scenario is this: our service will likely be running as "LOCAL SYSTEM",
on a machine that is part of a domain. When a user accesses the service (using
Windows Communication Foundation) they are authenticated with the regular
Windows authentication. The service then needs to look up what permissions this
user has; this is done by examining what groups the user is a member of.
Since the regular Windows authentication is used, I know that the user
accessing the service is a valid user, either a local machine user, a domain
user or a user from a trusted domain. If an invalid username, password or domain
were used, the Windows authentication would prevent the user from accessing
the service.
This results in a number of questions,
1. Can anyone access the Active Directory? Or must the accessing user be a
member of the domain?
Generally, AD 2003 does not allow unauthenticated users to perform any
operations (you'll get an "operations error" message if you try), so that
basically means that only users who can be authenticated can perform
operations. This means that the user must be in the same forest or a
trusted domain in an external forest.
Typically, authenticated users have permissions to see most of the objects
in AD by default, although this can be changed.
2. Is the "LOCAL SYSTEM" user a part of the domain or only a local user?
Local System and Network Service use the machine account when accessing the
network, so on a domain member machine they will use the domain account of
the machine in AD for accessing the directory. It typically has permissions
to read most objects as well.
(Related to question 1.)
3. Should I use LDAP or GC (Global Catalog)? (Provided that the GC entries
contains the required information.)
It depends. If you need to find stuff in multiple domains in the same
forest, the GC is probably the way to go (although phantom root queries are
useful here as well). If there is only one domain in the forest, you might
as well use LDAP. If you do need to search across multiple domains but the
data you need isn't in the GC, then you'll probably need to use both (or use
phantom root).
4. Is LDAP and/or GC something that may or may not be enabled in Active
Directory?
All DCs support LDAP. Any given DC may or may not be a GC. The best thing
to do is to use the locator support in
System.DirectoryServices.ActiveDirectory to find DCs and GCs.
5. How do I deal with trusted domains? Will using GC instead of LDAP solve
this?
It can be complicated and it depends on what you mean by this. What about
trusted domains do you need to do?
6. If the local machine is running in domain X and the user is from the
trusted domain Y, should I still use the X domain when constructing the
LDAP/GC query? Or should I use the Y domain instead?
Are these domains in the same forest or an external forest?
7. How do I determine what domains exists? Do I even need to know this? Or
is it enough to know the domain the machine is a part of? (And then use
GC?)
The configuration partition on any DC contains this information and you can
also use the features in SDS.AD to enumerate domains in a forest if you need
to.
8. Does any of these questions make any sense in this scenario? Am I missing
something?
Don't forget that when you are using Windows auth, Windows itself will
calculate a user's group membership in the user's logon token. It is best
to not try to get the user's group membership via LDAP if Windows is going
to do it for you.
I would be thankful for any information that can answer these questions.
Cheers,
UncleRedz
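The two pieces of advice in Joe's reply (use the locator in System.DirectoryServices.ActiveDirectory to find a GC rather than hard-coding a server, and take group membership from the Windows logon token rather than from LDAP) look like this in a WCF service. This is an added example, not code from the thread or from Joe's book. It assumes a WCF service with Windows authentication hosted on a domain-joined machine as Local System or Network Service (so directory binds use the machine account), and the group name "CONTOSO\\AppAdmins" is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;
using System.Security.Principal;
using System.ServiceModel;
using System.Text;

// Added example (not from the original thread). Assumes a WCF service with
// Windows authentication on a domain-joined machine; the group name used by
// the caller of CallerIsInGroup is a placeholder.
public static class CallerAuthorization
{
    // Question 8: take group membership from the caller's logon token, which
    // Windows has already built (including nested and cross-domain groups).
    // No LDAP round trip is needed, and it works the same for local users,
    // domain users and users from trusted domains.
    public static bool CallerIsInGroup(string groupName)   // e.g. "CONTOSO\\AppAdmins"
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        return new WindowsPrincipal(caller).IsInRole(groupName);
    }

    // Same token, listing every group SID resolved to DOMAIN\name where the
    // local machine can resolve it. SIDs that cannot be mapped (a deleted
    // group, or a group from a forest this machine cannot resolve) are kept
    // as raw SID strings rather than dropped.
    public static IList<string> CallerGroups()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        var names = new List<string>();
        foreach (IdentityReference group in caller.Groups)
        {
            try { names.Add(group.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { names.Add(group.Value); }
        }
        return names;
    }
}

public static class DirectoryLookup
{
    // Questions 3, 4 and 7: let the DC locator choose a GC for the forest the
    // machine belongs to instead of hard-coding a server or domain name.
    public static string FindGlobalCatalogName()
    {
        using (Forest forest = Forest.GetCurrentForest())
        using (GlobalCatalog gc = forest.FindGlobalCatalog())
        {
            return gc.Name;
        }
    }

    // If directory data about the caller is needed beyond group membership,
    // search the GC by the SID from the token: it is unique across the forest
    // and already authenticated, so there is no need to reconstruct a DN or
    // decide which domain (X or Y) to query. Returns null when the user is
    // not in this forest, e.g. a user from an externally trusted forest, whose
    // objects are not replicated into this forest's GC.
    public static SearchResult FindCallerInGlobalCatalog(WindowsIdentity caller)
    {
        string gcPath = "GC://" + FindGlobalCatalogName();
        using (var root = new DirectoryEntry(gcPath))          // binds as the process account
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(objectSid="
                              + EscapeSidForFilter(caller.User) + "))";
            searcher.PropertiesToLoad.AddRange(
                new[] { "distinguishedName", "sAMAccountName", "userPrincipalName" });
            return searcher.FindOne();
        }
    }

    // objectSid is a binary attribute, so the filter value must be written as
    // one \xx escape per byte (RFC 4515). Building the filter from the token's
    // SID bytes rather than from caller-supplied text also rules out LDAP
    // filter injection.
    private static string EscapeSidForFilter(SecurityIdentifier sid)
    {
        var bytes = new byte[sid.BinaryLength];
        sid.GetBinaryForm(bytes, 0);
        var sb = new StringBuilder(bytes.Length * 3);
        foreach (byte b in bytes)
        {
            sb.Append('\\').Append(b.ToString("x2"));
        }
        return sb.ToString();
    }
}
```

ServiceSecurityContext.Current is only populated while a service operation is executing, so call these from inside the operation (or capture the WindowsIdentity there and pass it along). If the permission mapping is stored in configuration, compare group SIDs rather than display names; names can change or fail to resolve for foreign-forest groups, while the SIDs in the token are stable.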