Re: LDAP returns wrong members


On Feb 11, 3:47 pm, "Joe Kaplan"
<joseph.e.kap...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
The problem is most likely that the other members of the group are members
via primary group membership.  That is not stored in the member attribute of
the group.  Instead, the RID of the group is stored in the primaryGroupID
attribute on the users.  As such, you must use a different technique to find
users who are members of the group via primary group membership.

In general, you don't want to implement logic like this by reading the
members of the group.  Instead, you should calculate the user's full group
membership.  This fits more neatly with the standard .NET
IPrincipal.IsInRole approach to authorization.  Additionally, it is easier
to get the user's full security membership via LDAP by reading the
tokenGroups attribute.  This is fairly well-documented and is demonstrated
in several different ways in ch 10 of my book which is a free download from
the website in my sig.  This type of approach can be turned into an ASP.NET
role provider as well.  My co-author started one of these at
codeplex.com/adrp

HTH,

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net
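As an added example (not code from this thread, from Joe's book, or from the adrp project), here is a Python sketch of the two techniques Joe describes: resolving a group's full membership by also matching users' primaryGroupID against the group's RID, and an IsInRole-style check that decodes the binary SIDs returned in tokenGroups. The domain SID, DNs and attribute values are constructed stand-ins for what an LDAP search would return.

```python
import struct

# Constructed sample directory data standing in for LDAP search results.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUP = {                                   # the group whose member list looks incomplete
    "dn": "CN=Intranet Users,OU=Groups,DC=example,DC=com",
    "objectSid": DOMAIN_SID + "-1105",      # group RID is 1105
    "member": ["CN=alice,OU=Users,DC=example,DC=com"],   # only the explicit member
}
USERS = {                                   # dn -> (objectSid, primaryGroupID)
    "CN=alice,OU=Users,DC=example,DC=com": (DOMAIN_SID + "-1201", 513),
    "CN=bob,OU=Users,DC=example,DC=com": (DOMAIN_SID + "-1202", 1105),
    "CN=carol,OU=Users,DC=example,DC=com": (DOMAIN_SID + "-1203", 1105),
}

def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID (objectSid or a tokenGroups value) into S-1-... text."""
    revision, sub_count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def string_to_sid(text: str) -> bytes:
    """Encode S-1-... text into the binary form AD stores (used here to build sample data)."""
    parts = text.split("-")
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def rid_of(sid_text: str) -> int:
    """The last sub-authority of a SID is its RID, which is what primaryGroupID holds."""
    return int(sid_text.rsplit("-", 1)[1])

def full_group_members(group, users):
    """Explicit 'member' entries plus users whose primaryGroupID equals the group's RID."""
    group_rid = rid_of(group["objectSid"])
    implicit = {dn for dn, (_sid, pgid) in users.items() if pgid == group_rid}
    return sorted(set(group["member"]) | implicit)

def is_in_group(token_groups, group_sid_text: str) -> bool:
    """IsInRole-style check: compare the group's SID against the user's decoded tokenGroups."""
    return any(sid_to_string(value) == group_sid_text for value in token_groups)

# Constructed tokenGroups for bob: his primary group (RID 1105) plus Domain Users (RID 513).
BOB_TOKEN_GROUPS = [string_to_sid(DOMAIN_SID + "-1105"), string_to_sid(DOMAIN_SID + "-513")]

if __name__ == "__main__":
    print(full_group_members(GROUP, USERS))   # alice, bob and carol, not just alice
    print(is_in_group(BOB_TOKEN_GROUPS, GROUP["objectSid"]))   # True
```

A real tokenGroups value also carries nested and well-known group SIDs, which is why Joe prefers it over walking the member attribute.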

Basically what I wanted to get is why it is not working in general. We
have a few internal web-based applications that use AD membership to
authorize intranet users (using LDAP queries) and recently we
recognized that this is working properly for some of our groups. So, I
want to fix this for all applications, including LDAP Browser.

Our AD has been recently migrated to Win2008. I think before this (on
Win2000) it was working correctly.

Joe, I appreciate your help, thank you. I changed my code to use the
tokenGroups attribute and it is working properly now. Regarding LDAP
and "memberof" values: why does it show 60 users then? As far as I see
they also have that group as a primary group and according to your
answer this should not work. Is it a kind of obsolete information,
which is not updated, or is it an error in our directory? Is there any
tool to look for errors in AD / or refresh LDAP? :-)


