Question : Getting group membership from LDAP


I use the code below to find out whether a user is a part of the admin group. I have to authenticate two types of users: one is member and the other is dealer. It works with the member domain but does not work with the dealer domain and does not return a value. Can somebody help with this code?


Is there an alternative way to authenticate users by finding whether they are a member of a certain group?
// Fields set elsewhere in the class: _path is the LDAP path to search, _filterAttribute the user's cn.
// Requires: using System; using System.DirectoryServices; using System.Text;
public string GetGroups()
{
    DirectorySearcher search = new DirectorySearcher(_path);
    search.Filter = "(cn=" + _filterAttribute + ")";
    search.PropertiesToLoad.Add("memberOf");
    StringBuilder groupNames = new StringBuilder();

    try
    {
        SearchResult result = search.FindOne();
        if (result == null)
        {
            // nothing matched the filter (e.g. the user object is not under _path)
            return null;
        }

        int propertyCount = result.Properties["memberOf"].Count;
        string dn;
        int equalsIndex, commaIndex;

        for (int propertyCounter = 0; propertyCounter < propertyCount; propertyCounter++)
        {
            // each memberOf value is a group DN such as "CN=<group>,OU=...,DC=..."
            dn = (string)result.Properties["memberOf"][propertyCounter];
            equalsIndex = dn.IndexOf("=", 1);
            commaIndex = dn.IndexOf(",", 1);
            if (-1 == equalsIndex)
            {
                return null;
            }
            if (-1 == commaIndex)
            {
                commaIndex = dn.Length;   // single-RDN DN: take the rest of the string
            }
            // keep only the value of the first RDN (the group's cn), "|"-separated
            groupNames.Append(dn.Substring((equalsIndex + 1), (commaIndex - equalsIndex) - 1));
            groupNames.Append("|");
        }
    }
    catch (Exception ex)
    {
        throw new Exception("Error obtaining group names. " + ex.Message, ex);
    }
    return groupNames.ToString();
}

Answer : Getting group membership from LDAP


Ah, okay, I see.

So you're testing LDAP auth here:

            DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);

And that's fine: you establish the authenticated connection. But then you try to build the searcher for groups like this:

            DirectorySearcher search = new DirectorySearcher(_path);

You've dropped the authenticated connection and are now passing in _path, creating a second, unauthenticated connection, instead of the authenticated DirectoryEntry.

Ideally you would store "entry" and use that.

e.g.

namespace FormsAuth
{
    public class LdapAuthentication
    {
        public DirectoryEntry _entry;

        <snip>

        public bool IsAuthenticated(string domain, string username, string pwd)
        {
            <snip>

            //Update the new path to the user in the directory.
            _filterAttribute = (string)result.Properties["cn"][0];
            _entry = result.GetDirectoryEntry();
        }


Then if you're authenticated you can pull the memberOf attribute from the DirectoryEntry rather than searching again in GetGroups:

// I think... not tested
foreach (string dn in _entry.Properties["memberOf"])
{
    // each value is a group DN such as "CN=<group>,OU=...,DC=..."
}

Chris
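The approach Chris describes, carried through end to end as an added example (this is not the questioner's code or Chris's; it was written for this page): one DirectoryEntry bound with the user's credentials, a DirectorySearcher built on that entry so the same bind is reused, the located user object cached for the memberOf read, and the login escaped before it is placed in the filter so a crafted username cannot rewrite the query. The LDAP path, the sAMAccountName-based filter, the class layout and the group names are assumptions; substitute your own.

```csharp
// Added example, not the original posters' code. Assumes an AD/LDAP path such as
// "LDAP://dc.example.local/DC=example,DC=local" and sAMAccountName-style logins.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

namespace FormsAuth
{
    public class LdapAuthentication
    {
        private readonly string _path;
        private DirectoryEntry _userEntry;   // the user's object, reached through the authenticated bind

        public LdapAuthentication(string path)
        {
            _path = path;
        }

        // Escape a value embedded in an LDAP search filter (RFC 4515), so a login such as
        // "*)(objectClass=*" cannot change what the filter matches.
        public static string EscapeFilterValue(string value)
        {
            var sb = new StringBuilder(value.Length);
            foreach (char c in value)
            {
                switch (c)
                {
                    case '\\': sb.Append("\\5c"); break;
                    case '*':  sb.Append("\\2a"); break;
                    case '(':  sb.Append("\\28"); break;
                    case ')':  sb.Append("\\29"); break;
                    case '\0': sb.Append("\\00"); break;
                    default:   sb.Append(c);      break;
                }
            }
            return sb.ToString();
        }

        // Bind as the user and locate their object. Returns false on bad credentials
        // or when no matching user object exists under _path.
        public bool IsAuthenticated(string domain, string username, string pwd)
        {
            string domainAndUsername = domain + @"\" + username;
            try
            {
                // This entry carries the credentials; a searcher rooted here reuses that bind.
                var entry = new DirectoryEntry(_path, domainAndUsername, pwd, AuthenticationTypes.Secure);
                using (var search = new DirectorySearcher(entry))
                {
                    search.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(username) + "))";
                    search.PropertiesToLoad.Add("memberOf");

                    SearchResult result = search.FindOne();   // forces the bind; throws on a bad password
                    if (result == null) return false;

                    _userEntry = result.GetDirectoryEntry();  // inherits the authenticated credentials
                    return true;
                }
            }
            catch (COMException)
            {
                // Invalid credentials and unreachable servers land here; report only "no".
                return false;
            }
        }

        // Group CNs from memberOf. memberOf lists direct memberships only and omits
        // the user's primary group, so nested group membership is not visible here.
        public IList<string> GetGroups()
        {
            if (_userEntry == null)
                throw new InvalidOperationException("Call IsAuthenticated first.");

            var groups = new List<string>();
            foreach (object dnObj in _userEntry.Properties["memberOf"])
                groups.Add(FirstRdnValue((string)dnObj));   // "CN=<group>,OU=...,DC=..." -> "<group>"
            return groups;
        }

        public bool IsMemberOf(string groupCn)
        {
            foreach (string g in GetGroups())
                if (string.Equals(g, groupCn, StringComparison.OrdinalIgnoreCase))
                    return true;
            return false;
        }

        // Value of the first RDN, honouring backslash-escaped characters so a CN such as
        // "Smith\, John" is not cut at the escaped comma.
        public static string FirstRdnValue(string dn)
        {
            int eq = dn.IndexOf('=');
            if (eq < 0) return dn;
            var sb = new StringBuilder();
            for (int i = eq + 1; i < dn.Length; i++)
            {
                if (dn[i] == '\\' && i + 1 < dn.Length) { sb.Append(dn[++i]); continue; }
                if (dn[i] == ',') break;
                sb.Append(dn[i]);
            }
            return sb.ToString();
        }
    }
}
```

Usage is `var auth = new LdapAuthentication(path); if (auth.IsAuthenticated(domain, user, pwd) && auth.IsMemberOf("Admins")) { ... }`. Two caveats before gating admin access on this: memberOf gives direct memberships only, so a user who is an admin through a nested group will be refused; for the full set read the constructed tokenGroups attribute (after RefreshCache on the DirectoryEntry) or use UserPrincipal.GetAuthorizationGroups from System.DirectoryServices.AccountManagement. And for the dealer-domain symptom in the question, a search rooted in one domain's naming context will not find a user object that lives in the other domain, so the path you bind against has to contain the dealer user.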