LDAP Query Group to AD LDS / ADAM (Not Active Directory)

Jul 1, 2009 at 10:58 PM
Edited Jul 1, 2009 at 11:00 PM

Hello,

We are trying out NetSqlAzMan and are having trouble setting up an LDAP Query Group.

Here is our setup:

  • Windows Server 2008 on DOMAIN "companyname"
    • Domain is controlled by Active Directory [RootDSE:DC=companyname,DC=local]
  • AD-LDS Instance running on server (port 3000)
    • [RootDSE:CN=STORENAME]
    • Our AD-LDS instance contains objectClass user and userProxy

We need the LDAP Query to run a query against the AD-LDS instance running on the server, not the domain the server is on.

We have attempted search filters:

  • [RootDSE:CN=STORENAME](&(rest of my query))
  • [RootDSE:ldap://SERVERNAME:3000/CN=STORENAME](&(rest of my query))
  • ldap://SERVERNAME:3000/CN=CONTAINERNAME,CN=Roles,CN=STORENAME

These have not worked - we get a popup with no results.


Your assistance would be greatly appreciated!

Coordinator
Jul 2, 2009 at 6:30 AM

Hi Raydr,

the correct syntax should be:

[RootDSE:SERVERNAME:3000/CN=STORENAME,DC=companyname,DC=local](&(rest of my query))

i.e.:

[RootDSE:SERVERNAME:3000/CN=STORENAME,DC=companyname,DC=local](&(displayName=*))

Let me know.

Regards,

Andrea.

__________________________________
Andrea Ferendeles
NetSqlAzMan - Project Coordinator

http://netsqlazman.codeplex.com

Jul 2, 2009 at 3:58 PM

Andrea,

Thank you for your reply.

We are querying ADAM/AD-LDS and while your syntax seems to get us closer, it still does not work.

I have downloaded your code to see if I could find the problem and this is what I found:


        private void RefreshActiveDirectoryObjectsList()
        {
            this.HourGlass(true);
            this.lsvObjectsSid.Items.Clear();
            if (this.searchResultCollection != null)
            {
                foreach (SearchResult sr in this.searchResultCollection)
                {
                    DirectoryEntry de = sr.GetDirectoryEntry();
                    ListViewItem lvi = new ListViewItem();
                    lvi.Tag = sr;
                    // Fails on ADAM/AD-LDS: the object has no sAMAccountName, so [0] throws "Index out of range"
                    lvi.Text = (string)de.Properties["sAMAccountName"][0];
                    lvi.SubItems.Add((string)de.InvokeGet("displayname"));
                    lvi.SubItems.Add(de.SchemaClassName);
                    lvi.SubItems.Add(new SqlAzManSID((byte[])de.Properties["objectSid"].Value).StringValue);
                    this.lsvObjectsSid.Items.Add(lvi);
                }
            }
            this.HourGlass(false);
        }


There is no sAMAccountName in ADAM/AD-LDS, so the sAMAccountName line above errors out with Index out of range.

The equivalent in ADAM/AD-LDS is userPrincipalName. I get many errors when trying to load the project in VS, so I'm unable to try and fix the code myself. What can we do to add support for AD-LDS?


Jul 2, 2009 at 6:15 PM

As a workaround, we have attempted to add sAMAccountName and displayname to the ADLDS schema. Now we have a new error:

http://www.matosconsulting.com/na/errorscreenshot2.JPG

Thoughts?

Thank you!


Coordinator
Jul 6, 2009 at 7:00 AM

Ummm..

Give me a couple of days to investigate better.

Regards,

Andrea.

Jul 6, 2009 at 9:01 PM

Sure thing. Looking forward to your reply!

Coordinator
Jul 6, 2009 at 9:25 PM

Hi,

this is the method in which the bug occurs: [\NetSqlAzMan.SnapIn\Forms\frmActiveDirectoryObjectsList.cs]

        private void RefreshActiveDirectoryObjectsList()
        {
            this.HourGlass(true);
            this.lsvObjectsSid.Items.Clear();
            if (this.searchResultCollection != null)
            {
                foreach (SearchResult sr in this.searchResultCollection)
                {
                    DirectoryEntry de = sr.GetDirectoryEntry();
                    ListViewItem lvi = new ListViewItem();
                    lvi.Tag = sr;
                    lvi.Text = (string)de.Properties["sAMAccountName"][0];
                    lvi.SubItems.Add((string)de.InvokeGet("displayname"));
                    lvi.SubItems.Add(de.SchemaClassName);
                    lvi.SubItems.Add(new SqlAzManSID((byte[])de.Properties["objectSid"].Value).StringValue);
                    this.lsvObjectsSid.Items.Add(lvi);
                }
            }
            this.HourGlass(false);
        }

As you can see … 3 properties are required:

- sAMAccountName
- displayname
- objectSid

Have you defined the objectSid property in your LDS ?

__________________________________
Andrea Ferendeles
NetSqlAzMan - Project Coordinator

http://netsqlazman.codeplex.com
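An added diagnostic, not code from this thread or from NetSqlAzMan: it runs, outside the snap-in, the kind of search that Andrea's [RootDSE:SERVERNAME:3000/CN=STORENAME,DC=companyname,DC=local](&(displayName=*)) syntax describes, so you can confirm that the base DN, port and filter actually return objects before blaming the snap-in. The LDAP:// path, the objectClass=user clause and the bind identity are assumptions built from the placeholders in this thread. It reads the three attributes the snap-in needs (sAMAccountName, displayname, objectSid) but checks that each attribute is present before indexing it, which is the check missing from de.Properties["sAMAccountName"][0]; on AD LDS it falls back to userPrincipalName, as Raydr suggests above. The objectSid conversion at the end is the same binary-to-"S-1-..." step that the SID-based group membership later in the thread relies on.

```csharp
// Added example (not NetSqlAzMan code): query an AD LDS instance with the
// base DN and filter a NetSqlAzMan LDAP Query Group would use, and read the
// attributes the snap-in needs without indexing an attribute the object lacks.
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

static class AdLdsQueryCheck
{
    // Escapes a value for use inside an LDAP search filter (RFC 4515), so a
    // name taken from configuration or user input cannot change the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // First string value of an attribute, or null when the object does not
    // carry it. This is what de.Properties["sAMAccountName"][0] lacks: on
    // AD LDS the attribute is absent and the [0] indexer throws.
    public static string FirstValue(SearchResult sr, string attribute)
    {
        if (!sr.Properties.Contains(attribute)) return null;
        ResultPropertyValueCollection values = sr.Properties[attribute];
        return values.Count > 0 ? values[0] as string : null;
    }

    // Name to show: sAMAccountName on AD, userPrincipalName on AD LDS (as
    // noted in the thread), and the object's path as a last resort.
    public static string AccountName(SearchResult sr)
    {
        return FirstValue(sr, "sAMAccountName")
            ?? FirstValue(sr, "userPrincipalName")
            ?? sr.Path;
    }

    public static void Main(string[] args)
    {
        // Placeholders taken from the thread (assumptions): replace with the
        // real host, port and partition DN of the AD LDS instance.
        string ldapPath = "LDAP://SERVERNAME:3000/CN=STORENAME,DC=companyname,DC=local";
        string displayNamePrefix = args.Length > 0 ? args[0] : "";
        string filter = "(&(objectClass=user)(displayName="
                      + EscapeFilterValue(displayNamePrefix) + "*))";

        // Binds as the current Windows identity. That identity needs read
        // rights on the partition (e.g. membership in the instance's Readers
        // role); without them the search comes back empty rather than failing.
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root, filter))
        {
            searcher.PropertiesToLoad.AddRange(new[] {
                "sAMAccountName", "userPrincipalName", "displayName", "objectSid" });
            searcher.PageSize = 500;

            using (SearchResultCollection results = searcher.FindAll())
            {
                Console.WriteLine("{0} object(s) matched {1}", results.Count, filter);
                foreach (SearchResult sr in results)
                {
                    string sid = "(no objectSid)";
                    if (sr.Properties.Contains("objectSid") && sr.Properties["objectSid"].Count > 0)
                    {
                        // Binary SID -> "S-1-..." string, the form NetSqlAzMan
                        // takes when a member is added by SID.
                        sid = new SecurityIdentifier((byte[])sr.Properties["objectSid"][0], 0).Value;
                    }
                    Console.WriteLine("{0,-40} {1,-30} {2}",
                        AccountName(sr), FirstValue(sr, "displayName") ?? "", sid);
                }
            }
        }
    }
}
```

Run it with the display-name prefix as the only argument; an empty prefix lists every user object under the partition. If the count is zero while the same objects are visible in ADSI Edit, the base DN or the bind identity's rights are the problem, not the filter; if the count is right but the snap-in still fails, the missing-attribute case above is the one to look at.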

Jul 6, 2009 at 9:39 PM

Yes, objectSid is in there by default.


http://matosconsulting.com/na/ldsschema.jpg

Coordinator
Jul 6, 2009 at 10:06 PM
Maybe one of the 3 properties has an invalid data type.
lvi.Text = (string)de.Properties["sAMAccountName"][0];
sAMAccountName should be an array of objects.

Jul 7, 2009 at 5:04 PM
Edited Jul 7, 2009 at 5:05 PM

Nope, we have confirmed that all of the properties are valid.

We have moved on and are adding SID from AD-LDS to a group by using NetSQLAzman functions. We are:

1.) Retrieving SID from LDS
2.) Adding member to group by passing SID

This seems to be working (see this screenshot):
http://www.matosconsulting.com/na/azmansid.jpg

Now we have a new problem:

To CheckAccess, the functions only allow either a DBUser or a WindowsIdentity. We do not have a WindowsIdentity object for AD-LDS users. We need a CheckAccess function that allows us to pass an SID, something like this (with a SID parameter):

AuthorizationType CheckAccess(string StoreName, string ApplicationName, string ItemName, string SID, DateTime ValidFor, bool OperationsOnly, params KeyValuePair<string, object>[] contextParameters);

Can you help us with this?

Coordinator
Jul 7, 2009 at 8:32 PM

Hi,

You can use the StorageCache.CheckAccess() instead of IAzManStorage.CheckAccess() method.

I.e.:

string cs = "data source=.;Initial Catalog=NetSqlAzManStorage;Integrated Security=SSPI";
StorageCache sc = new StorageCache(cs);
sc.BuildStorageCache();
//Preserve sc somewhere. i.e. into a Session variable or some static variable
AuthorizationType auth = sc.CheckAccess("My Store", "My Application", "My item", "S-1-XXXXXXX-XXX-XXXX", new string[0], DateTime.Now, false);

Let me know.

Regards,

Andrea.

__________________________________
Andrea Ferendeles
NetSqlAzMan - Project Coordinator

http://netsqlazman.codeplex.com

Jun 9, 2010 at 12:17 PM
Edited Jun 9, 2010 at 12:21 PM

Hi,

I use ADAM and I want to define an Application Group (LDAP Type) to connect to ADAM.

I write "[RootDSE:localhost:389/DC=TestProjName,DC=com](&(Name=testname*))" in LDAP Query but I don't see any results.

Could you please help me and tell me the correct syntax?

Coordinator
Jun 21, 2010 at 11:54 AM

Hi,

the syntax is correct.

Do you receive some errors … or just a blank list ?

Try with "[RootDSE:localhost:389/DC=TestProjName,DC=com](&(sAMAccountName=a*))".

Regards,
Andrea.

__________________________________
Andrea Ferendeles
NetSqlAzMan Project Coordinator
E-mail aferende@hotmail.com Web http://netsqlazman.codeplex.com

Mar 13, 2012 at 9:20 PM

Where are you setting this query?  We have ADAM but I do not see how/where to configure NetSQLAzMan to use it.