Need help with DirectorySearcher FILTER using SID

"Pucca" <Pu***@discussions.microsoft.com> wrote in message news:41E2995E-5011-45F2-BE3A-2592F008A731@microsoft.com:

Hi, I'm using vs2005, .net 2.0. I have the following method that retrieves the AD object's current login name. The search is returning null when it shouldn't. I think there's a problem with my byte array's allocation. Or maybe there's another way to do this? I saw the 2.5.5.17 SID format in a book but wonder how I can use this format in my search filter string?

The childKeySid is in SDDL format: S-15-76D9750B-34737BB4-2B3BE507-A30

I allocated the byte array length to be 44 and got the following:

    searchSid = "\\01\\05\\00\\00\\00\\00\\00\\05\\15\\00\\00\\00\\0B\\75\\D9\\76\\B4\\7B\\73\\34\\07\\E5\\3B\\2B\\30\\0A\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00"

Can someone tell me how to correct my search here? Many thanks.

    public static string GetWinName(DirectoryEntry de, DirectoryEntry deParent)
    {
        string sidKey = null, childSidKey = null, sid = null, displayName = null, searchSid;
        int lastDash = 0;

        childSidKey = de.Properties["cn"].Value.ToString();
        SecurityIdentifier sdSID = new SecurityIdentifier(childSidKey);
        byte[] bArray = new byte[childSidKey.Length];
        sdSID.GetBinaryForm(bArray, 0);
        searchSid = BuildFilterOctetString(bArray);

        de.AuthenticationType = AuthenticationTypes.FastBind | AuthenticationTypes.Secure;

        DirectorySearcher dsFindADObject = new DirectorySearcher(deParent);
        dsFindADObject.Filter = "(objectSid=" + childSidKey + ")";
        dsFindADObject.PropertiesToLoad.Add("objectSid");
        SearchResult sr = dsFindADObject.FindOne();
        string foundSid = null;
        if (sr != null)
        {
            foundSid = sr.Properties["objectSid"].ToString();
            return foundSid;
        }
        else
            return null;
    }

Thanks.

"Joe Kaplan" wrote:

The code below makes no sense to me. What is this supposed to do?

    childSidKey = de.Properties["cn"].Value.ToString();
    SecurityIdentifier sdSID = new SecurityIdentifier(childSidKey);

It looks like you are reading an object's CN attribute and then trying to build a SecurityIdentifier object with it. That would only make sense if the object is a foreign security principal, but would not work in general. Is that what you are doing?

If that is the case, why would you bother doing a search for it? You already have a DirectoryEntry for the object.

In general, you can locate objects by their SID using a filter like you specified. If the directory is AD2003 or ADAM, it also supports filters that use the SDDL format:

    (objectSid=S-1-5-20-xxx)

You would want to make sure you did the search at the domain root scope or at the forest scope with the GC if you want to search the whole forest. It isn't easy to tell from your code what the DE that is used as the SearchRoot actually points to.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net

"Pucca" <Pu***@discussions.microsoft.com> wrote in message news:14B2CEE9-1534-4E41-88D9-C716FA6BF809@microsoft.com:

Hi Joe, Sorry for not giving a bit more background information about my question here. We are storing our data in AD using the "meeting" class. In this class object, we store the sid in sddl format in the "Common-Name" field ("cn" is the attribute name). After I retrieve this sid from the meeting class, I need to use it as the filter to search for the "matching sid" AD object, which can be a computer, a group or a user. The parent container indicates to search in the respective container like: "LDAP://CN=COMPUTERS, DC=X,DC=Y,DC=COM"

The application needs to run on Win 2000 server and up. So there is no ADAM available and SDDL is also not an option. Based on what I just described, can you see why my code isn't working? I use the SecurityIdentifier to get the byte array which can then be transformed into an octet string for the search filter. But it's not working. Thanks.

"Joe Kaplan" wrote:

It should work as long as you are searching at the right scope in the domain.

Whenever you are having trouble with a query, try it by hand in ldp and see what is happening. You should be able to copy and paste the filter into ldp and use the DN of the search root object for the search root in ldp. That should give you some equivalence.

Also, the escape character should be a single backslash in the filter. You would obviously supply that as "\\" in a string literal, but make sure the actual string doesn't contain \\. That would break the code. I assume you are using the method BuildFilterOctetString from our book since it has the same method name. If not, grab our source from the book's website and use that. It definitely works fine.

Joe K.

"Pucca" <Pu***@discussions.microsoft.com> wrote in message news:84D0032A-05DB-4416-A6CF-A814CEDB789C@microsoft.com:

I use the "bool sidValidate = sdSID.IsAccountSid();" in my code and it is a valid SID. I also did the search in ldp and got the following result of 0 found:

    ldap_search_s(ld, "CN=Computers,DC=unity,DC=windev,DC=symark,DC=com", 2, "(objectSid=\\01\\05\\00\\00\\00\\00\\00\\05\\15\\00\\00\\00\\0B\\75\\D9\\76\\B4\\7B\\73\\34\\07\\E5\\3B\\2B\\30\\0A\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00\\00)", attrList, 0, &msg)
    Result <0>: (null)
    Matched DNs:
    Getting 0 entries:
    -----------

I also tried searching with the SDDL format but it didn't work either:

    ***Searching...
    ldap_search_s(ld, "CN=Computers,DC=unity,DC=windev,DC=symark,DC=com", 1, "(objectSid=S-1-5-21-1993962763-879983540-725345543-2608)", attrList, 0, &msg)
    Result <0>: (null)
    Matched DNs:
    Getting 0 entries:

The problem is obviously my SID format in the search filter. This is what I did to get the above format:

1. I have a SDDL SID.
2. I took its length and converted it to a byte array (but I got a bunch of //00 at the end):

    byte[] bArray = new byte[childSidKey.Length];
    sdSID.GetBinaryForm(bArray, 0);

3. I used the code from the book to convert the result from step 2 to an octet string, but the result is not found:

    searchSid = BuildFilterOctetString(bArray);

Can you see what I've done wrong in my steps? Here is my new code:

    public static string GetWinName(DirectoryEntry de, DirectoryEntry deParent)
    {
        string searchSid = null, childSidKey = null;

        childSidKey = de.Properties["cn"].Value.ToString();
        SecurityIdentifier sdSID = new SecurityIdentifier(childSidKey);
        bool sidValidate = sdSID.IsAccountSid();
        byte[] bArray = new byte[childSidKey.Length];
        sdSID.GetBinaryForm(bArray, 0);
        searchSid = BuildFilterOctetString(bArray);

        de.AuthenticationType = AuthenticationTypes.FastBind | AuthenticationTypes.Secure;

        DirectorySearcher dsFindADObject = new DirectorySearcher(deParent);
        dsFindADObject.Filter = "(objectSid=" + searchSid + ")";
        dsFindADObject.PropertiesToLoad.Add("sAMAccountName");
        SearchResult sr = dsFindADObject.FindOne();
        string sAMAccountName = null;
        if (sr != null)
        {
            sAMAccountName = sr.Properties["sAMAccountName"].ToString();
            return sAMAccountName;
        }
        else
            return null;
    }

Thanks.

"Joe Kaplan" wrote:

Your filter has \\ in it, not \. Like I said in my previous message, that won't work. If you use the code from our site, it will work fine. For example, the filter for the authenticated users built-in SID, S-1-5-11, would look like:

    (objectSid=\01\01\00\00\00\00\00\05\0B\00\00\00)

Also, the object would need to be found in the CN=computers container. If you want to search the whole domain, move your search base to the root.

Joe K.
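As an added example (not code from the thread or from Joe's book), here is the SID encoding and LDAP filter escaping the posts are arguing about, in Python: it rebuilds Joe's S-1-5-11 filter, and decodes the 44-byte value Pucca posted to show that it is a 28-byte SID followed by 16 zero bytes, which is why nothing matches. Function names are my own; the sample SIDs are the ones quoted in the thread.

```python
"""Encode a Windows SID (SDDL text form) to its binary layout and to the
backslash-hex octet string an LDAP filter on objectSid needs.

Binary SID layout: 1 byte revision, 1 byte sub-authority count,
6-byte identifier authority (big-endian), then N little-endian uint32
sub-authorities. A SID with N sub-authorities is therefore 8 + 4*N bytes.
"""
import re
import struct

# Sample SIDs, taken from the thread above
AUTHENTICATED_USERS = "S-1-5-11"
POSTED_SID = "S-1-5-21-1993962763-879983540-725345543-2608"
# The 44-byte escaped value Pucca posted (C# literal; doubled backslashes
# reduced to the single backslash the filter actually carries)
POSTED_FILTER_VALUE = (
    r"\01\05\00\00\00\00\00\05\15\00\00\00\0B\75\D9\76\B4\7B\73\34"
    r"\07\E5\3B\2B\30\0A\00\00\00\00\00\00\00\00\00\00\00\00\00\00"
    r"\00\00\00\00"
)

_SDDL_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def sid_to_bytes(sddl: str) -> bytes:
    """Parse 'S-R-A-s1-s2-...' into the binary SID layout Windows uses."""
    m = _SDDL_RE.match(sddl)
    if not m:
        raise ValueError(f"not an SDDL SID: {sddl!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"SID out of range: {sddl!r}")
    out = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        out += struct.pack("<I", s)
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes; rejects buffers whose length does not match
    the sub-authority count (e.g. a buffer padded with trailing zeros)."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    expected = 8 + 4 * count
    if len(raw) != expected:
        raise ValueError(f"SID length {len(raw)} != {expected} for {count} sub-authorities")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:expected])
    return "S-%d-%d" % (revision, authority) + "".join(f"-{s}" for s in subs)


def escape_for_filter(raw: bytes) -> str:
    """RFC 4515 escaping: one backslash plus two hex digits per byte."""
    return "".join(f"\\{b:02X}" for b in raw)


def objectsid_filter(sddl: str) -> str:
    """Build the (objectSid=...) filter for a SID given in SDDL form."""
    return f"(objectSid={escape_for_filter(sid_to_bytes(sddl))})"


def unescape_filter_value(value: str) -> bytes:
    """Turn a \\XX-escaped assertion value back into bytes; a doubled
    backslash (the \\\\ Joe spotted) is rejected rather than decoded."""
    if "\\\\" in value:
        raise ValueError("value contains a literal backslash; only single \\XX escapes allowed")
    parts = value.split("\\")
    if parts[0] != "" or any(len(p) != 2 for p in parts[1:]):
        raise ValueError("malformed escaped octet string")
    return bytes(int(p, 16) for p in parts[1:])


def diagnose_posted_value(value: str) -> dict:
    """Explain why a padded objectSid value matches nothing: report how many
    bytes were sent, how long the SID inside them really is, and which SID."""
    raw = unescape_filter_value(value)
    real_len = 8 + 4 * raw[1]
    return {
        "bytes_sent": len(raw),
        "bytes_in_sid": real_len,
        "trailing_zero_bytes": len(raw) - real_len,
        "sid": bytes_to_sid(raw[:real_len]),
    }


if __name__ == "__main__":
    print(objectsid_filter(AUTHENTICATED_USERS))
    print(diagnose_posted_value(POSTED_FILTER_VALUE))
```

The 44 comes from the SDDL string being 44 characters long, so in the .NET code the fix is to size the buffer with sdSID.BinaryLength rather than childSidKey.Length before calling GetBinaryForm.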