List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] "Who Am I" request
Alexandr.Kara@xxxx.yyy

01/22/2007 9:45 AM  
Hello everybody,
I am trying to get the CN of a user currently connected to Active Directory
(using a 3rd party library).

I tried the "Who am I?" extended operation from RFC 4532, but I got an error
120 or 0x78 (I don't know if it is useful).
Do you know of another method to get the CN? I need it to find out if the user
is part of a group.

Thanks a lot,
Alexandr
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
joe

01/22/2007 10:07 AM
Is there support for WhoAmI in ldp.exe? It sounds useful and I'd like to
try it. :)

Joe R.: When will this be added to Adfind (or is it already)?

Joe K.

----- Original Message -----
From: "Dmitri Gavrilov"
To:
Sent: Monday, January 22, 2007 9:07 AM
Subject: RE: [ActiveDir] "Who Am I" request
ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support
WhoAmI extended operation per RFC. In addition, they support
rootDSE/tokenGroups attribute, which is exactly what you need to check
"self group membership".

If you have pre-LH AD, then what you can do is read tokenGroups off the
user object (which you can find using %USERDOMAIN% and %USERNAME% vars
if you have an interactive session, or by looking up user SID from the
token). Note tokenGroups value can vary slightly depending on which DC
you connect to. If you want deterministic results, read
tokenGroupsGlobalAndUniversal (which excludes domain local groups).
dmitrig@xxxx.yyy

01/22/2007 10:07 AM  
ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support
WhoAmI extended operation per RFC. In addition, they support
rootDSE/tokenGroups attribute, which is exactly what you need to check
"self group membership".

If you have pre-LH AD, then what you can do is read tokenGroups off the
user object (which you can find using %USERDOMAIN% and %USERNAME% vars
if you have an interactive session, or by looking up user SID from the
token). Note tokenGroups value can vary slightly depending on which DC
you connect to. If you want deterministic results, read
tokenGroupsGlobalAndUniversal (which excludes domain local groups).
joe

01/23/2007 1:02 AM
If you did a bind to the directory with that user object, then you should be
able to do a search to find the user object you used for the bind. This
might only be complicated if you authenticated with a foreign domain user,
but I doubt you are doing that.

The exact nature of the search would depend on the user name format you are
using in the bind. If you did a simple bind with the DN, then you already
have the path to the user object. :)

Joe K.

----- Original Message -----
From: "Alexandr Kara"
To:
Sent: Tuesday, January 23, 2007 11:26 AM
Subject: Re: [ActiveDir] "Who Am I" request
Hello Dmitri,
thanks for your reply. The server I connect to is pre-LH (Windows 2003 I
think), which doesn't support WhoAmI.
You suggested that I read tokenGroups, but I have no "user object" to read
it
from. All I have is a generic connection to an LDAP server (I need to use the
OpenLDAP library for compatibility).
Can I get the user object by some other means?

Thanks a lot,
Alexandr

Alexandr.Kara@xxxx.yyy

01/23/2007 4:12 AM  
Let's say I did a simple bind with user "TestUser", but the user record is
actually located at "CN=TestUserCN,OU=Users1,DC=company,DC=com" and it can
(as far as I know) only be recognized by having sAMAccountName "TestUser".
I could probably find the user by searching under "DC=company,DC=com" with a
filter "(sAMAccountName=TestUser)", but I think it would impose a substantial
load on the Active Directory server, because not all users are
under "OU=Users,DC=company,DC=cz", some are located in other subtrees. Do you
think it would be OK to do that?

Thanks,
Alexandr

On Tuesday, 23 January 2007 19:02, Joe Kaplan wrote:
> If you did a bind to the directory with that user object, then you should
> be able to do a search to find the user object you used for the bind. This
> might only be complicated if you authenticated with a foreign domain user,
> but I doubt you are doing that.
>
> The exact nature of the search would depend on the user name format you are
> using in the bind. If you did a simple bind with the DN, then you already
> have the path to the user object. :)
>
> Joe K.
lef

01/23/2007 6:13 AM
Using ldp.exe;

rootDSE query for supportedExtension will give you the OID:

4> supportedExtension:
1.3.6.1.4.1.1466.20037 = ( LDAP_SERVER_START_TLS_OID );
1.3.6.1.4.1.1466.101.119.1 = ( LDAP_TTL_REFRESH_OID );
1.2.840.113556.1.4.1781 = ( LDAP_SERVER_FAST_BIND_OID );

1.3.6.1.4.1.4203.1.11.3 = ( LDAP_SERVER_WHO_AM_I_OID );
Then it's (post bind to be useful)

Browse -> Extended Op
and paste in the OID (1.3.6.1.4.1.4203.1.11.3) with no Data value.


Lee Flight

On Mon, 22 Jan 2007, Joe Kaplan wrote:

> Is there support for WhoAmI in ldp.exe? It sounds useful and I'd like to try
> it. :)
>
> Joe R.: When will this be added to Adfind (or is it already)?
>
> Joe K.
Lee Flight
__________________________________________________________
Lee Flight (lef@le.ac.uk) Tel: +44 (0)116 252 2257
IT Services,
Computer Centre, University of Leicester
Leicester LE1 7RH, United Kingdom

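The following is an added example, not code from this thread or from any library the posters mention. It ties together three points made above: Lee's rootDSE check for the LDAP_SERVER_WHO_AM_I_OID, Dmitri's fallback of reading tokenGroups off the user object on a pre-Longhorn DC, and Alexandr's plan to locate that object by searching on sAMAccountName. It assumes the caller already holds an authenticated connection and has fetched the rootDSE supportedExtension values and the tokenGroups bytes through whatever LDAP library it uses (OpenLDAP in Alexandr's case); here those inputs are constructed inline, and the function names are my own.

```python
# Added example, not code from the thread. Client-side pieces of the two
# approaches discussed above: checking rootDSE for the RFC 4532 "Who am I?"
# extended operation (OID as quoted from the ldp.exe output), and, for a
# server without it, building the sAMAccountName lookup filter safely and
# evaluating the binary SIDs that tokenGroups returns. Standard library only;
# the rootDSE values and SID bytes below are constructed sample data.
import struct

# OID as listed in the supportedExtension output earlier in the thread.
LDAP_SERVER_WHO_AM_I_OID = "1.3.6.1.4.1.4203.1.11.3"


def supports_whoami(supported_extension):
    """True if a rootDSE supportedExtension value list advertises the
    Who Am I extended operation; otherwise the client must fall back to
    locating its own user object by search."""
    return LDAP_SERVER_WHO_AM_I_OID in set(supported_extension)


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so a login name taken from the
    bind credentials cannot change the structure of the search filter
    (LDAP filter injection)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_user_filter(sam_account_name):
    """Filter for the search Alexandr describes: find the user object that
    carries the sAMAccountName used in the bind. objectCategory=person keeps
    computer accounts (also objectClass=user in AD) out of the result."""
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % (
        escape_filter_value(sam_account_name)
    )


def sid_to_string(sid):
    """Decode the binary SID layout AD uses for objectSid and tokenGroups:
    revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count little-endian 32-bit sub-authorities."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_from_string(text):
    """Inverse of sid_to_string, used to compare against a known group SID."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_member(token_groups, group_sid):
    """True if group_sid (string form) is among the binary tokenGroups values.
    tokenGroups is the expanded, transitive set, so nesting is already
    resolved by the DC; as Dmitri notes it can differ per DC, and
    tokenGroupsGlobalAndUniversal is the deterministic variant."""
    wanted = sid_from_string(group_sid)
    return any(bytes(value) == wanted for value in token_groups)


if __name__ == "__main__":
    # Constructed rootDSE values: one server with WhoAmI, one without.
    print(supports_whoami(["1.3.6.1.4.1.1466.20037", LDAP_SERVER_WHO_AM_I_OID]))
    print(supports_whoami(["1.3.6.1.4.1.1466.20037"]))
    # A login name containing filter metacharacters is neutralised.
    print(build_user_filter("Test*User)"))
    # Constructed tokenGroups for a user in Domain Users (RID 513) of a
    # made-up domain S-1-5-21-1-2-3 and in a custom group with RID 1105.
    groups = [sid_from_string("S-1-5-21-1-2-3-513"),
              sid_from_string("S-1-5-21-1-2-3-1105")]
    print([sid_to_string(g) for g in groups])
    print(is_member(groups, "S-1-5-21-1-2-3-1105"))  # True
    print(is_member(groups, "S-1-5-21-1-2-3-512"))   # False (Domain Admins)
```

Two practical notes on using this against a real directory: tokenGroups is a constructed attribute, so it has to be read with a base-scope search on the user object's own DN rather than picked up in the subtree search that locates the object; and sAMAccountName is only unique within a domain, so a forest-wide (global catalog) search for it should also constrain the domain the bind credential belongs to and verify that exactly one entry came back before trusting the result.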
joe

01/23/2007 6:18 AM
I think that's fine. Remember that AD has a global catalog, so you can
search across the whole forest quite easily.

I'm not actually certain that you can do a simple bind with a user from a
different domain, but maybe you can. My multi-domain LDAP knowledge is a
little weak since I don't actually have to deal with one on a day to day
basis. I do know that simple bind is only supposed to support the full
DN (as per LDAP spec), the UPN or the NT name for simple bind. The
unqualified user name is only supposed to work with a Windows secure
(GSS-SPNEGO SASL) bind. I think it actually does work in some cases, but
not others, so you should not use it as it is not documented to work
correctly.

There is also a Windows RPC method called DsCrackNames that will translate
names between different formats if you have a logon name and want something
you can use in a DN such as the full DN, GUID or SID. I doubt that helps if
you are trying to use OpenLDAP though. :)

Joe K.

efleis1

01/23/2007 6:52 AM
You can do an x-domain simple bind within the forest. You can not do it x-forest.
Alexandr.Kara@xxxx.yyy

01/23/2007 8:30 AM  
It works and has a pretty good performance. Thanks a lot!

Alexandr

joe

01/23/2007 9:45 AM
Thanks for clearing that up. I appreciate it.

Joe K.

----- Original Message -----
From: "Eric Fleischman"
To:
Sent: Tuesday, January 23, 2007 5:52 PM
Subject: RE: [ActiveDir] "Who Am I" request
> You can do an x-domain simple bind within the forest. You can not do it
> x-forest.
>
>

joe

01/23/2007 11:47 AM
Cool, thanks Lee. It works. :)

Joe

----- Original Message -----
From: "Lee Flight"
To:
Sent: Tuesday, January 23, 2007 5:13 AM
Subject: Re: [ActiveDir] "Who Am I" request
>
> Using ldp.exe;
>
> rootDSE query for supportedExtension will give you the OID:
>
> 4> supportedExtension:
> 1.3.6.1.4.1.1466.20037 = ( LDAP_SERVER_START_TLS_OID );
> 1.3.6.1.4.1.1466.101.119.1 = ( LDAP_TTL_REFRESH_OID );
> 1.2.840.113556.1.4.1781 = ( LDAP_SERVER_FAST_BIND_OID );
>
> 1.3.6.1.4.1.4203.1.11.3 = ( LDAP_SERVER_WHO_AM_I_OID );
>
>
> Then it's (post bind to be useful)
>
> Browse -> Extended Op
> and paste in the OID (1.3.6.1.4.1.4203.1.11.3) with no Data value.
>
>
>
>
> Lee Flight
> __________________________________________________________
> Lee Flight (lef@le.ac.uk) Tel: +44 (0)116 252 2257
> IT Services,
> Computer Centre, University of Leicester
> Leicester LE1 7RH, United Kingdom
>

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
Alexandr.Kara@xxxx.yyy

01/23/2007 12:26 PM  
Hello Dmitri,
thanks for your reply. The server I connect to is pre-LH (Windows 2003 I
think), which doesn't support WhoAmI.
You suggested that I read tokenGroups, but I have no "user object" to read it
from. All I have is a generic connection to an LDAP server (I need to use the
OpenLDAP library for compatibility).
Can I get the user object by some other means?

Thanks a lot,
Alexandr

On Monday 22 January 2007 16:07 Dmitri Gavrilov wrote:
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
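Added example, not code from the thread: the offline pieces of the pre-Longhorn fallback Dmitri describes, for the situation Alexandr is in (a Windows 2003 DC, a generic OpenLDAP connection, no WhoAmI). Because the server cannot tell you who you are, the caller must already know the account it bound with; the block builds a safely escaped search filter for that account, decodes the binary SIDs that come back in tokenGroups (or tokenGroupsGlobalAndUniversal), and compares them with the target group's objectSid. The LDAP search calls themselves are left to whatever client library is in use. The domain SID, RIDs and account name are constructed for the demo.

```python
"""
Pre-Longhorn fallback for "is the bound user in group X?": no WhoAmI, so the
caller already knows the account it bound as, finds that user object, reads
tokenGroups from it with a base-scope search, and compares the binary SIDs
against the group's objectSid.  Standard library only; sample SIDs constructed.
"""
import struct


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter, so an account name
    such as 'a*)(objectClass=*' taken from the environment cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search_filter(sam_account_name: str) -> str:
    """Subtree search under the domain naming context for the account we bound as."""
    return "(&(objectCategory=person)(sAMAccountName=%s))" % ldap_filter_escape(sam_account_name)


def sid_to_string(blob: bytes) -> str:
    """Binary SID (objectSid, each tokenGroups value) -> 'S-1-5-21-...'.
    Layout: revision(1) subauth-count(1) authority(6, big-endian) subauths(4 each, little-endian)."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def string_to_sid(text: str) -> bytes:
    """Inverse of sid_to_string, for turning a known group SID into bytes to compare."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def is_member(token_groups, group_object_sid: bytes) -> bool:
    """token_groups: the values of tokenGroups read from the user object (or
    tokenGroupsGlobalAndUniversal for a DC-independent answer, since that one
    leaves out domain local groups).  tokenGroups is a constructed attribute:
    request it by name on a base-scope search of the user's DN, or nothing comes back."""
    return any(bytes(v) == group_object_sid for v in token_groups)


# Constructed sample: a user whose token holds Domain Users (RID 513) and one
# custom group (RID 1105) in the invented domain S-1-5-21-1111-2222-3333.
SAMPLE_TOKEN_GROUPS = [
    string_to_sid("S-1-5-21-1111-2222-3333-513"),
    string_to_sid("S-1-5-21-1111-2222-3333-1105"),
]
SAMPLE_GROUP_SID = string_to_sid("S-1-5-21-1111-2222-3333-1105")
```

With a real connection the flow is: bind, search with user_search_filter(name) to get the DN, then a second search with base scope on that DN asking for tokenGroups, then is_member(values, string_to_sid(group_sid)). Comparing SIDs rather than group names avoids the nested-group and renamed-group problems that a memberOf walk runs into.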
listmailUser is Offline

Posts:822

01/30/2007 5:34 AM  
Hmm, first I heard of it, added to the list to check out. Shouldn't be too
difficult to get in there depending on how the data is returned.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
joeUser is Offline

Posts:106

01/30/2007 10:38 AM  
It is really easy, just a BER encoded string with a value like
"u:domain\user". You probably have all the code you need to handle it
already with the BER stuff you did for the stats control support.

Of course, the actual value of this is slightly dubious, but it is a fun
feature to have.

There are a couple of neat and useful things MS could do with this type of
thing. I think it would be nice to have a constructed attribute on security
principal objects that would return the NT account name (domain\user) as
well as another one that returns the complete UPN list (both implicit and
explicit).

I also think it would be useful to have an extended operation like this that
would return more than just the identity of the current user. Something
like the rootDSE/tokenGroups trick that ADAM supports, but with all of their
attribute data. There are lots of apps that do a bind and then have to do a
couple of searches to actually find the user's DN and then execute the
search against that. It would be handy to skip that step.

Joe K.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
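Added example, not code from the thread or from any of the tools mentioned in it: the WhoAmI exchange Lee drives through ldp.exe (Browse -> Extended Op with OID 1.3.6.1.4.1.4203.1.11.3 and no data) and the response value Joe K describes, shown at the wire level so that someone implementing it against a third-party LDAP library can see exactly what goes out and what comes back. Standard library only, no server needed: it encodes the ExtendedRequest, decodes an ExtendedResponse, and checks a rootDSE supportedExtension list for the OID. The server reply and the account CONTOSO\alice are constructed for the demo.

```python
"""
RFC 4532 "Who Am I?" at the wire level: encode the ExtendedRequest, decode the
ExtendedResponse, check rootDSE supportedExtension.  Sample reply is constructed.
"""

WHO_AM_I_OID = "1.3.6.1.4.1.4203.1.11.3"   # LDAP_SERVER_WHO_AM_I_OID

TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED, TAG_OCTET_STRING = 0x30, 0x02, 0x0A, 0x04
TAG_EXTENDED_REQ = 0x77    # [APPLICATION 23] ExtendedRequest
TAG_EXTENDED_RESP = 0x78   # [APPLICATION 24] ExtendedResponse
TAG_REQUEST_NAME = 0x80    # [0]  requestName inside ExtendedRequest
TAG_RESPONSE_VALUE = 0x8B  # [11] responseValue inside ExtendedResponse


def ber_len(n: int) -> bytes:
    """Length octets: short form below 128, long form (0x80|N then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the top bit would be set."""
    return tlv(TAG_INTEGER, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_whoami_request(message_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq { requestName [0] OID } }; no requestValue."""
    ext_req = tlv(TAG_EXTENDED_REQ, tlv(TAG_REQUEST_NAME, WHO_AM_I_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + ext_req)


def constructed_server_response(message_id: int, authz_id: str) -> bytes:
    """A successful reply: resultCode 0, empty matchedDN and diagnosticMessage,
    authzId in responseValue.  Constructed here, not captured from a DC."""
    ldap_result = tlv(TAG_ENUMERATED, b"\x00") + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_OCTET_STRING, b"")
    ext_resp = tlv(TAG_EXTENDED_RESP, ldap_result + tlv(TAG_RESPONSE_VALUE, authz_id.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + ext_resp)


def parse_whoami_response(msg: bytes) -> dict:
    """Decode an ExtendedResponse into message id, result code, diagnostic and authzId."""
    tag, body, _ = parse_tlv(msg)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = parse_tlv(body)
    tag, op, _ = parse_tlv(body, pos)
    if tag != TAG_EXTENDED_RESP:
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, pos = parse_tlv(op)          # resultCode
    _, _, pos = parse_tlv(op, pos)        # matchedDN
    _, diag, pos = parse_tlv(op, pos)     # diagnosticMessage
    out = {"message_id": int.from_bytes(msg_id, "big"), "result_code": int.from_bytes(code, "big"),
           "diagnostic": diag.decode("utf-8"), "authz_id": None}
    while pos < len(op):                  # optional referral / responseName / responseValue
        tag, val, pos = parse_tlv(op, pos)
        if tag == TAG_RESPONSE_VALUE:
            out["authz_id"] = val.decode("utf-8")
    return out


def split_authz_id(authz_id: str):
    """authzId is 'u:<userid>' or 'dn:<DN>' (RFC 4513); AD answers u:DOMAIN\\user.
    An empty value means the session is anonymous, which is not an error."""
    if authz_id == "":
        return ("anonymous", "")
    kind, sep, rest = authz_id.partition(":")
    if sep != ":" or kind not in ("u", "dn"):
        raise ValueError("malformed authzId: %r" % authz_id)
    return (kind, rest)


def server_supports_whoami(supported_extension) -> bool:
    """supported_extension: rootDSE supportedExtension values.  On the wire these
    are bare OIDs; ldp.exe appends '= ( NAME )' for display, which is tolerated."""
    return WHO_AM_I_OID in {v.split("=")[0].strip() for v in supported_extension}
```

Do the supportedExtension check before sending the request; a DC that does not list the OID (Windows 2003 in this thread) will not answer with an authzId, and the client library's error for that case is what to look at rather than the response parser.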
dmitrig@xxxx.yyy

01/31/2007 1:29 AM  
WRT constructed attribute on security principals -- check out
msDS-principalName. It works on users, groups and foreign security
principals (in ADAM and LH AD).

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
joeUser is Offline

Posts:106

01/31/2007 10:45 AM  
Glad to see that made it into LH AD. I like that feature in ADAM.

Joe K.

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
Copyright 2009 ActiveDir.org