User Management with Active Directory—Determining User Group Membership in Active Directory and ADAM
© 2006 Pearson Education, Inc.
We often need to know a user’s group membership, especially when building applications that require role-based security. There are many cases when we cannot simply rely on Windows to do this expansion for us, and we need an LDAP-based approach instead. Unfortunately, many samples that attempt to show how to do this miss important details or make key mistakes that can lead to compromised security in our applications. We attempt to right these wrongs and show some proven techniques that have been effective for us.
Two linked multivalued attributes, called member and memberOf, control group membership. The group object always holds the member attribute. The memberOf attribute is a calculated back link held on the group member object itself. As such, group membership is always managed from the group object side (the forward link) of the relationship, and the back link is updated by the system automatically. That is, we can read the memberOf attribute, but we cannot modify it directly. This multivalued attribute contains the user's direct group membership, with one exception: It does not contain what is called the primary group. This group receives special treatment, and we cover how to read it in the next chapter.
When we say that the memberOf attribute contains the user's direct membership, we mean that while we can view groups that directly contain the user object, we cannot view any group membership that is derived from the nesting of group memberships. We will have to use either a recursive technique or the tokenGroups attribute to expand a user's membership fully.
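The recursive technique, as an added example that is not the book's code: it walks memberOf from the user up through each containing group. Active Directory permits circular nesting (group A in group B and B in A), so the visited set is not optional; without it the walk never terminates. The DirectoryEntry path is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

class NestedGroupExpansion
{
    // Returns the DNs of every group the user belongs to, directly or through nesting,
    // as seen through memberOf. Like memberOf itself this omits the primary group,
    // but unlike tokenGroups it does include distribution groups.
    static List<string> GetNestedGroupDns(DirectoryEntry user)
    {
        List<string> groups = new List<string>();
        // DNs are case-insensitive; guard against revisiting (and against cycles).
        Dictionary<string, bool> seen =
            new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);
        Stack<string> pending = new Stack<string>();

        user.RefreshCache(new string[] { "memberOf" });
        foreach (string dn in user.Properties["memberOf"])
            pending.Push(dn);

        while (pending.Count > 0)
        {
            string dn = pending.Pop();
            if (seen.ContainsKey(dn))
                continue; // already expanded, or a nesting cycle
            seen[dn] = true;
            groups.Add(dn);

            using (DirectoryEntry group = new DirectoryEntry("LDAP://" + EscapeForAdsPath(dn)))
            {
                // Load only the one attribute we need rather than the whole object.
                group.RefreshCache(new string[] { "memberOf" });
                foreach (string parent in group.Properties["memberOf"])
                    pending.Push(parent);
            }
        }
        return groups;
    }

    // A "/" inside a DN (e.g. an OU named "Sales/Marketing") is a path separator
    // in an ADsPath and must be escaped before the DN is used to bind.
    static string EscapeForAdsPath(string dn)
    {
        return dn.Replace("/", "\\/");
    }

    static void Main()
    {
        // Placeholder path; replace with a real user object.
        using (DirectoryEntry user = new DirectoryEntry(
            "LDAP://CN=Alice Smith,OU=Users,DC=example,DC=com"))
        {
            foreach (string dn in GetNestedGroupDns(user))
                Console.WriteLine(dn);
        }
    }
}
```

Each level of nesting costs one round trip to the directory, which is the "messiness" the next paragraph alludes to; the directory server does this same expansion for you when it computes tokenGroups.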
It turns out that the tokenGroups attribute is typically what we are after. This constructed attribute holds a security identifier (SID) for each security group (including the aforementioned primary group) of which the user is a member, with nested membership already expanded by the domain controller. Because it is computed rather than stored, it is returned only when explicitly requested (with RefreshCache or a base-scope search on the user object) and it cannot be used in a search filter. Recursive solutions can often be a little messy, and the only advantage the recursive technique holds is that it will also expand group membership in distribution lists, while the tokenGroups attribute contains only security group membership.
We will cover three techniques for reading group membership using the tokenGroups attribute. The first technique will use an LDAP search to find each SID in the tokenGroups attribute, and the second technique will use the DsCrackNames API to convert them in a single batch. The third technique will be a .NET 2.0-only solution using the new
Our ultimate goal will be to convert the tokenGroups attribute into a collection of human-readable group names. A typical example of this is to build a GenericPrincipal object and fill it with roles for a custom ASP.NET Forms authentication mechanism.
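The end-to-end flow the preceding two paragraphs describe, as an added example that is not the book's own code: read tokenGroups, resolve the SIDs to names with the first technique (one LDAP search on objectSid, escaped byte by byte) and fall back to the .NET 2.0 SecurityIdentifier.Translate call for anything the search does not find, then load the names into a GenericPrincipal. The DsCrackNames batch technique is omitted here because it needs a P/Invoke declaration. The user and domain-root paths are placeholders, and the use of the name attribute rather than sAMAccountName is a choice made so the search also works against ADAM.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

class TokenGroupsToRoles
{
    // tokenGroups is constructed, so it must be requested explicitly; RefreshCache
    // performs the base-scope read that returns it.
    static List<SecurityIdentifier> ReadTokenGroups(DirectoryEntry user)
    {
        user.RefreshCache(new string[] { "tokenGroups" });
        List<SecurityIdentifier> sids = new List<SecurityIdentifier>();
        foreach (byte[] raw in user.Properties["tokenGroups"])
            sids.Add(new SecurityIdentifier(raw, 0));
        return sids;
    }

    // Binary attribute values inside an LDAP filter are written as \xx per byte.
    static string ToFilterEscaped(SecurityIdentifier sid)
    {
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        StringBuilder sb = new StringBuilder(raw.Length * 3);
        foreach (byte b in raw) sb.AppendFormat("\\{0:x2}", b);
        return sb.ToString();
    }

    // Technique 1: one OR filter over objectSid per batch. Batching keeps the
    // filter a sane size when a user has hundreds of groups.
    static Dictionary<SecurityIdentifier, string> ResolveBySearch(
        DirectoryEntry searchRoot, List<SecurityIdentifier> sids)
    {
        Dictionary<SecurityIdentifier, string> names = new Dictionary<SecurityIdentifier, string>();
        const int batchSize = 100;
        for (int start = 0; start < sids.Count; start += batchSize)
        {
            StringBuilder filter = new StringBuilder("(|");
            for (int i = start; i < sids.Count && i < start + batchSize; i++)
                filter.Append("(objectSid=").Append(ToFilterEscaped(sids[i])).Append(")");
            filter.Append(")");

            using (DirectorySearcher searcher = new DirectorySearcher(
                searchRoot, filter.ToString(), new string[] { "objectSid", "name" }))
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult result in results)
                {
                    SecurityIdentifier sid =
                        new SecurityIdentifier((byte[])result.Properties["objectSid"][0], 0);
                    names[sid] = (string)result.Properties["name"][0];
                }
            }
        }
        return names;
    }

    // Technique 3 (.NET 2.0): ask LSA to translate the SID to DOMAIN\name. This works for
    // AD groups from a domain-joined machine; ADAM-local group SIDs are unknown to LSA.
    static string ResolveByTranslate(SecurityIdentifier sid)
    {
        try { return sid.Translate(typeof(NTAccount)).Value; }
        catch (IdentityNotMappedException) { return null; }
    }

    // Unresolved SIDs are kept in SDDL form ("S-1-5-...") rather than dropped,
    // so a role check can still be made against the SID string if needed.
    static GenericPrincipal BuildPrincipal(string userName, DirectoryEntry user, DirectoryEntry searchRoot)
    {
        List<SecurityIdentifier> sids = ReadTokenGroups(user);
        Dictionary<SecurityIdentifier, string> names = ResolveBySearch(searchRoot, sids);
        List<string> roles = new List<string>();
        foreach (SecurityIdentifier sid in sids)
        {
            string name;
            if (!names.TryGetValue(sid, out name))
                name = ResolveByTranslate(sid) ?? sid.Value;
            roles.Add(name);
        }
        return new GenericPrincipal(new GenericIdentity(userName, "Forms"), roles.ToArray());
    }

    static void Main()
    {
        // Placeholder paths; replace with a real user and the partition to search.
        using (DirectoryEntry user = new DirectoryEntry("LDAP://CN=Alice Smith,OU=Users,DC=example,DC=com"))
        using (DirectoryEntry root = new DirectoryEntry("LDAP://DC=example,DC=com"))
        {
            GenericPrincipal principal = BuildPrincipal("alice", user, root);
            Console.WriteLine("App Admins? " + principal.IsInRole("App Admins"));
        }
    }
}
```

In an ASP.NET Forms application the principal built this way is assigned to HttpContext.Current.User (typically in Application_AuthenticateRequest), after which IsInRole and the usual authorization mechanisms work against the group names. One caution on the security side: a role check by bare group name is only as strong as the uniqueness of that name, and names can be changed or duplicated in another partition or domain, whereas the SID in tokenGroups is stable; when an authorization decision is sensitive, compare SIDs rather than names.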