A little bit of LDAP here & There


Hullo all,

I know… I know… yet another substantial gap since I posted anything, but what can I say I’ve been really busy with the new job and everything.

So what am I wittering on about this time…

LDAP?  What on earth is LDAP?

Well, for those of you who have never heard of it before, it’s an acronym for “Lightweight Directory Access Protocol”

and… yes I can hear you all saying now… why on earth would I be remotely interested in that, shawty?

Well, I’ve seen a few questions related to user management lately, the latest of which is here on Lidnug. Quite simply, LDAP is the interface used to talk to Active Directory Services on a Windows server, but because local Windows accounts are managed in much the same way, the same techniques are perfectly valid if you’re trying to do things like create local accounts from a C# program.

LDAP is also used extensively in the communications & mobile industry, and for the most part was pretty much coined as a standard by the main telco companies in the world.  Designed initially to access subscriber details in all the black box systems that link together to run a typical telco infrastructure, it was adopted by Microsoft way back in the NT4 days as the protocol behind Active Directory.

Granted, AD has grown a lot (an awful lot, in fact) since then and now encompasses more technologies than you can shake a RAM chip at, but the basic principle is still the same.

LDAP has grown too. Since its conception in the 1980s through to today, it has become a fully structured and supported networking protocol in very much the same fashion as HTTP or BitTorrent, and is used for almost any system that organises information in a directory-based structure.

So what does LDAP look like?

In a nutshell, very much like a standard URI:

ldap://host:port/DN?attributes?scope?filter?extensions

The host:port part is just like the host part of a web URL, and is generally the FQDN (Fully Qualified Domain Name) of the directory server.
DN is the distinguished name of the object you’re searching for.
attributes is a comma-separated list of attributes to retrieve for your object.
scope specifies the search scope.
filter is a search filter.
extensions are extensions to the LDAP URL format.

For example:

ldap://adserver.digital-solutions.local/cn=shawty,dc=digital-solutions,dc=local

or

ldap:///dc=digital-solutions,dc=local??sub?(givenName=shawty)

The first retrieves ALL attributes for my entry on the directory server ‘adserver’ in my local network; by attributes I mean any bit of information that is attached to ‘shawty’ as an object in the directory.

The second example performs the same search but uses a default server, much like using a broadcast in TCP/IP speak.
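To make the layout concrete, here is an added C# example (not code from the original post) that splits an LDAP URL into the fields listed above and handles the empty-host form of the second example; the defaults for port, scope and filter are my own assumptions, not something the post states.

```csharp
using System;

// Holds the pieces of ldap://host:port/DN?attributes?scope?filter?extensions
class LdapUrl
{
    public string Host = "";                      // empty host = "use a default server", as in the second example
    public int Port = 389;                        // assumed default when the URL gives no port
    public string Dn = "";
    public string[] Attributes = new string[0];   // empty = retrieve all attributes
    public string Scope = "base";                 // assumed default when the scope field is empty
    public string Filter = "(objectClass=*)";     // assumed default when the filter field is empty
    public string Extensions = "";

    public static LdapUrl Parse(string url)
    {
        const string prefix = "ldap://";
        if (!url.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("not an ldap:// URL: " + url);
        string rest = url.Substring(prefix.Length);
        int slash = rest.IndexOf('/');
        string authority = slash < 0 ? rest : rest.Substring(0, slash);
        string path = slash < 0 ? "" : rest.Substring(slash + 1);

        var u = new LdapUrl();
        if (authority.Length > 0)
        {
            int colon = authority.LastIndexOf(':');   // note: bare IPv6 literals are not handled here
            u.Host = colon < 0 ? authority : authority.Substring(0, colon);
            if (colon >= 0) u.Port = int.Parse(authority.Substring(colon + 1));
        }
        // Everything after the DN is '?'-separated; a missing or empty field keeps its default.
        string[] f = path.Split('?');
        u.Dn = Uri.UnescapeDataString(f[0]);
        if (f.Length > 1 && f[1].Length > 0) u.Attributes = f[1].Split(',');
        if (f.Length > 2 && f[2].Length > 0) u.Scope = f[2];
        if (f.Length > 3 && f[3].Length > 0) u.Filter = Uri.UnescapeDataString(f[3]);
        if (f.Length > 4) u.Extensions = f[4];
        return u;
    }

    static void Main()
    {
        // The post's second example: no host, all attributes, subtree scope, a givenName filter.
        var u = Parse("ldap:///dc=digital-solutions,dc=local??sub?(givenName=shawty)");
        Console.WriteLine($"host='{u.Host}' dn='{u.Dn}' scope={u.Scope} filter={u.Filter}");
    }
}
```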

Ok, so what’s this got to do with coding or C# (after all, that’s what you tagged it as…)?

Well, using LDAP it’s trivially easy to create local user accounts, as the Windows user management system uses LDAP internally; however, instead of using “LDAP://” it uses “WinNT://” as the protocol identifier, and ‘localhost’ for local machine accounts. You can specify a full LDAP string, and specify the full FQDN for servers under the administrator’s control, but I’ll leave that for another day.

First things first, you need to set up the required objects to support your task:

using System.DirectoryServices;

static void AddUser(string userShortName, string userFullName, string password)
{
    // Bind to the local machine's account database through the WinNT ADSI provider
    DirectoryEntry hostMachineDirectory = new DirectoryEntry("WinNT://localhost");
    DirectoryEntries entries = hostMachineDirectory.Children;

Needless to say, you’ll need to add a reference to ‘System.DirectoryServices’, and if you trace through the code you should see that the “WinNT://localhost/” string has hopefully changed to “WinNT://[workgroup]/localhost”, where [workgroup] will be the workgroup name used by your local machine, and can be looked up under ‘My Computer -> Properties’ in the computer name property pages.

Once you have the required objects the rest is child’s play:

    // Create the new account as a child of the machine container
    DirectoryEntry obUser = entries.Add(userShortName, "User");
    obUser.Properties["FullName"].Add(userFullName);
    obUser.Invoke("SetPassword", password);
    // 0x10000 = DONT_EXPIRE_PASSWORD (see the flag list further down)
    obUser.Invoke("Put", new object[] { "UserFlags", 0x10000 });
    obUser.CommitChanges();
}

Note the user flags line?

Well, there are a number of different status bit flags you can combine; the one above means the password doesn’t expire. These are the most common ones:

SCRIPT 0x0001
ACCOUNTDISABLE 0x0002
HOMEDIR_REQUIRED 0x0008
LOCKOUT 0x0010
PASSWD_NOTREQD 0x0020
PASSWD_CANT_CHANGE 0x0040
ENCRYPTED_TEXT_PWD_ALLOWED 0x0080
TEMP_DUPLICATE_ACCOUNT 0x0100
NORMAL_ACCOUNT 0x0200
INTERDOMAIN_TRUST_ACCOUNT 0x0800
WORKSTATION_TRUST_ACCOUNT 0x1000
SERVER_TRUST_ACCOUNT 0x2000
DONT_EXPIRE_PASSWORD 0x10000
MNS_LOGON_ACCOUNT 0x20000
SMARTCARD_REQUIRED 0x40000
TRUSTED_FOR_DELEGATION 0x80000
NOT_DELEGATED 0x100000
USE_DES_KEY_ONLY 0x200000
DONT_REQ_PREAUTH 0x400000
PASSWORD_EXPIRED 0x800000
TRUSTED_TO_AUTH_FOR_DELEGATION 0x1000000
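As an added example (not the post’s own code), here is how I would turn part of the table above into a [Flags] enum, use it to audit the local accounts for the bits that weaken password or Kerberos protection, and add a flag without wiping the ones already set; the choice of which bits count as “risky” is my own assumption.

```csharp
using System;
using System.DirectoryServices;

// Subset of the UserFlags bits listed above, as a [Flags] enum so values print by name
[Flags]
enum UserFlags : uint
{
    AccountDisable = 0x0002,
    Lockout = 0x0010,
    PasswdNotReqd = 0x0020,
    PasswdCantChange = 0x0040,
    NormalAccount = 0x0200,
    DontExpirePassword = 0x10000,
    SmartcardRequired = 0x40000,
    TrustedForDelegation = 0x80000,
    UseDesKeyOnly = 0x200000,
    DontReqPreauth = 0x400000,
    PasswordExpired = 0x800000,
}

static class UserFlagAudit
{
    // Bits that weaken password or Kerberos protection and are worth reviewing on every account (my selection).
    const UserFlags Risky = UserFlags.PasswdNotReqd | UserFlags.DontExpirePassword
        | UserFlags.DontReqPreauth | UserFlags.TrustedForDelegation | UserFlags.UseDesKeyOnly;
    // Pure decode step: 0x10220 -> PasswdNotReqd, DontExpirePassword
    public static UserFlags RiskyFlags(uint rawUserFlags) => (UserFlags)rawUserFlags & Risky;
    // Sets one flag while keeping the others; the post's Put("UserFlags", 0x10000) replaces the whole value.
    public static void AddFlag(DirectoryEntry user, UserFlags flag)
    {
        uint current = Convert.ToUInt32(user.Properties["UserFlags"].Value);
        user.Properties["UserFlags"].Value = (int)(current | (uint)flag);
        user.CommitChanges();
    }
    // Walks the local accounts through the same WinNT:// provider the post uses and reports the risky ones.
    public static void AuditLocalUsers()
    {
        using (var host = new DirectoryEntry("WinNT://localhost"))
        {
            foreach (DirectoryEntry user in host.Children)
            {
                if (user.SchemaClassName != "User") continue;
                UserFlags risky = RiskyFlags(Convert.ToUInt32(user.Properties["UserFlags"].Value));
                if (risky != 0) Console.WriteLine($"{user.Name}: {risky}");
            }
        }
    }
    static void Main() => AuditLocalUsers();
}
```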

and there you go… one word of warning though: the AD COM manager is VERY EASY to upset, and even with the best care in the world, simple mistakes can very often mean a reboot to get things working again, so tread carefully, test your code on a machine you don’t mind rebooting and test it thoroughly.

While you’ll get some interesting, if not useful, exceptions, for the most part you will just end up killing things and know nothing about it until everything stops working. Get it right, however, and you can do much, much more than just create users: you can create groups, assign users to specific groups, remove & assign user privileges, and work across clusters, servers and public LDAP servers too (single sign-on anyone?).

That’s all for now. Remember, it’s not just about coding, it’s about having fun while doing so…

Oh, and Happy Christmas and a prosperous New Year to you all…

Best Regards

Shawty
