
In 2007 I wrote a blog post about how easy it is to get all “groups” of a given user via the tokenGroups attribute.

Last month I had the task to check why “distribution list memberships” are not part of the result.

The reason is simple:

A pure distribution list (not security enabled) is not a security group, and only security groups are part of the “tokenGroups” attribute.

After some thought and discussion we agreed that it would be good if we could enhance our function and treat distribution lists like security groups.

How to get all distribution lists of a user?

Getting all groups of a given user might seem trivial, but the problem is that groups can contain other groups. As always, there are a couple of ways to get a “full flat” list of all group memberships.

A stupid way would be to load all groups in a recursive function. This might work, but it will result in a flood of requests.

A clever way would be to write a good LDAP query and let the Active Directory do the heavy lifting for us, right?

1.2.840.113556.1.4.1941

I found some sample code online with a very strange LDAP query, and it turns out there is a “magic” LDAP matching rule called “LDAP_MATCHING_RULE_IN_CHAIN” that does everything we are looking for:

    // groups and CreateDirectorySearcher are assumed to be defined by the surrounding code.
    // The OID 1.2.840.113556.1.4.1941 makes Active Directory walk nested memberships server-side.
    var getGroupsFilterForDn = $"(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={distinguishedName}))";
    using (var dirSearch = CreateDirectorySearcher(getGroupsFilterForDn))
    {
        using (var results = dirSearch.FindAll())
        {
            foreach (SearchResult result in results)
            {
                // Only take entries that carry every attribute we read below.
                if (result.Properties.Contains("name") && result.Properties.Contains("objectSid") && result.Properties.Contains("groupType"))
                {
                    groups.Add(new GroupResult()
                    {
                        Name = (string)result.Properties["name"][0],
                        GroupType = (int)result.Properties["groupType"][0],
                        ObjectSid = new SecurityIdentifier((byte[])result.Properties["objectSid"][0], 0).ToString()
                    });
                }
            }
        }
    }

With a given distinguishedName of the target user, we can load all distribution and security groups (see below…) transitively!
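An added example, not taken from the original post or its GitHub demo: the query above interpolates the DN into the filter as-is, so a DN containing `(`, `)`, `*` or `\` yields an invalid or different filter. This sketch escapes the value per RFC 4515 and uses the security-enabled bit of groupType to tell distribution lists from security groups. The class name, method names and sample values are assumptions.

```csharp
using System;
using System.Text;

public static class GroupFilter
{
    // GROUP_TYPE_SECURITY_ENABLED bit of the groupType attribute; when it is
    // not set, the group is a pure distribution list.
    private const int SecurityEnabled = unchecked((int)0x80000000);

    // Escapes a value for use inside an LDAP search filter (RFC 4515).
    // This is separate from DN escaping: a DN-escaped "\," still needs its
    // backslash encoded as \5c once the DN is placed in a filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length + 8);
        foreach (var c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*': sb.Append(@"\2a"); break;
                case '(': sb.Append(@"\28"); break;
                case ')': sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Same filter as in the post, with the DN escaped before interpolation.
    public static string BuildTransitiveMemberFilter(string distinguishedName) =>
        $"(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={EscapeFilterValue(distinguishedName)}))";

    public static bool IsSecurityGroup(int groupType) => (groupType & SecurityEnabled) != 0;

    public static void Main()
    {
        // Constructed sample DN: the CN holds parentheses and a DN-escaped comma.
        var dn = @"CN=Doe\, Jane (Sales),OU=Users,DC=example,DC=com";
        Console.WriteLine(BuildTransitiveMemberFilter(dn));

        // Constructed groupType values: global distribution list, global security group.
        Console.WriteLine(IsSecurityGroup(2));
        Console.WriteLine(IsSecurityGroup(unchecked((int)0x80000002)));
    }
}
```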

Combine tokenGroups and this

During our testing we found some minor differences between the LDAP_MATCHING_RULE_IN_CHAIN and the tokenGroups approach. Some “system-level” security groups were missing with the LDAP_MATCHING_RULE_IN_CHAIN way. In our production code we use a combination of those two approaches and it seems to work.

Full demo code showing how to get all distribution lists for a user can be found on GitHub.

Hope this helps!
