Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Al Mulnick
No, LDAP://DC=harry,DC=org would be the path (note that LDAP is the protocol vs. part of the domain context)
 
Al 
On 6/7/06, HBooGz <[EMAIL PROTECTED]> wrote:

My first post, definite follower.

My development staff is trying to implement an ASP.NET application using AD/LDAP authentication. They need the path to my LDAP directory server. I've come across some notes that indicate the path syntax is similar to the following:

LDAP://Yourcompany.com/DC=yourcompany,DC=com

If the Active Directory domain is named harry.org, what would the syntax be?

LDAP://harry.org/DC=harry,DC=org ?

I really just need the LDAP path so that this application can authenticate logins using AD.

Thanks.
-- 
HBooGz:\>


Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread HBooGz
Thanks Al -

When I type that into my web browser a search function comes up -- should I be able to search for objects successfully using this? Because currently I get an error message.

Also, the development staff is trying to create a form to authenticate users who log in against AD. The path mentioned above is all they would need? Even if this login authentication page is located in the DMZ?
Thanks,

-- 
HBooGz:\>


Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Al Mulnick
Totally different questions.

The LDAP path is what is needed to connect to the directory via .NET (there are many examples in the language dialect your development staff are planning to use; Joe Kaplan is a good person to search for as he does this frequently and I believe has even taken the time to write a book about it).

Accessing it from a 'DMZ' is a different animal altogether and has a lot more to do with architecture, routing, physical connections, and name resolution. Architecture is a huge part of that equation. There's nowhere near enough information in your posts, nor would I think it appropriate that you share that amount of information with outsiders, to even begin to answer that question in a usable manner.

To see/use that syntax, minus the protocol portion, have a look at tools like LDP.EXE. Also search the Microsoft site for things like .NET examples and LDAP syntax. You'll see what I mean.
 
Al
 


Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Joe Kaplan
Just to elaborate a little on what Al said, when using an ADSI-based model 
like S.DS, the adspath contains the provider, optional server info and a 
distinguished name of an object to search.  When you don't specify a server 
part in the path (a serverless bind), LDAP infers a domain from the current 
security context and then uses the locator to find a DC in that domain.  You 
have to be careful with serverless binds though, especially in web apps, as 
the security context may be local machine instead of domain, so it may not 
be possible to infer a domain.  In some cases, it may be necessary to supply 
a domain name or even the DNS name of a specific DC.  Using your previous 
example, you may need to specify the "harry.org" part of the path.  A lot of 
it depends on the environment.


I also recommend using a tool like ldp.exe or adfind to help with LDAP 
programming.  These tools are very useful for executing ad hoc LDAP ops and 
modeling queries.


In general, you want to be careful with using ADSI or S.DS for 
authentication in an app.  It doesn't scale well for this type of thing.  If 
you must use LDAP-based auth (which is generally best avoided; use Windows 
auth instead), using something like the ActiveDirectoryMembershipProvider or 
calling System.DirectoryServices.Protocols directly will get you better 
scalability (if that's important).


We actually did write a whole book about this stuff and it doesn't suck, so I 
won't hesitate to recommend it for these types of questions. 
www.directoryprogramming.net.


Joe K.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
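The following is an added example in C#, written for this page; it is not code from the thread or from the book Joe mentions. It puts the two ADsPath forms Al and Joe describe side by side (serverless LDAP://DC=harry,DC=org versus the explicit LDAP://harry.org/DC=harry,DC=org) and then runs a DirectorySearcher against the domain root the way a login form would, escaping the typed-in account name so it cannot rewrite the filter. The domain harry.org comes from the thread; the account name looked up is a constructed sample, and the code assumes the process already has a domain identity.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example, not code from the thread or from the book it mentions.
// Assumptions: the domain is harry.org (from the thread); the account name
// looked up is a constructed sample; the process runs with a domain identity.
static class AdsPathDemo
{
    // An ADsPath is provider + optional server/domain part + distinguished name.
    // With no server part the bind is "serverless": the DC locator picks a DC
    // from the caller's security context. With one, that server or domain is used.
    public static string BuildAdsPath(string serverOrDomain, string dn)
    {
        return string.IsNullOrEmpty(serverOrDomain)
            ? "LDAP://" + dn                              // LDAP://DC=harry,DC=org
            : "LDAP://" + serverOrDomain + "/" + dn;      // LDAP://harry.org/DC=harry,DC=org
    }

    // RFC 4515 escaping for values placed in a search filter, so that a login
    // name typed into a web form cannot rewrite the query (LDAP injection).
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);     break;
            }
        }
        return sb.ToString();
    }

    static void Main(string[] args)
    {
        string domainDn = "DC=harry,DC=org";
        // Give the domain explicitly; a serverless path can fail in a web app
        // whose worker process runs as a local machine account.
        string path = BuildAdsPath("harry.org", domainDn);
        string logon = args.Length > 0 ? args[0] : "hbooz";   // constructed sample input

        // null user/password = bind as the process identity. If that is a local
        // account with no domain identity, pass a dedicated low-privilege domain
        // account here; a domain admin is never needed to read user objects.
        using (var root = new DirectoryEntry(path, null, null,
                   AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(logon) + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = searcher.FindOne();
            Console.WriteLine(hit == null
                ? "no such user"
                : (string)hit.Properties["distinguishedName"][0]);
        }
    }
}
```

Model the filter in ldp.exe or adfind first, as Joe suggests: the same `(&(objectCategory=person)(objectClass=user)(sAMAccountName=...))` filter works there against the bare `DC=harry,DC=org` base, without the `LDAP://` provider prefix. If the search works in the tool under the account the web app will use but fails from the app, the problem is the app's security context or name resolution, not the path.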


Re: [ActiveDir] LDAP Directory Server Path

2006-06-08 Thread HBooGz
Thanks Joe and Al.

In all honesty, I'm far from a programmer and I wouldn't go so far as to say I'm an Active Directory expert like most on this list. I'm going to pass your information to my developers who are working on a web app in .NET with the hopes of authenticating users against our AD. I've read some articles that indicate to create a username (w/ domain admin rights) and put that into the code to use for the authentication. Although I'm not a developer, I just don't feel good about this approach.

Before, I mentioned DMZ. My environment is relatively small and the web applications are sitting on a Windows 2000 server in a single-hop DMZ environment.

Any more information that could help me or the developers, who are at a stand-still, would be appreciated.
Thanks,

-- 
HBooGz:\>



Re: [ActiveDir] LDAP Directory Server Path

2006-06-08 Thread Joe Kaplan
It is hard to provide any additional information that would be useful 
without some specifics about the actual problems they are facing/what isn't 
working/what code they are trying.  From a firewall perspective, at a bare 
minimum you need LDAP ports open to your DC, depending on whether you want 
LDAP or GC and SSL or not.  You'll want DNS.  You'll probably want Kerberos 
and RPC to support secure bind.  I'd also recommend staying away from 
Win2K/IIS 5 as a web server if you can avoid it as IIS6 is way better, but 
that might not be an option.


I also answer a lot of dev-oriented questions on the ADSI microsoft 
newsgroup.


Once again, I bet everything your guys need to know is in my book too.  :)

Joe Kaplan
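The following is an added example in C#, written for this page and not code from the thread or the book. It covers the case Joe describes as the fallback when Windows authentication cannot be used: validating a login by calling System.DirectoryServices.Protocols directly and binding to a DC as the user who typed the password. Because the bind uses the user's own credentials, the application stores no privileged account at all, which is the concern HBooGz raised about the "domain admin in the code" articles. The DC name dc1.harry.org is hypothetical (the thread only names the domain harry.org), and the code assumes the ports Joe lists are open from the web tier: TCP 389 to the DC, DNS, and Kerberos.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not code from the thread. Checks a login by binding to a DC
// as that user over System.DirectoryServices.Protocols, so the application
// holds no stored privileged credential. Assumptions: a DC named
// dc1.harry.org (hypothetical; the thread only names the domain harry.org),
// and TCP 389 plus DNS and Kerberos (88) reachable from the web tier.
static class LdapCredentialCheck
{
    public static bool Validate(string dcHost, string domain, string user, string password)
    {
        // Refuse empty passwords before touching the wire: for a simple bind an
        // empty password is an unauthenticated bind that a server may accept.
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
            return false;

        var target = new LdapDirectoryIdentifier(dcHost, 389);
        using (var conn = new LdapConnection(target))
        {
            conn.AuthType = AuthType.Negotiate;        // Kerberos, NTLM fallback
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.Signing = true;        // integrity on port 389
            conn.SessionOptions.Sealing = true;        // confidentiality without LDAPS
            // For LDAPS instead: port 636 and conn.SessionOptions.SecureSocketLayer = true.
            conn.Timeout = TimeSpan.FromSeconds(10);

            try
            {
                conn.Bind(new NetworkCredential(user, password, domain));
                return true;                           // the DC accepted these credentials
            }
            catch (LdapException ex)
            {
                // 49 = invalidCredentials (bad password, disabled or locked account).
                if (ex.ErrorCode == 49) return false;
                throw;                                 // anything else is an infrastructure fault
            }
        }
    }

    static void Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.WriteLine("usage: LdapCredentialCheck <user> <password>");
            return;
        }
        bool ok = Validate("dc1.harry.org", "harry.org", args[0], args[1]);
        Console.WriteLine(ok ? "authenticated" : "rejected");
    }
}
```

Only result code 49 is treated as a failed login; a DC that cannot be reached, resolved or negotiated with (the firewall and DNS issues Joe raises for a DMZ host) is rethrown rather than reported as a bad password, so an outage does not look like a wave of failed logins. The same bind-as-user approach is what ActiveDirectoryMembershipProvider does under the hood, which is why it scales better than building a DirectoryEntry per request.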