About the Authors Fundamentals p. 1 Introduction to LDAP and Active Directory p. 3 A Brief History of Directory Services p. 3 Definition of LDAP p.

Transcription

1 Listings p. xv Tables p. xix Foreword p. xxi Preface p. xxiii Acknowledgments p. xxix About the Authors p. xxxi Fundamentals p. 1 Introduction to LDAP and Active Directory p. 3 A Brief History of Directory Services p. 3 Definition of LDAP p. 4 Definition of Active Directory p. 5 Domain p. 6 Domain Tree p. 6 Forest p. 6 Domain Controller p. 6 Global Catalog p. 7 Definition of ADAM p. 7 Comparing ADAM with Active Directory p. 8 LDAP Basics p. 11 LDAP Distinguished Names p. 11 Naming Contexts p. 14 Schema Basics p. 15 LDAP Protocol and API Basics p. 20 LDAP Controls p. 25 Introduction to.net Directory Services Programming p. 27.NET Directory Services Programming Landscape p. 27 Native Directory Services Programming Landscape p. 29 Native LDAP p. 29 The Net* APIs p. 29 The Ds* Active Directory APIs p. 30 Active Directory Service Interfaces (ADSI) p. 30 System.DirectoryServices Overview p. 32 Class Overview p. 33 ADSI Providers p. 36 Other Useful ADSI Interfaces p. 37 System.DirectoryServices.ActiveDirectory Overview p. 40 Class Overview p. 40 System.DirectoryServices.Protocols Overview p. 43 Overall Design p. 44 How Is it Organized? p. 45 Selecting the Right Technology p. 49

2 The Argument against Using activeds.dll Directly via COM Interop p. 50 Binding and CRUD Operations with DirectoryEntry p. 53 Property and Method Overview p. 54 Constructors p. 54 Properties p. 54 Methods p. 58 Binding to the Directory p. 62 Binding Syntax p. 62 ADSI Path Anatomy p. 64 Providing Credentials p. 79 Username Syntaxes in Active Directory and ADAM p. 81 Username Syntaxes in ADAM p. 83 AuthenticationTypes Explained p. 84 Binding to RootDSE p. 92 ADSI Connection Caching Explained p. 95 Directory CRUD Operations p. 98 Reading Attributes of Directory Objects p. 99 Modifying Attributes of Directory Objects p. 100 Creating Directory Objects p. 100 Deleting Directory Objects p. 102 Moving and Renaming Directory Objects p. 105 Searching with the DirectorySearcher p. 109 LDAP Searching Overview p. 109 LDAP Searches in ADSI p. 110 LDAP Searches in System.DirectoryServices p. 110 DirectorySearcher Overview p. 111 DirectorySearcher Properties p. 111 Methods p. 113 Related Classes p. 114 The Basics of Searching p. 115 Deciding Where to Search p. 115 Controlling Depth of Search with SearchScope p. 117 Building LDAP Filters p. 118 Basic Syntax p. 119 Filter Types p. 120 Reserved Characters in Values p. 123 Specifying Comparison Values in Search Filters p. 124 Bitwise Operations p. 133 Ambiguous Name Resolution p. 135 Controlling the Content of Search Results p. 136 Specifying Attribute Data to Be Returned p. 137

3 Limiting the Number of Results to Return with the SizeLimit Property p. 138 Executing the Query and Enumerating Results p. 139 Finding a Single Object with FindOne p. 139 Getting Multiple Results with FindAll p. 141 Enumerating the Results p. 142 Returning Many Results with Paged Searches p. 143 Enabling Paging p. 144 Choosing an Appropriate Page Size p. 145 Using the ServerPageTimeLimit p. 145 Caching Result Sets p. 146 Sorting Search Results p. 146 Advanced LDAP Searches p. 149 Administrative Limits Governing Active Directory and ADAM p. 150 Understanding Searching Timeouts p. 152 Precedence of Timeouts p. 152 Nonpaged Searches p. 153 Paged Searches p. 154 Optimizing Search Performance p. 154 Choosing the Right Search Root p. 155 Choosing the Right Scope p. 155 Creating Efficient Queries p. 156 Turn Caching Off When Possible p. 158 Searching the Global Catalog p. 158 Important Considerations for Using the Global Catalog p. 159 Binding Syntax for the Global Catalog p. 159 Chasing Referrals p. 161 Virtual List View Searches p. 162 Offset versus Target Searches p. 163 Using the DirectoryVirtualListView Class p. 164 Searching by Offset p. 166 Searching by String p. 167 Searching for Deleted Objects p. 169 Reasons to Search for Deleted Objects p. 171 Directory Synchronization Queries p. 171 Limitations on Search Root and Scope p. 172 Permissions p. 172 Filter p. 173 Attributes p. 173 DirSync Samples p. 174 Using Attribute Scope Query p. 178 Extended DN Queries p. 181

4 Reading Security Descriptors with Security Masks p. 183 Asynchronous Searches p. 185 Creating an Asynchronous Search p. 186 Reading and Writing LDAP Attributes p. 193 Basics of Reading Attribute Values p. 193 The Basic Design p. 194 Key Differences between the Value Collections p. 195 Collection Class Usage p. 195 Getting Single Values p. 195 Checking for Null Values p. 196 Checking for Multiple Values p. 198 Using the Value Property p. 198 Understanding the ADSI Property Cache p. 199 Flushing Changes Back to the Directory p. 200 LDAP Data Types in.net p. 200 ADSI Schema Mapping Mechanism p. 206 Schema Caching p. 208.NET Attribute Value Conversion p. 213 Data-Type Conversion with the DirectoryEntry Family p. 213 Data-Type Conversion with the DirectorySearcher Family p. 213 Why the Big Deal? p. 214 Standard Data Types p. 214 Binary Data Conversion p. 215 COM Interop Data Types p. 216 Approaches for COM Interop p. 217 LargeInteger Values p. 217 DN-With-Binary p. 222 Reading Security Descriptors p. 225 Syntactic versus Semantic Conversion p. 229 Dealing with Attributes with Many Values p. 230 How to Use Range Retrieval in SDS p. 231 Basics of Writing Attribute Values p. 234 Setting Initial Values p. 235 Clearing an Attribute p. 236 Replacing an Existing Attribute Value p. 237 Adding and Removing Values from Multivalued Attributes p. 237 Attribute Modification Summary p. 237 Writing COM Interop Types p. 241 Writing LargeInteger Values p. 241 Writing DN-With-Binary p. 242 Writing Security Descriptors p. 243

5 Active Directory and ADAM Schema p. 247 Schema Extension Best Practices p. 247 Read All of Microsoft's Documentation Carefully p. 248 Register OIDs for New Classes and Attributes p. 248 Manage OID Namespaces Thoughtfully p. 249 Practice on ADAM Instances p. 250 Set the schemaidguid Attribute p. 250 Use Company-Specific Prefixes on IdapDisplayNames p. 251 Choosing an Object Class p. 251 Choosing Attribute Syntaxes p. 253 String Data p. 253 Date/Time Values p. 254 Numeric Data p. 255 Binary Data p. 255 Boolean Data p. 255 Object Identifiers p. 255 Foreign Keys p. 255 Other Data Types p. 256 Modeling One-to-Many and Many-to-Many Relationships p. 256 Link Value Pairs p. 257 DN Syntax Attribute Best Practices p. 258 Search Flags and Indexing p. 261 searchflags p. 261 systemflags p. 263 Techniques for Extending the Schema p. 264 Discovering Schema Information at Runtime p. 266 Using Constructed Attributes p. 269 Reading Schema Objects Directly p. 271 Security in Directory Services Programming p. 273 Binding and Delegation p. 274 Types of Binds p. 274 Performing a Secure Bind p. 276 Windows Security Contexts p. 278 Single Hops, Double Hops, and Delegation p. 281 Discovering Remote Security Information at Runtime p. 285 Guidance for Using SDS with ASP.NET p. 287 Serverless Binding and ASP.NET p. 296 Binding with ADAM p. 296 Binding and Other Directories p. 298 Securing the Simple Bind p. 298 Client Certificate Authentication p. 299

6 Binding Features Not Supported by SDS/ADSI p. 299 Directory Object Permissions in Active Directory and ADAM p. 300.NET 2.0 Object Security Model p. 300 Reading Security Descriptors p. 302 Changing Security Descriptors p. 304.NET 1.x Interop Model p. 310 Code Access Security p. 315 CAS Encounters of the First Kind p. 316 The Relevance to SDS p. 316 SDS in Partial Trust Scenarios in.net 2.0 p. 317 The Problem p. 319 Configuring DirectoryServicesPermission for Use with Partial Trust p. 320 Partial Trust in.net 1.x p. 321 Introduction to the ActiveDirectory Namespace p. 325 Working with the DirectoryContext Class p. 326 General Usage p. 326 Examples of Using DirectoryContext p. 328 Locating Domain Controllers p. 332 How the Domain Controller Locator Works p. 332 Using the Locator Service p. 333 Enumerating All Domain Controllers p. 334 Advanced Locator Features p. 334 DsGetDcName under the Hood p. 336 Applications for Locating Domain Controllers p. 338 Understanding the Active Directory RPC APIs p. 339 Useful Shortcuts for Developers p. 339 Active Directory Shortcuts p. 341 ADAM Shortcuts p. 342 Practical Applications p. 345 User Management p. 347 Finding Users p. 347 Finding Users in ADAM p. 349 Creating Users p. 351 Managing User Account Features p. 353 Managing Basic User Account Properties in Active Directory p. 353 Managing Basic User Account Properties in ADAM p. 357 Determining Domain-Wide Account Policies p. 360 Determining Password Expiration p. 362 Determining Last Logon p. 370 Determining Account Lockout p. 373 Managing Passwords for Active Directory Users p. 376

7 Password Management Complications p. 377 Understanding Password Policy and Security p. 377 Understanding the Underlying ADSI Methods p. 378 Error Handling with the Invoke Method in.net p. 381 Recommendations for Successful Password Modification Operations p. 382 Why Can't We Do LDAP Password Modifications Directly in SDS? p. 383 SDS.P to the Rescue p. 383 Managing Passwords for ADAM Users p. 386 Programming Differences When Setting ADAM Passwords p. 387 Determining User Group Membership in Active Directory and ADAM p. 389 Retrieving the User's Token Groups p. 390 Using an LDAP Search p. 391 Using DsCrackNames p. 393 Using the SidIdentifier and IdentityReference Classes p. 394 Retrieving tokengroups from ADAM p. 395 Group Management p. 397 Creating Groups in Active Directory and ADAM p. 397 Manipulating Group Membership p. 400 Expanding Group Membership p. 403 Using.NET Version 2.0 p. 404 Using.NET Version 1.1 p. 407 Primary Group Membership p. 409 Foreign Security Principals p. 413 Authentication p. 417 Authentication Using SDS p. 418 Active Directory Authentication p. 420 ADAM Authentication p. 422 Authentication Using SDS.P p. 424 Authentication Using SSPI p. 428 Discovering the Cause of Authentication Failures p. 431 Appendixes p. 433 Three Approaches to COM Interop with ADSI p. 435 The Standard Method p. 435 Advantages p. 436 Disadvantages p. 436 The Reflection Method p. 437 Advantages p. 439 Disadvantages p. 439 Handcrafted COM Interop Declarations p. 439 Advantages p. 440 Disadvantages p. 440

8 LDAP Tools for Programmers p. 443 LDP p. 443 ADSI Edit p. 445 Active Directory Users and Computers p. 445 LDIFDE p. 446 ADFind/ADMod p. 447 BeaverTail LDAP Browser p. 447 Softerra LDAP Browser p. 448 Troubleshooting and Help p. 449 Error 0x A: "The server is not operational" p. 449 Error 0x E: "Login Failure: unknown user name or bad password" p. 450 Error 0x : "An operations error occurred" p. 450 Error 0x : "There is no such object on the server" p. 451 Error 0x F: "A constraint violation occurred" p. 451 Error 0x : "The server is unwilling to process the request" p. 452 Error 0x : "General access denied error" p. 452 InvalidOperationException from DirectorySearcher p. 452 Getting Help p. 453 Index p. 455 Table of Contents provided by Blackwell's Book Services and R.R. Bowker. Used with permission.