Everything Developers Need to Know About Active Directory and/or ADAM, and/or LDAP
My Boring & Generic Bio Slide
  Working with Active Directory since Oct 1999 (RTM date)
  Currently run a large Active Directory installation: 60,000+ user objects
  Technical Lead, Windows Server Group
  75% of the .NET projects I've done do something with Active Directory
  I own a mini-van, enough said!
  http://scevanscg.com (information on S.DS in 3.5 coming soon)
  SLO.Net Users Group (http://slodotnet.org)
  San Luis Obispo Code Camp (http://www.centralcoastcodecamp.com)
What This Talk is Not
  How to set up Active Directory
  How to manage Active Directory (manually)
  How to secure Active Directory
  How to back up Active Directory
  How to architect Active Directory
  How to scale Active Directory
  How to ... Active Directory
  This is only about how to write code that leverages Active Directory/LDAP
What is LDAP?
  LDAP = Lightweight Directory Access Protocol
  Stores information about stuff (people, computers, groups, printers, organizations, objects)
LDAP 101
  Object Types
  Schema
  Distinguished Name (DN)
  Attribute
What is Active Directory?
  Microsoft's domain authentication service
  Uses LDAP to identify and store information about users, computers, objects AND services
    What is user jdoe's first name?
    What operating system does computer x have?
    Who is a member of group y?
    Where is a Terminal Services Licensing Server?
  Uses Kerberos for authentication
Then who is ADAM?
  Active Directory Application Mode
  Becoming Active Directory Lightweight Directory Services in the Longhorn timeframe
  Installs on any Windows box (XP or 2003)
  "Active Directory Light"
  Used by applications
  Multiple instances per server
  Replication
  Avoids schema modifications to the AD forest
Why would you use ADAM instead of Active Directory?
  Provides secure password storage, password policies, account life cycles, and groups out of the box.
  Use pass-through authentication to authenticate internal and external users.
  Store directory information we don't want in AD (e.g. pictures, confidential data, etc.)
  Include ADAM with a shipping application.
System.DirectoryServices
  AKA S.DS
  .NET wrapper around ADSI
Before We Get To Code
  What you should NEVER do when working against Active Directory:
    Target a specific Domain Controller
    Increase the page size
    Change the schema without an LDIF file
LDAP Address Book
  Find User
  Modify User
  Add User
  Modify Group Membership
S.DS.DirectoryEntry Constructor
  Path
    LDAP://server/ou=org,dc=domain,dc=name
    LDAP://ou=org,dc=domain,dc=name (serverless binding)
    LDAP://RootDSE
    GC://dc=forest,dc=name
  Username
    Full DN (e.g. cn=user,dc=domain,dc=com)
    NT account name (domain\user)
    User Principal Name (aka UPN) (user@domain.com)
    Plain username (username) (requires AuthenticationTypes.Secure)
S.DS.DirectoryEntry Constructor #2
  Password
  AuthenticationTypes
    Secure: uses SSPI (Windows Security Support Provider Interface)
    Anonymous: pass null or String.Empty for the Username and Password arguments
    SecureSocketsLayer: SSL; can be used in combination with Secure, or to secure connections to non-AD LDAPs
    None: AKA Basic, credentials passed in clear text. Should always be used in conjunction with SecureSocketsLayer.
  Common uses:
    If you're using Active Directory, use Secure
    If you're not, use Anonymous if you can
    Otherwise you must use SecureSocketsLayer
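The bind styles from the two constructor slides, as an added example (not code from the original slides): one helper per style. The naming contexts and the ldap.example.org host are placeholders, and the Sealing/Signing flags are extra AuthenticationTypes values not mentioned on the slides.

```csharp
using System;
using System.DirectoryServices;

// Added example, not from the original slides: one helper per bind style the
// slide lists. The paths (dc=example,dc=org, ldap.example.org) are placeholders.
static class BindExamples
{
    // Read the domain's naming context from RootDSE instead of hardcoding it.
    public static string DefaultNamingContext()
    {
        using (var root = new DirectoryEntry("LDAP://RootDSE"))
        {
            return (string)root.Properties["defaultNamingContext"].Value;
        }
    }

    // Active Directory, serverless binding under the current Windows identity.
    // Secure = SSPI (Kerberos/NTLM): the password never crosses the wire in clear text.
    public static DirectoryEntry BindToAdAsCurrentUser()
    {
        return new DirectoryEntry("LDAP://" + DefaultNamingContext(),
            null, null, AuthenticationTypes.Secure);
    }

    // Active Directory with explicit credentials (UPN form). Sealing and Signing
    // are additional AuthenticationTypes flags that encrypt and integrity-protect
    // the LDAP session itself, not just the bind.
    public static DirectoryEntry BindToAdWithCredentials(string upn, string password)
    {
        return new DirectoryEntry("LDAP://" + DefaultNamingContext(), upn, password,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing);
    }

    // Non-AD LDAP server: None is a simple bind that sends the password in clear
    // text, so it is only acceptable inside SSL (636 is the usual LDAPS port).
    public static DirectoryEntry BindToNonAdOverSsl(string bindDn, string password)
    {
        return new DirectoryEntry("LDAP://ldap.example.org:636/dc=example,dc=org",
            bindDn, password,
            AuthenticationTypes.None | AuthenticationTypes.SecureSocketsLayer);
    }

    // Anonymous bind: empty user name and password, no secret involved at all.
    public static DirectoryEntry BindAnonymously()
    {
        return new DirectoryEntry("LDAP://ldap.example.org/dc=example,dc=org",
            string.Empty, string.Empty, AuthenticationTypes.Anonymous);
    }
}
```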
S.DS.DirectoryEntry Misc
  Attributes
    Set attribute to null: de.Properties[attribute].Clear()
    Single-value: check for existence with de.Properties.Contains(attribute)
    Multi-value: de.Properties[attribute].Add(value)
  Object cache
  Link value pairs
  Disposing
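The attribute operations on this slide applied to a user object, plus group membership through the "member" link, as an added example (not code from the original slides). It assumes the caller already holds a bound DirectoryEntry for the user and supplies placeholder DNs.

```csharp
using System;
using System.DirectoryServices;

// Added example, not from the original slides: the attribute operations the
// slide lists, applied to a user object, plus group membership via the
// "member" link. Attribute names are standard AD schema names; the DNs passed
// in are placeholders supplied by the caller.
static class ModifyExamples
{
    public static void UpdateUser(DirectoryEntry user, string newTitle, string extraPhone)
    {
        // Single-valued attribute: test for existence first; an unset attribute
        // has no entry in Properties and its Value is null.
        if (user.Properties.Contains("title"))
            Console.WriteLine("Old title: " + user.Properties["title"].Value);

        // Assigning Value sets (or overwrites) a single value.
        user.Properties["title"].Value = newTitle;

        // "Set attribute to null" is Clear(), not Value = null.
        user.Properties["description"].Clear();

        // Multi-valued attribute: Add() appends one value; assigning Value would
        // replace the whole set.
        user.Properties["otherTelephone"].Add(extraPhone);

        // Edits live in the object cache until CommitChanges() sends them as one
        // LDAP modify; an exception here leaves the directory untouched.
        user.CommitChanges();
    }

    // "member" on the group is the writable forward link of the pair;
    // "memberOf" on the user is the read-only back link, so always edit the group.
    public static void AddToGroup(string groupDn, string userDn)
    {
        using (var group = new DirectoryEntry("LDAP://" + groupDn, null, null,
                   AuthenticationTypes.Secure))
        {
            // Adding a DN that is already a member raises a COMException
            // (attribute or value exists), so check before adding.
            if (group.Properties["member"].Contains(userDn))
                return;
            group.Properties["member"].Add(userDn);
            group.CommitChanges();
        }
        // The using block disposes the DirectoryEntry, releasing its ADSI COM object.
    }
}
```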
DirectorySearcher Constructor
  SearchRoot: DirectoryEntry object at the root of the search
  Filter: string of LDAP filter (<attribute name><filter type><attribute value>)
    (givenname=steve)
    (objectclass=*)
    (badpwdcount>=10)
    (|(givenname=steve)(givenname=steven))
    (givenname=steve*)
  objectcategory vs objectclass
S.DS.DirectorySearcher Execute Search
  searcher.FindOne()
    Avoid: .NET 2.0 memory leak if no object is returned
    You think there can only be one object, but you end up being wrong
  searcher.FindAll()
    Returns SearchResultCollection (a collection of SearchResult objects)
    foreach (SearchResult sr in searcher.FindAll()) { ... } (dispose the SearchResultCollection when done)
S.DS.DirectorySearcher Misc
  Only use SearchResult.GetDirectoryEntry() when modifying an object
    SearchResult contains all the properties we need for read operations: SearchResult.Properties[attribute][0]
    GetDirectoryEntry() triggers at least one LDAP call.
  searcher.PageSize = 2000;
  samaccountname vs userprincipalname
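The three searcher slides put together, as an added example (not code from the original slides): a paged FindAll() that reads from SearchResult without GetDirectoryEntry(), disposes the collection, and escapes the caller-supplied filter value so input cannot rewrite the filter. EscapeFilterValue and FindUsersByGivenNamePrefix are names chosen here.

```csharp
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

// Added example, not from the original slides: a paged search that reads from
// SearchResult without calling GetDirectoryEntry(). The givenName prefix comes
// from the caller, so it is escaped (RFC 4515) before going into the filter.
static class SearchExamples
{
    // Escape the characters that would otherwise let input rewrite the filter,
    // e.g. a prefix of "*)(objectClass=*" matching every object.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    public static List<string> FindUsersByGivenNamePrefix(DirectoryEntry searchRoot, string prefix)
    {
        var accounts = new List<string>();
        using (var searcher = new DirectorySearcher(searchRoot))
        {
            // objectCategory=person narrows to users; objectClass=user alone also matches computers.
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(givenName="
                              + EscapeFilterValue(prefix) + "*))";
            searcher.PropertiesToLoad.Add("sAMAccountName"); // load only what is read
            // Client-side paging: results arrive in pages, so the server's result
            // limit is not hit. This does not raise the server's own limit.
            searcher.PageSize = 2000;
            // The SearchResultCollection must be disposed or its COM resources leak.
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult sr in results)
                {
                    // ResultPropertyValueCollection is indexed; there is no .Value here.
                    if (sr.Properties["sAMAccountName"].Count > 0)
                        accounts.Add((string)sr.Properties["sAMAccountName"][0]);
                }
            }
        }
        return accounts;
    }
}
```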
How to use LDAP for Authentication
  NOTE: There are better ways to do authentication if you're using Active Directory
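Password validation by binding to the directory as the user, as an added example (not code from the original slides). The domain path is a placeholder and ValidateCredentials is a name chosen here.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example, not from the original slides: checking a password by binding
// to the directory as that user. "dc=example,dc=com" is a placeholder domain.
static class LdapAuth
{
    public static bool ValidateCredentials(string userPrincipalName, string password)
    {
        // Fail closed on blanks: many LDAP servers treat an empty password as an
        // anonymous bind, which would "succeed" for any user name.
        if (string.IsNullOrEmpty(userPrincipalName) || string.IsNullOrEmpty(password))
            return false;

        // Serverless binding; Secure (SSPI) keeps the password off the wire.
        using (var de = new DirectoryEntry("LDAP://dc=example,dc=com",
                   userPrincipalName, password, AuthenticationTypes.Secure))
        {
            try
            {
                // The constructor does not connect; reading NativeObject forces the bind.
                object bound = de.NativeObject;
                return bound != null;
            }
            catch (COMException)
            {
                // Wrong password, disabled or locked-out account all end here.
                // Return a plain false; do not echo the error text to the user.
                return false;
            }
        }
    }
}
```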
Gotchas
  LDAP over SSL
  Global Catalog
  Indexes
  Paged searching (max query limit): the default limit is 2000 results in Active Directory
References
  S.DS Quick List for C# Code Examples (http://shrinkster.com/p0v)
  The .NET Developer's Guide to Directory Services Programming (http://directoryprogramming.net)
  Joe Kaplan's blog (http://www.joekaplan.net/)
  Ryan Dunn's blog (http://dunnry.com/blog/)
  nntp://microsoft.public.adsi.general
Thanks For Coming!
  PRIZES!!!! Don't forget we draw prizes on Sunday afternoon, including great products like Acronis and CodeSmith Tools, plus many new books!
  THANKS AGAIN TO OUR CONTRIBUTORS!!!!
    Cal State Fullerton (http://www.fullerton.edu)
    Spherion (www.spherion.com)
    Microsoft (www.microsoft.com)
    Neudesic (www.neudesic.com)
    PDSA Inc. (www.pdsa.com)
    QuickStart (www.quickstart.com)
    Harbor Objects (www.harborobjects.com)
    Odyssey Consulting Group (www.ocgpros.com)
    IDesign Inc. (www.idesign.net)