Let's say I did a simple bind with user "TestUser", but the user record is 
actually located at "CN=TestUserCN,OU=Users1,DC=company,DC=com" and it can 
(as far as I know) only be recognized by having sAMAccountName "TestUser".
I could probably find the user by searching under "DC=company,DC=com" with a 
filter "(sAMAccountName=TestUser)", but I think it would impose a substantial 
load on the Active Directory server, because not all users are 
under "OU=Users,DC=company,DC=cz", some are located in other subtrees. Do you 
think it would be OK to do that?

Thanks,
Alexandr

On Tuesday 23 January 2007 19:02, Joe Kaplan wrote:
> If you did a bind to the directory with that user object, then you should
> be able to do a search to find the user object you used for the bind.  This
> might only be complicated if you authenticated with a foreign domain user,
> but I doubt you are doing that.
>
> The exact nature of the search would depend on the user name format you are
> using in the bind.  If you did a simple bind with the DN, then you already
> have the path to the user object.  :)
>
> Joe K.
>
> ----- Original Message -----
> From: "Alexandr Kara" <[EMAIL PROTECTED]>
> To: <ActiveDir@mail.activedir.org>
> Sent: Tuesday, January 23, 2007 11:26 AM
> Subject: Re: [ActiveDir] "Who Am I" request
>
>
> Hello Dmitri,
> thanks for your reply. The server I connect to is pre-LH (Windows 2003 I
> think), which doesn't support WhoAmI.
> You suggested that I read tokenGroups, but I have no "user object" to read it
> from. All I have is a generic connection to an LDAP server (I need to use the
> OpenLDAP library for compatibility).
> Can I get the user object by some other means?
>
> Thanks a lot,
> Alexandr
>
> On Monday 22 January 2007 16:07, Dmitri Gavrilov wrote:
> > ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support
> > WhoAmI extended operation per RFC. In addition, they support
> > rootDSE/tokenGroups attribute, which is exactly what you need to check
> > "self group membership".
> >
> > If you have pre-LH AD, then what you can do is read tokenGroups off the
> > user object (which you can find using %USERDOMAIN% and %USERNAME% vars
> > if you have an interactive session, or by looking up user SID from the
> > token). Note tokenGroups value can vary slightly depending on which DC
> > you connect to. If you want deterministic results, read
> > tokenGroupsGlobalAndUniversal (which excludes domain local groups).
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
> > Sent: Monday, January 22, 2007 6:46 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] "Who Am I" request
> >
> > Hello everybody,
> > I am trying to get the CN of a user currently connected to Active Directory
> > (using a 3rd party library).
> >
> > I tried the "Who am I?" extended operation from RFC 4532, but I got an error
> > 120 or 0x78 (I don't know if it is useful).
> > Do you know of another method to get the CN? I need it to find out if the
> > user is part of a group.
> >
> > Thanks a lot,
> > Alexandr
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ    : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ma/default.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
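
Added example, not part of the original thread and not code from any of its posters: the two client-side pieces this approach needs with a plain LDAP library. It escapes the bind name per RFC 4515 before placing it in the `(sAMAccountName=...)` filter, and decodes one binary `tokenGroups` value (a SID) into `S-1-...` form. The helper names and sample inputs are constructed for illustration; the LDAP search calls themselves are omitted.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: RFC 4515 escaping of a value used in a search filter.
 * Returns the escaped length, or -1 if out is too small. */
int escape_filter_value(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        if (o + (special ? 3 : 1) >= outlen) return -1;   /* keep room for NUL */
        if (special) o += (size_t)snprintf(out + o, outlen - o, "\\%02x", c);
        else out[o++] = (char)c;
    }
    if (o >= outlen) return -1;
    out[o] = '\0';
    return (int)o;
}

/* Hypothetical helper: decode one binary SID (as returned in tokenGroups).
 * Returns 0 on success, -1 on malformed input or a short buffer. */
int sid_to_string(const unsigned char *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || sid[1] > 15 || len != 8 + 4u * sid[1]) return -1;
    unsigned long long auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];  /* big-endian */
    int n = snprintf(out, outlen, "S-%u-%llu", (unsigned)sid[0], auth);
    for (unsigned i = 0; i < sid[1]; i++) {
        if (n < 0 || (size_t)n >= outlen) return -1;
        const unsigned char *p = sid + 8 + 4 * i;             /* little-endian */
        unsigned long sub = p[0] | (p[1] << 8) | (p[2] << 16) | ((unsigned long)p[3] << 24);
        n += snprintf(out + n, outlen - n, "-%lu", sub);
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char esc[128], filter[160], sidstr[64];
    /* Constructed input: a login name containing filter metacharacters. */
    if (escape_filter_value("Test*User)(cn=x", esc, sizeof esc) < 0) return 1;
    snprintf(filter, sizeof filter, "(sAMAccountName=%s)", esc);
    /* Constructed tokenGroups value: the well-known SID S-1-5-32-544. */
    const unsigned char sid[] = {1,2, 0,0,0,0,0,5, 0x20,0,0,0, 0x20,2,0,0};
    if (sid_to_string(sid, sizeof sid, sidstr, sizeof sidstr) < 0) return 1;
    printf("%s\n%s\n", filter, sidstr);
    return 0;
}
```

`tokenGroups` is a constructed attribute, so it is read with a base-scope search on the user's DN once the `sAMAccountName` search has returned it.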
