Just to elaborate a little on what Al said, when using an ADSI-based model
like S.DS, the adspath contains the provider, optional server info and a
distinguished name of an object to search. When you don't specify a server
part in the path (a serverless bind), LDAP infers a domain from the current
security context and then uses the locator to find a DC in that domain. You
have to be careful with serverless binds though, especially in web apps, as
the security context may be local machine instead of domain, so it may not
be possible to infer a domain. In some cases, it may be necessary to supply
a domain name or even the DNS name of a specific DC. Using your previous
example, you may need to specify the "harry.org" part of the path. A lot of
it depends on the environment.
I also recommend using a tool like ldp.exe or adfind to help with LDAP
programming. These tools are very useful for executing ad hoc LDAP ops and
modeling queries.
In general, you want to be careful with using ADSI or S.DS for
authentication in an app. It doesn't scale well for this type of thing. If
you must use LDAP-based auth (which is generally best avoided; use Windows
auth instead), using something like the ActiveDirectoryMembershipProvider or
calling System.DirectoryServices.Protocols directly will get you better
scalability (if that's important).
We actually did write a whole book about this stuff and it doesn't suck, so I
won't hesitate to recommend it for these types of questions.
www.directoryprogramming.net.
Joe K.
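An added example, not from Joe's post or the book he mentions, in C# against System.DirectoryServices and System.DirectoryServices.Protocols: it builds the ADsPath with or without a server part, reads the domain DN from the RootDSE so the DN need not be hard-coded, and validates credentials with a single LdapConnection bind rather than ADSI. The server name "harry.org" (the domain from the thread, or a DC's DNS name) and port 389 are assumptions for illustration.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.Net;

static class AdsPathDemo
{
    // ADsPath = provider + optional server part + DN.
    // An empty server gives a serverless bind, which relies on the calling
    // security context (domain vs. local machine) to infer the domain.
    public static string BuildAdsPath(string server, string dn)
    {
        return string.IsNullOrEmpty(server)
            ? "LDAP://" + dn
            : "LDAP://" + server + "/" + dn;
    }

    // Read defaultNamingContext from RootDSE. With an explicit server part
    // this still works when the process runs as a local machine account.
    public static string GetDefaultNamingContext(string server)
    {
        using (var root = new DirectoryEntry(BuildAdsPath(server, "RootDSE")))
        {
            return (string)root.Properties["defaultNamingContext"].Value;
        }
    }

    // Credential check via S.DS.Protocols: one connection, one bind, no ADSI
    // object cache, which is why it scales better than DirectoryEntry-based auth.
    public static bool ValidateCredentials(string server, string userPrincipalName, string password)
    {
        // Assumed: server "harry.org" or a DC DNS name, LDAP on 389.
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(server, 389)))
        {
            conn.SessionOptions.Signing = true;   // integrity on the wire
            conn.SessionOptions.Sealing = true;   // confidentiality on the wire
            conn.AuthType = AuthType.Negotiate;   // Kerberos where available
            try
            {
                conn.Bind(new NetworkCredential(userPrincipalName, password));
                return true;
            }
            catch (LdapException)
            {
                return false;                     // bad credentials or no DC reachable
            }
        }
    }
}
```

Call GetDefaultNamingContext(null) from a domain-joined process to see the serverless case, and GetDefaultNamingContext("harry.org") to see the explicit domain case Joe describes.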
----- Original Message -----
From: Al Mulnick
To: [email protected]
Sent: Wednesday, June 07, 2006 3:09 PM
Subject: Re: [ActiveDir] LDAP Directory Server Path
Totally different questions.
The ldap path is what is needed to connect to the directory via .net (there
are many examples in the language dialect your development staff are
planning to use; Joe Kaplan is a good person to search for as he does this
frequently and I believe has even taken the time to write a book about it).
Accessing it from a 'DMZ' <depending on what that means to you> is a
different animal altogether and has a lot more to do with architecture,
routing, physical connections, and name resolution. Architecture is a huge
part of that equation. There's nowhere near enough information in your
posts, nor would I think it appropriate that you share that amount of
information with outsiders, to even begin to answer that question in a
usable manner.
To see/use that syntax, minus the protocol portion, have a look at tools
like LDP.EXE. Also search the Microsoft site for things like .net examples
and ldap syntax and .net examples. You'll see what I mean.
Al
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx