It works and has a pretty good performance. Thanks a lot!
Alexandr

On Wednesday 24 January 2007 00:18 Joe Kaplan wrote:
> I think that's fine. Remember that AD has a global catalog, so you can
> search across the whole forest quite easily.
>
> I'm not actually certain that you can do a simple bind with a user from a
> different domain, but maybe you can. My multi-domain LDAP knowledge is a
> little weak since I don't actually have to deal with one on a day to day
> basis. I do know that a simple bind is only supposed to support the full
> DN (as per LDAP spec), the UPN or the NT name. The
> unqualified user name is only supposed to work with a Windows secure
> (GSS-SPNEGO SASL) bind. I think it actually does work in some cases, but
> not others, so you should not use it as it is not documented to work
> correctly.
>
> There is also a Windows RPC method called DsCrackNames that will translate
> names between different formats if you have a logon name and want something
> you can use in a DN such as the full DN, GUID or SID. I doubt that helps
> if you are trying to use OpenLDAP though. :)
>
> Joe K.
>
> ----- Original Message -----
> From: "Alexandr Kara" <[EMAIL PROTECTED]>
> To: <ActiveDir@mail.activedir.org>
> Sent: Tuesday, January 23, 2007 3:12 PM
> Subject: Re: [ActiveDir] "Who Am I" request
>
>
> Let's say I did a simple bind with user "TestUser", but the user record is
> actually located at "CN=TestUserCN,OU=Users1,DC=company,DC=com" and it can
> (as far as I know) only be recognized by having sAMAccountName "TestUser".
> I could probably find the user by searching under "DC=company,DC=com" with
> a filter "(sAMAccountName=TestUser)", but I think it would impose a
> substantial load on the Active Directory server, because not all users are
> under "OU=Users,DC=company,DC=cz", some are located in other subtrees. Do
> you think it would be OK to do that?
>
> Thanks,
> Alexandr
>
> On Tuesday 23 January 2007 19:02 Joe Kaplan wrote:
> > If you did a bind to the directory with that user object, then you should
> > be able to do a search to find the user object you used for the bind. This
> > might only be complicated if you authenticated with a foreign domain
> > user, but I doubt you are doing that.
> >
> > The exact nature of the search would depend on the user name format you
> > are using in the bind. If you did a simple bind with the DN, then you
> > already have the path to the user object. :)
> >
> > Joe K.
> >
> > ----- Original Message -----
> > From: "Alexandr Kara" <[EMAIL PROTECTED]>
> > To: <ActiveDir@mail.activedir.org>
> > Sent: Tuesday, January 23, 2007 11:26 AM
> > Subject: Re: [ActiveDir] "Who Am I" request
> >
> >
> > Hello Dmitri,
> > thanks for your reply. The server I connect to is pre-LH (Windows 2003 I
> > think), which doesn't support WhoAmI.
> > You suggested that I read tokenGroups, but I have no "user object" to
> > read it from. All I have is a generic connection to an LDAP server (I need
> > to use the OpenLDAP library for compatibility).
> > Can I get the user object by some other means?
> >
> > Thanks a lot,
> > Alexandr
> >
> > On Monday 22 January 2007 16:07 Dmitri Gavrilov wrote:
> > > ADAM (starting from ADAM 1.0) and AD (starting from Longhorn) support
> > > the WhoAmI extended operation per RFC. In addition, they support the
> > > rootDSE/tokenGroups attribute, which is exactly what you need to check
> > > "self group membership".
> > >
> > > If you have pre-LH AD, then what you can do is read tokenGroups off the
> > > user object (which you can find using %USERDOMAIN% and %USERNAME% vars
> > > if you have an interactive session, or by looking up the user SID from the
> > > token). Note the tokenGroups value can vary slightly depending on which DC
> > > you connect to. If you want deterministic results, read
> > > tokenGroupsGlobalAndUniversal (which excludes domain local groups).
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Alexandr Kara
> > > Sent: Monday, January 22, 2007 6:46 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: [ActiveDir] "Who Am I" request
> > >
> > > Hello everybody,
> > > I am trying to get the CN of a user currently connected to Active
> > > Directory (using a 3rd party library).
> > >
> > > I tried the "Who am I?" extended operation from RFC 4532, but I got an
> > > error 120 or 0x78 (I don't know if it is useful).
> > > Do you know of another method to get the CN? I need it to find out if
> > > the user is part of a group.
> > >
> > > Thanks a lot,
> > > Alexandr
> > > List info : http://www.activedir.org/List.aspx
> > > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > > List archive: http://www.activedir.org/ma/default.aspx
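Putting Joe's and Dmitri's suggestions together: locate the bound user by a sAMAccountName search and then compare the binary SIDs that tokenGroups returns against the group of interest. This is an added example, not code from the thread; it assumes the LDAP round-trip itself is done with whatever client library is in use (OpenLDAP here) and only shows the filter construction, with the logon name escaped per RFC 4515 so it cannot alter the filter, plus the SID decoding and membership check over constructed sample bytes.

```python
import struct
from typing import Iterable

# Characters that must be escaped inside an LDAP filter value (RFC 4515), so a
# logon name taken from the bind cannot change the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(sam_account_name: str) -> str:
    """Filter that finds the user object for a logon name such as 'TestUser'."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)


def sid_to_string(blob: bytes) -> str:
    """Decode a binary SID (the form tokenGroups returns) into S-1-5-21-... text."""
    revision, sub_count = blob[0], blob[1]
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % sub_count, blob[8:])    # 32-bit, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def make_sid(authority: int, *subs: int) -> bytes:
    """Build a binary SID; used here only to construct the sample tokenGroups values."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def is_member(token_groups: Iterable[bytes], group_sid: str) -> bool:
    """True if group_sid is among the user's tokenGroups values."""
    return any(sid_to_string(b) == group_sid for b in token_groups)


# Constructed sample: what tokenGroups might return for a user in the fictional
# domain S-1-5-21-1000-2000-3000 (Domain Users is RID 513; RID 1105 is a custom group).
SAMPLE_TOKEN_GROUPS = [
    make_sid(5, 21, 1000, 2000, 3000, 513),
    make_sid(5, 21, 1000, 2000, 3000, 1105),
]

if __name__ == "__main__":
    print(user_lookup_filter("TestUser"))
    print(user_lookup_filter("Test*User)(objectClass=*"))  # escaped, stays one assertion
    for blob in SAMPLE_TOKEN_GROUPS:
        print(sid_to_string(blob))
    print(is_member(SAMPLE_TOKEN_GROUPS, "S-1-5-21-1000-2000-3000-1105"))
```

Search under the domain root with a subtree scope (or the global catalog for the whole forest) and request only the attributes you need; the filter is indexed on sAMAccountName, so the load Alexandr worried about is small.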