Security in Directory Services Programming
In this chapter, we take a deeper look at security. We elaborate on the basics introduced in the previous chapters and explore some additional topics we have not yet mentioned.
The first part of the chapter is dedicated to binding and the security context. This is one of the most important concepts to understand, as it affects everything we try to do. It is also the primary reason why code fails to perform as expected, and it is quite often the first thing to investigate when troubleshooting.
The second part of the chapter deals with security settings on individual objects and applies to both Active Directory and ADAM. Both use the standard Windows security descriptor model for securing objects and take advantage of the directory hierarchy to harness the inheritance model supported by security descriptors, much like the Windows file system or registry does. Active Directory and ADAM support security settings all the way down to individual attributes on objects, and we will discuss how to program this model using .NET, both with version 2.0 and with the earlier 1.x release.
Finally, we take a brief but important look at code access security (CAS) and the notion of partially trusted code. This aspect of the .NET security model is often ignored and is not well understood by most developers, but it is critically important at least to know the basics, especially when programming in a partially trusted environment. As Windows itself matures, partial trust scenarios will become increasingly common. We discuss how System.DirectoryServices (SDS) and System.DirectoryServices.ActiveDirectory (SDS.AD) play in this space.