Accessing Active Directory with the System.DirectoryServices Classes

If your Web server is a member of a Windows Active Directory-enabled domain, you may find that you need to be able to query (or even update) the directory from your ASP.NET code. This is most likely to be the case for intranet applications. Alternatively, you may wish to query other types of remote directory. The .NET Framework includes a series of classes in the System.DirectoryServices namespace that provide access to directories using one of four protocols:

The Lightweight Directory Access Protocol (LDAP) for Windows Active Directory or any other LDAP-enabled directory service
The Internet Information Server (IIS) protocol for access to metabase information
Novel Netware Directory Services (NDS)
Windows NT internal protocol

In the example, you will see how you can use the most common of these, the LDAP protocol, to access Active Directory and get a list of values from one of the AD containers. However, for this to work, the account that ASP.NET is running under must have permission to access the Active Directory. If you are using Visual Studio or VWD, and running the page using the built-in Web server, you should find that it works. If not, try logging on to your machine with an account that has administrator permissions on the domain.

If you want to access Active Directory from an application running under IIS, you will most likely need to disable anonymous access to the application in Internet Services Manager, so that users must provide domain credentials when accessing the application. Be careful if you decide to allocate the anonymous IUSR account or ASPNET permissions within the directory, and restrict these permissions to the minimum required.

The main classes in the System.DirectoryServices namespace are the DirectoryEntry, which represents an individual item in a container within the directory; and DirectorySearcher and SearchResult, which you use to get a list of DirectoryEntry instances matching specific criteria. The starting point is to get a reference to the root of the directory. For this, you must specify the URI in the correct LDAP format. To access the local Active Directory, you require "LDAP://domain-name," for example:

DirectoryEntry root = new DirectoryEntry("LDAP://mydomain.com")

Note that the protocol definition ("LDAP") must be uppercase.

You can then search for containers using the DirectorySearcher class, specifying the node to start the search from and the query that selects a container or value:

DirectorySearcher searcher = new DirectorySearcher(root, "CN=Users") SearchResult result = searcher.FindOne();

The result of a call to the FindOne method of the DirectorySearcher is a single SearchResult instance, while the result of a call to the FindAll method is a SearchResultCollection capable of containing more than one SearchResult. Each SearchResult exposes the path of the item it found and a set of properties for that item. If you want to access the item itself, perhaps to perform more searches starting from here, you use the GetdirectoryEntry method of the SearchResult.

This is, of course, only a very brief overview of the capabilities of the System.DirectoryServices classes, but it is enough to demonstrate how useful they are.

Getting a List of Users

The GetADUserList method in the Ch15DataProcess.cs file returns a String value that is a list of the users found in the "Users" container of Active Directory within the local domain. Listing 15.31 shows the code used in the example. You can see that it first calls the static GetCurrentDomain method to get the local AD domain name, accesses the root of the Active Directory hierarchy for this domain, and then uses a DirectorySearcher from this point to find the first container with "CN=Users" in its name.

This is the Users container, and so the code can get a reference to the "live" node in Active Directory for this entry and iterate through all the child nodes (the users). The Name property of each contains the LDAP protocol identifier, as "CN=username", so the code removes this to leave just the name.

Listing 15.31. Listing Users from Active Directory

StringBuilder builder = new StringBuilder(); // get reference to current Active Directory domain // and display domain name Domain theDomain = Domain.GetCurrentDomain(); String domainName = theDomain.Name; builder.Append("List of Active Directory Users for Domain '"                + domainName + "'\n"); // get root entry in AD for this domain using (DirectoryEntry root = new DirectoryEntry("LDAP://"                                               + domainName)) {   // search AD for child directory path with container CN=Users   using (DirectorySearcher searcher = new DirectorySearcher(root,                                                      "CN=Users"))   {     // just return first match (only one such path should exist)     SearchResult result = searcher.FindOne();     if (result == null)     {       builder.Append("No 'CN=Users' entry found.");     }     else     {       // get the directory entry for the CN=Users path       using (DirectoryEntry entry = result.GetDirectoryEntry())       {         // iterate through all the child entries (the users)         foreach (DirectoryEntry child in entry.Children)         {           String userEntry = child.Name;           // remove leading "CN=" from returned name           builder.Append(userEntry.Substring(                          userEntry.IndexOf("=") + 1) + "\n");         }       }     }   } } sourceString = builder.ToString();

Figure 15.20 shows the result. You can see that it detects the domain name automatically and finds a complete list of users (some of which are hidden here).

Figure 15.20. A list of users obtained from Active Directory