Manipulating an LDAP Directory Using ADSI


Unlike the Windows NT and IIS ADSI providers, which are constrained by an established directory structure, the open architecture of an LDAP directory allows infinite variations on the design of the namespace. Because of such flexibility, some organizations may choose flat structures, whereas others might opt for extremely deep hierarchical schemes utilizing geographical or functionally based organizational units to organize their entries.

You must understand the architecture of your particular directory implementation to properly bind to entries in the directory. For an example of how a binding string relates to the directory structure, consider Figure 11.1 and both of the following related binding strings.

Figure 11.1. Relatively flat hierarchical directory architecture used in the Airius sample database.


To bind to the user object scarter, use either of the following ADSI binding strings:

Big-Endian form:

    Set Obj = GetObject("LDAP://LDAP_ServerName/O=airius.com/OU=People/UID=scarter")

Little-Endian form (default):

    Set Obj = GetObject("LDAP://LDAP_ServerName:TCP_Port/UID=scarter, OU=People, O=airius.com")

Notice in Big-Endian form, you start from the top of the structure and work your way down to the smallest element, which in this case happens to be a user object. Conversely, Little-Endian form starts at the smallest element, the user object in this case, and navigates up the directory back to the root of the tree. Although Little-Endian form is the default returned by ADSI queries, many people find Big-Endian form a bit more intuitive when binding to objects in the directory.

Note

If your LDAP server listens on a port other than the default (389), you must use Little-Endian form with ADSI, with the port appended to the server name as in the example above.


Discovering the Architecture of an Existing LDAP Directory Using Visual Basic

To properly bind to an LDAP directory, you must know the relationship between parent and child objects for each entry in the directory. If you do not want to ask the LDAP directory project team for a detailed sketch of the topology of the directory, use the following Visual Basic code to programmatically derive a map:

    Dim Container As IADsContainer
    Dim Entry As IADs
    Dim StartingPoint As String

    ' Uncomment the next line to start one level down, at ou=People
    'StartingPoint = "/ou=People"

    Set Container = GetObject("LDAP://LDAP_SERVER/o=airius.com" & StartingPoint)
    For Each Entry In Container
        Debug.Print "Entry Name: " & Entry.Name & vbTab & vbTab & "Class: " & Entry.Class
    Next

By changing the starting point, you can enumerate all child entries beneath the point chosen in the binding string. This can be useful for displaying all entries in, for example, the People or Groups containers.

Warning

Enumerating a container that holds a very large number of entries (20,000 or more) is extremely CPU intensive. If your organization has implemented a relatively flat directory architecture, take this into account when designing your LDAP client application.
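The same enumeration in PowerShell, as an added example that is not the book's code: it walks the tree recursively instead of one level at a time, and it addresses the warning above by using a paged one-level search with a per-container cap, so a flat container with tens of thousands of entries is never pulled down in one response. System.DirectoryServices is a .NET wrapper over the same ADSI LDAP provider the VB code uses. LDAP_SERVER and o=airius.com are the book's placeholders; the list of container classes is an assumption for a typical Netscape/iPlanet layout.

```powershell
# Added example, not the book's code: walk an LDAP directory and print its
# containment hierarchy with System.DirectoryServices, the .NET wrapper over
# the same ADSI LDAP provider the VB code above calls. LDAP_SERVER and
# o=airius.com are the book's placeholders for the Airius sample directory.
$Server = "LDAP_SERVER"
$BaseDn = "o=airius.com"

# Object classes worth descending into. This list is an assumption for a
# typical Netscape/iPlanet layout; extend it for your own schema.
$ContainerClasses = @("organization", "organizationalunit", "container", "domain")

function Show-DirectoryTree {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.DirectoryEntry]$Entry,
        [int]$Depth = 0,
        [int]$MaxDepth = 4,       # stop descending at this depth
        [int]$MaxChildren = 200   # list at most this many children per container
    )
    "{0}{1}  [{2}]" -f ("  " * $Depth), $Entry.Name, $Entry.SchemaClassName
    if ($Depth -ge $MaxDepth) { return }

    # One-level paged search: the server returns 500 entries per page, so a
    # flat 20,000-entry container is never materialized in a single response.
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher($Entry)
    $Searcher.Filter      = "(objectClass=*)"
    $Searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $Searcher.PageSize    = 500
    [void]$Searcher.PropertiesToLoad.Add("objectClass")

    $Results = $Searcher.FindAll()
    try {
        $Seen = 0
        foreach ($Result in $Results) {
            $Seen++
            if ($Seen -gt $MaxChildren) {
                "{0}... more than {1} children, stopping here" -f ("  " * ($Depth + 1)), $MaxChildren
                break
            }
            $Classes = @($Result.Properties["objectclass"]) | ForEach-Object { "$_".ToLower() }
            $Child   = $Result.GetDirectoryEntry()
            $IsContainer = [bool]($Classes | Where-Object { $ContainerClasses -contains $_ })
            if ($IsContainer) {
                Show-DirectoryTree -Entry $Child -Depth ($Depth + 1) -MaxDepth $MaxDepth -MaxChildren $MaxChildren
            } else {
                "{0}{1}  [{2}]" -f ("  " * ($Depth + 1)), $Child.Name, $Child.SchemaClassName
            }
            $Child.Dispose()
        }
    } finally {
        $Results.Dispose()   # releases the paged search and its COM handles
    }
}

# Anonymous bind, as in the book's example; the later sections cover
# supplying credentials.
$Root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
Show-DirectoryTree -Entry $Root
$Root.Dispose()
```

Breaking out of the foreach stops the searcher from requesting further pages, so the cap bounds the work on the server as well as on the client; disposing the SearchResultCollection matters because each result holds an ADSI COM handle until it is released.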


Querying Entry Attributes with ADSI Using Anonymous Access in Visual Basic

To query an entry's attributes, you typically bind to the entry and call the IADs interface's Get method for each attribute you want. If your LDAP server allows anonymous read access to the directory, use the following Visual Basic code as a guide:

    ' A missing attribute raises an error on Get; note that Resume Next
    ' also hides a failed bind, so the loop silently does nothing in that case.
    On Error Resume Next
    Dim Container As IADsContainer
    Dim User As IADs

    Set Container = GetObject("LDAP://LDAP_SERVER/o=airius.com/ou=People")
    For Each User In Container
        Debug.Print "UserID: " & vbTab & User.Get("uid") & vbTab & _
                    "Common Name: " & User.Get("cn") & vbTab & _
                    "Surname: " & User.Get("sn")
    Next

Note

In this example, you are simply querying uid along with the mandatory properties (the cn and sn attributes) of an entry of type inetOrgPerson.


Querying Entry Attributes with ADSI Using Alternate Credentials in Visual Basic

If you must access an entry that is blocked from general (anonymous) access, or whose attributes are protected by access control instructions (ACIs), use the OpenDSObject method of the IADsOpenDSObject interface to supply the credentials to use for directory access.

For Netscape Directory Servers, this account is typically defined as cn=directory manager , although it can be changed at installation time to any value valid for a common name entry.

Use the following code to bind to the directory as cn=directory manager and query the mandatory attributes of an entry of type inetOrgPerson. Two cautions: the last argument to OpenDSObject, 0, selects a plain simple bind, which sends the password to the server in clear text, so against a server that supports LDAP over SSL pass ADS_USE_SSL (2) and bind to the SSL port instead (ADS_SECURE_AUTHENTICATION, 1, means Windows-integrated authentication and does not apply to a Netscape server). And the directory manager password is written into the script here only for illustration; in practice, prompt for it or read it from protected storage, and prefer a less privileged account for read-only work.

    On Error Resume Next
    Dim dso As IADsOpenDSObject
    Dim Container As IADsContainer
    Dim User As IADs

    Set dso = GetObject("LDAP:")
    Set Container = dso.OpenDSObject("LDAP://LDAP_SERVER/o=airius.com/ou=People", _
                                     "cn=Directory Manager", "l@undrym@t1974", 0)
    For Each User In Container
        Debug.Print "UserID: " & vbTab & User.Get("uid") & vbTab & _
                    "Common Name: " & User.Get("cn") & vbTab & _
                    "Surname: " & User.Get("sn")
    Next
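The same authenticated read in PowerShell, as an added example that is not the book's code. It makes the two changes a practitioner would make to the VB sample: the bind password is prompted for rather than embedded in the script, and the bind is wrapped in TLS rather than sent as a clear-text simple bind. The host name, the LDAPS port and the bind DN are placeholders; that the server accepts LDAP over SSL on port 636 is an assumption.

```powershell
# Added example, not the book's code: the authenticated read of uid/cn/sn
# from ou=People, with the bind password prompted for and the bind carried
# over LDAPS. Host, port and bind DN are placeholders/assumptions.
$Server  = "LDAP_SERVER"
$SslPort = 636                          # assumption: the server listens for LDAPS here
$BindDn  = "cn=Directory Manager"       # better: a read-only service account
$Path    = "LDAP://${Server}:${SslPort}/ou=People,o=airius.com"   # DN form, required with a port

$Cred     = Get-Credential -UserName $BindDn -Message "LDAP bind password for $BindDn"
$Password = $Cred.GetNetworkCredential().Password

# AuthenticationTypes::None is ADSI's 0 (the VB sample): a simple bind that
# sends the password in clear text. SecureSocketsLayer is ADS_USE_SSL (2):
# the same simple bind, but inside TLS. ADS_SECURE_AUTHENTICATION (1) means
# Windows-integrated authentication and does not apply to a Netscape server.
$Auth = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer

$People = New-Object System.DirectoryServices.DirectoryEntry($Path, $BindDn, $Password, $Auth)
try {
    # Touching NativeObject forces the bind now, so a bad password or an
    # untrusted server certificate fails loudly here instead of being
    # swallowed the way On Error Resume Next swallows it in the VB sample.
    [void]$People.NativeObject

    foreach ($User in $People.Children) {
        [pscustomobject]@{
            UserID     = $User.Properties["uid"].Value
            CommonName = $User.Properties["cn"].Value
            Surname    = $User.Properties["sn"].Value
        }
        $User.Dispose()
    }
}
catch [System.Runtime.InteropServices.COMException] {
    Write-Error ("Bind to {0} as {1} failed: {2}" -f $Path, $BindDn, $_.Exception.Message)
}
finally {
    $Password = $null
    $People.Dispose()
}
```

The output is a stream of objects rather than Debug.Print lines, so it can be piped to Format-Table or Export-Csv. If the server's certificate is not trusted by the client machine, the bind fails inside NativeObject with a COMException; that is the intended behaviour, not something to work around by dropping back to AuthenticationTypes::None.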

Modifying Entry Attributes Using ADSI in Visual Basic

To set an attribute value of an existing directory entry, use the Put method of the IADs interface and then call SetInfo to write the change to the server. To perform this task, you must be bound to the directory as a user with modification privileges for that entry. As in the authenticated query in the preceding example, passing the directory manager account credentials to the OpenDSObject method of the IADsOpenDSObject interface lets you modify the directory. Use the following Visual Basic code to change the sn attribute of the user uid=aknutson from Knutson to McNally:

    Dim dso As IADsOpenDSObject
    Dim Container As IADsContainer
    Dim User As IADs

    Set dso = GetObject("LDAP:")
    Set Container = dso.OpenDSObject("LDAP://LDAP_SERVER/o=airius.com/ou=People", _
                                     "cn=Directory Manager", "l@undrym@t1974", 0)
    Set User = Container.GetObject("inetorgperson", "uid=aknutson")
    User.Put "sn", "McNally"
    User.SetInfo    ' nothing is written to the server until SetInfo is called

Creating a New Entry Using ADSI in Visual Basic

To create a new entry in the directory, you must have several pieces of information about the entry and its parent container, including the following:

  • The credentials required to update the directory (such as the credentials for the directory manager account)

  • The path to the Parent container in which you wish to create the entry

  • The class of the object to be created

  • The mandatory properties for the object class of the entry you want to create

Consider the following Visual Basic code example, which creates a new entry named uid=teck of type inetOrgPerson in the People organizational unit:

    Dim dso As IADsOpenDSObject
    Dim Container As IADsContainer
    Dim User As IADs
    Dim ClassArray As Variant

    Set dso = GetObject("LDAP:")
    Set Container = dso.OpenDSObject("LDAP://LDAP_SERVER/o=airius.com/ou=People", _
                                     "cn=Directory Manager", "l@undrym@t1974", 0)
    Set User = Container.Create("inetorgperson", "uid=teck")

    ' Full objectClass chain plus the mandatory cn and sn, all set before SetInfo
    ClassArray = Array("inetOrgPerson", "person", "top", "organizationalPerson")
    User.Put "objectClass", ClassArray
    User.Put "cn", "Thomas Eck"
    User.Put "sn", "Eck"
    User.SetInfo

Removing an Entry Using ADSI in Visual Basic

To remove an existing entry from the directory, call the Delete method of the parent container's IADsContainer interface, passing the class of the entry and its relative name as arguments. The delete takes effect immediately; no SetInfo call is needed.

Consider the following Visual Basic code to remove the entry created in the previous example:

    Dim dso As IADsOpenDSObject
    Dim Container As IADsContainer

    Set dso = GetObject("LDAP:")
    Set Container = dso.OpenDSObject("LDAP://LDAP_SERVER/o=airius.com/ou=People", _
                                     "cn=Directory Manager", "l@undrym@t1974", 0)
    Call Container.Delete("inetorgperson", "uid=teck")
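The create, modify and remove steps of the three preceding sections, run as one sequence in PowerShell as an added example that is not the book's code. It adds what the separate VB samples leave out: the bind is established once and checked up front, each commit is followed by a read-back from the server, and the entry to modify is located by a search on uid rather than by assuming its RDN, with the uid escaped so a value taken from input cannot rewrite the LDAP filter. The host, the LDAPS port and the ConvertTo-LdapFilterValue and Find-Person helpers are assumptions of this example; cn=Directory Manager, uid=teck and the attribute values are the book's.

```powershell
# Added example, not the book's code: create, modify and remove uid=teck in
# ou=People with a read-back check after each commit. Host, port and LDAPS
# are assumptions; the helper functions are this example's, not ADSI's.
$Server = "LDAP_SERVER"
$Path   = "LDAP://${Server}:636/ou=People,o=airius.com"   # assumption: LDAPS on 636
$Cred   = Get-Credential -UserName "cn=Directory Manager" -Message "LDAP bind password"
$Auth   = [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
$People = New-Object System.DirectoryServices.DirectoryEntry($Path, $Cred.UserName, $Cred.GetNetworkCredential().Password, $Auth)

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping of the characters that carry meaning inside a filter,
    # so "(uid=$Uid)" cannot be widened to "(uid=*)" by a crafted value.
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Find-Person {
    # One-level search for an inetOrgPerson by uid; returns $null if absent.
    param([System.DirectoryServices.DirectoryEntry]$Container, [string]$Uid)
    $Filter   = "(&(objectClass=inetOrgPerson)(uid={0}))" -f (ConvertTo-LdapFilterValue $Uid)
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher($Container, $Filter)
    $Searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $Result = $Searcher.FindOne()
    if ($Result) { $Result.GetDirectoryEntry() } else { $null }
}

try {
    [void]$People.NativeObject    # bind now; fail here rather than mid-sequence

    # Create (IADsContainer::Create + IADs::SetInfo): the objectClass chain and
    # the mandatory cn and sn of inetOrgPerson must be set before the first
    # commit or the server rejects the add.
    $New = $People.Children.Add("uid=teck", "inetOrgPerson")
    $New.Properties["objectClass"].Value = @("top", "person", "organizationalPerson", "inetOrgPerson")
    $New.Properties["cn"].Value = "Thomas Eck"
    $New.Properties["sn"].Value = "Eck"
    $New.CommitChanges()
    $New.Dispose()

    # Modify (IADs::Put + SetInfo): change sn, then reload from the server to
    # confirm the write instead of trusting the local property cache.
    $User = Find-Person -Container $People -Uid "teck"
    if (-not $User) { throw "uid=teck not found after create" }
    $User.Properties["sn"].Value = "McNally"
    $User.CommitChanges()
    $User.RefreshCache()          # IADs::GetInfo
    "sn after modify: {0}" -f $User.Properties["sn"].Value

    # Remove (IADsContainer::Delete), then verify the entry is really gone.
    $People.Children.Remove($User)
    $User.Dispose()
    if (Find-Person -Container $People -Uid "teck") { throw "uid=teck still present after delete" }
    "uid=teck removed"
}
finally {
    $People.Dispose()
}
```

Children.Add, Properties[...].Value, CommitChanges, RefreshCache and Children.Remove map one-to-one onto the IADsContainer Create, IADs Put, SetInfo, GetInfo and IADsContainer Delete calls in the VB samples; the escaping helper is the one piece with no ADSI counterpart, and it is the piece to keep whenever the search value originates outside the script.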

Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
Year: 2000
Pages: 194
Authors: Thomas Eck