Hi,
I am working on a website. I have to find the value of the "user cannot change password" property of a user. I found this link:
http://msdn.microsoft.com/en-us/library/aa746448(v=vs.85).aspx
according to which I have to find the "ntSecurityDescriptor" value of that user. They are using the DirectoryEntry class to find it, but in my case I am using the LdapConnection class.
When I used the DirectoryEntry class I was not able to connect to the server, so I changed to the LdapConnection class. Now I don't know how to find the value.
Posted 4-Nov-12 4:10am
Solution 1

Don't know if I'm answering your question or not, but if you're working on a website, use the VB at the end of the link you posted above. VB can query the information you need and can be encased within an ASP web page. The VB code can also manipulate the returned data into whatever format you need.
 
Const CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
 
Function UserCannotChangePassword(strUserDN As String, strUsername As String, strPassword As String) As Boolean
    UserCannotChangePassword = False
 
    Dim oUser As IADs
    Dim oSecDesc As IADsSecurityDescriptor
    Dim oACL As IADsAccessControlList
    Dim oACE As IADsAccessControlEntry
    Dim fEveryone As Boolean
    Dim fSelf As Boolean
 
    fEveryone = False
    fSelf = False
 
    If "" <> strUsername Then
        Dim dso As IADsOpenDSObject
 
        ' Bind to the user object with the specified user name and password.
        Set dso = GetObject("LDAP:")
        Set oUser = dso.OpenDSObject(strUserDN, strUsername, strPassword, 1)
    Else
        ' Bind to the user object with the current credentials.
        Set oUser = GetObject(strUserDN)
    End If
 
    Set oSecDesc = oUser.Get("ntSecurityDescriptor")
    Set oACL = oSecDesc.DiscretionaryAcl
 
    For Each oACE In oACL
        If UCase(oACE.ObjectType) = UCase(CHANGE_PASSWORD_GUID) Then
            If oACE.Trustee = "Everyone" And oACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
                fEveryone = True
            End If
 
            If oACE.Trustee = "NT AUTHORITY\SELF" And oACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
                fSelf = True
            End If
        End If
    Next
 
    If fSelf And fEveryone Then
        UserCannotChangePassword = True
    Else
        UserCannotChangePassword = False
    End If
End Function
Comments
mayankkarki at 6-Nov-12 1:43am
Hi, my problem is that I am using the LdapConnection class and connecting over SSL. Anyway, I managed to get the nTSecurityDescriptor value but now I am getting the error "Unable to cast object of System.Byte[] to ActiveDs.IADsSecurityDescriptor". I am using code like this:

SearchResponse response = (SearchResponse)connection.SendRequest(request);
IADsSecurityDescriptor sd = (IADsSecurityDescriptor)response.Entries[0].Attributes["nTSecurityDescriptor"][0];
Solution 2

This is the solution that I found.
using System;
using System.DirectoryServices.Protocols;
using ActiveDs;   // COM interop reference to the "Active DS Type Library" (activeds.tlb)

// Returns the project's CANT_CHANGE_PASSWORD marker when the user's DACL carries the
// "User-Change-Password" deny ACE, otherwise an empty string.
string GetCannotChangePasswordFlag(LdapConnection connection, SearchRequest request)
{
    SearchResponse response = (SearchResponse)connection.SendRequest(request);
    DirectoryAttribute attribute = response.Entries[0].Attributes["ntSecurityDescriptor"];

    if (attribute == null)
    {
        return string.Empty;
    }

    const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
    const int ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6;
    bool fEveryone = false;
    bool fSelf = false;

    // The attribute comes back as a raw binary descriptor (byte[]). It cannot be cast to
    // IADsSecurityDescriptor directly; it has to be converted first.
    ActiveDs.ADsSecurityUtility secUtility = new ActiveDs.ADsSecurityUtility();
    ActiveDs.IADsSecurityDescriptor sd = (ActiveDs.IADsSecurityDescriptor)secUtility.ConvertSecurityDescriptor(
        (byte[])attribute[0],
        (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_RAW,
        (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
    ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;

    foreach (ActiveDs.IADsAccessControlEntry ace in acl)
    {
        // Only look at object ACEs for the User-Change-Password control access right.
        if ((ace.ObjectType != null) && (ace.ObjectType.ToUpper() == PASSWORD_GUID.ToUpper()))
        {
            // Trustee is a display name and therefore locale dependent.
            if ((ace.Trustee == "Everyone") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
            {
                fEveryone = true;
            }
            if ((ace.Trustee == @"NT AUTHORITY\SELF") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
            {
                fSelf = true;
            }
            // No break here: the Everyone and SELF deny entries are two separate ACEs.
        }
    }

    if (fEveryone || fSelf)
    {
        // Project-specific constant from the original code.
        return Global.RequestContants.CANT_CHANGE_PASSWORD;
    }
    return string.Empty;
}

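As an added example (not part of the original answer), the same check done with System.Security.AccessControl.RawSecurityDescriptor, so the byte[] returned by LdapConnection is parsed directly and no ActiveDs interop is needed. It assumes an already-bound LdapConnection and uses the LDAP security-descriptor flags control; the class and method names are mine, not the poster's.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Security.AccessControl;
using System.Security.Principal;

static class CannotChangePasswordCheck
{
    // "User-Change-Password" control access right; same GUID the solutions above compare against.
    static readonly Guid ChangePasswordGuid = new Guid("ab721a53-1e2f-11d0-9819-00aa0040529b");
    // Compare trustees by SID rather than display name: "Everyone"/"NT AUTHORITY\SELF" are locale dependent.
    static readonly SecurityIdentifier Everyone = new SecurityIdentifier(WellKnownSidType.WorldSid, null); // S-1-1-0
    static readonly SecurityIdentifier Self = new SecurityIdentifier(WellKnownSidType.SelfSid, null);      // S-1-5-10

    // Managed parse of the binary nTSecurityDescriptor; no ActiveDs COM interop and no byte[] cast problem.
    public static bool UserCannotChangePassword(byte[] rawSd)
    {
        var sd = new RawSecurityDescriptor(rawSd, 0);
        if (sd.DiscretionaryAcl == null) return false;

        bool denyEveryone = false, denySelf = false;
        foreach (GenericAce ace in sd.DiscretionaryAcl)
        {
            var objAce = ace as ObjectAce;
            if (objAce == null || objAce.AceQualifier != AceQualifier.AccessDenied) continue;
            if ((objAce.ObjectAceFlags & ObjectAceFlags.ObjectAceTypePresent) == 0) continue;
            if (objAce.ObjectAceType != ChangePasswordGuid) continue;
            if (objAce.SecurityIdentifier == Everyone) denyEveryone = true;
            if (objAce.SecurityIdentifier == Self) denySelf = true;
        }
        // Windows sets the flag with both deny ACEs, as in the MSDN VB logic in Solution 1.
        return denyEveryone && denySelf;
    }

    // Reads the descriptor over an already-bound LdapConnection (assumed to exist).
    public static bool UserCannotChangePassword(LdapConnection connection, string userDn)
    {
        var request = new SearchRequest(userDn, "(objectClass=*)", SearchScope.Base, "nTSecurityDescriptor");
        // Ask for owner/group/DACL only. Without this control the SACL is requested as well, which
        // needs SeSecurityPrivilege, so an ordinary bind typically gets no value back at all.
        request.Controls.Add(new SecurityDescriptorFlagControl(
            SecurityMasks.Owner | SecurityMasks.Group | SecurityMasks.Dacl));

        var response = (SearchResponse)connection.SendRequest(request);
        if (response.Entries.Count == 0) return false;
        DirectoryAttribute attr = response.Entries[0].Attributes["nTSecurityDescriptor"];
        if (attr == null || attr.Count == 0) return false;
        return UserCannotChangePassword((byte[])attr[0]);
    }
}
```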
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
Last Updated 24 Nov 2012
Copyright © CodeProject, 1999-2014