help with (almost) arbitrary searching

May 8, 2013 at 12:01 AM
The web project I'm working on includes a requirement for an address book pulling stuff from AD. Not a big deal, I've managed to get that working and I started out not knowing much of anything about LDAP (ok, I still don't).

I have two issues I'd like some advice on.

The first has to do with connections. On every request, I'm creating a new authenticated connection to LDAP using the user's credentials (I keep a copy of the username and password around for this reason). The reason I'm doing this is that I may be allowed access to a different set of entries than you and authenticating against the specific user ensures that he only sees what he is supposed to see. Since I'm only looking at 100-200 people who will not be using this feature all the time, performance isn't my primary concern today.

But it kind of bothers me that I have to keep the passwords around to make this work.

Is there a better way? Is it possible to have a single user that I connect with (perhaps using the connection pool) and then do searches "as if you were user foo"?

My second question has to do with flexibility. The app I'm building is a dashboard and I'd like to be able to allow the people who will be using this app, specifically the admins, to create directory search widgets that are limited in some way. For example all the people belonging to IT or all the people in a part of the AD tree ("OU=Users,OU=Region1,OU=Sites,OU=Internal Users,DC=mysite,DC=local" vs. "OU=Users,OU=Region2,OU=Sites,OU=Internal Users,DC=mysite,DC=local" vs "OU=Vendors,OU=Global,OU=Sites,OU=Internal Users,DC=mysite,DC=local").

I'd really rather not have to add code for each type of thing you'd want to search by. Rather I'd prefer to be able to include something in the request that I could translate into a generic query. If I have to predefine everything in my code, fine, but I'm not certain what I have to add through code and what I can set at request time.

Maybe it's just my limited understanding of how LDAP works, not to mention being more of a Web Front End Guy and new to the whole .NET ecosystem, but there seems to be some terminology that I'm missing that would make understanding all this easier.
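As an added example (not code from the thread or from the library being discussed), here is one way to turn the "widget limited in some way" idea into a single generic search routine with System.DirectoryServices.Protocols (S.DS.P). Admins register a widget as a base DN, a scope and an optional fixed filter clause; a request names a widget and supplies a search term, and nothing else from the request reaches the directory. The term is escaped per RFC 4515 before it is spliced into the filter, the bind is done as the requesting user as in the post, and the result set is capped. The host name `ldap.mysite.local`, the `Widget` class, the `department` clause and the attribute list are assumptions for illustration.

```csharp
// Added example, not part of the original thread.
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public sealed class Widget
{
    public string BaseDn;       // where the search is rooted
    public SearchScope Scope;   // how deep it may go
    public string ExtraFilter;  // fixed clause the admin attached, "" if none
}

public static class DirectorySearch
{
    // Admin-defined widgets (assumed values); a request may only pick one by name,
    // never supply its own base DN or scope.
    private static readonly Dictionary<string, Widget> Widgets =
        new Dictionary<string, Widget>(StringComparer.OrdinalIgnoreCase)
    {
        ["region1"] = new Widget { BaseDn = "OU=Users,OU=Region1,OU=Sites,OU=Internal Users,DC=mysite,DC=local", Scope = SearchScope.Subtree, ExtraFilter = "" },
        ["region2"] = new Widget { BaseDn = "OU=Users,OU=Region2,OU=Sites,OU=Internal Users,DC=mysite,DC=local", Scope = SearchScope.Subtree, ExtraFilter = "" },
        ["vendors"] = new Widget { BaseDn = "OU=Vendors,OU=Global,OU=Sites,OU=Internal Users,DC=mysite,DC=local", Scope = SearchScope.OneLevel, ExtraFilter = "" },
        // "everyone in IT": whole tree, but the widget pins a department clause (assumed attribute value)
        ["it"]      = new Widget { BaseDn = "OU=Internal Users,DC=mysite,DC=local", Scope = SearchScope.Subtree, ExtraFilter = "(department=IT)" },
    };

    // RFC 4515 escaping for a value placed inside a filter assertion. Without it,
    // a search term containing '*', '(' or ')' would change the shape of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Builds the filter for one widget: person objects only, the admin's fixed
    // clause, and a prefix match of the escaped user term on cn or sAMAccountName.
    public static string BuildFilter(string widgetName, string userTerm)
    {
        Widget w;
        if (!Widgets.TryGetValue(widgetName, out w))
            throw new ArgumentException("unknown widget", nameof(widgetName));
        string term = EscapeFilterValue(userTerm.Trim());
        return "(&(objectCategory=person)(objectClass=user)" + w.ExtraFilter +
               "(|(cn=" + term + "*)(sAMAccountName=" + term + "*)))";
    }

    // Binds as the requesting user, so the directory's own ACLs decide what each
    // caller may see (the approach the post describes), then runs the widget's search.
    public static List<string> Search(string widgetName, string userTerm, NetworkCredential userCred)
    {
        Widget w = Widgets[widgetName];
        string filter = BuildFilter(widgetName, userTerm);

        using (var conn = new LdapConnection(new LdapDirectoryIdentifier("ldap.mysite.local", 636))) // assumed host
        {
            conn.SessionOptions.SecureSocketLayer = true; // LDAPS so the bind credentials are not sent in clear
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate;
            conn.Credential = userCred;
            conn.Bind();

            var request = new SearchRequest(w.BaseDn, filter, w.Scope,
                                            "cn", "mail", "telephoneNumber", "department");
            request.SizeLimit = 50; // a widget is a lookup, never a directory dump

            var response = (SearchResponse)conn.SendRequest(request);
            var results = new List<string>();
            foreach (SearchResultEntry entry in response.Entries)
                results.Add(entry.DistinguishedName);
            return results;
        }
    }
}
```

A request such as `GET /LDAP/search?widget=region1&q=jim` then maps to `Search("region1", "jim", cred)`; adding a new kind of widget is a table entry, not new code, while the filter shape, base DN and scope stay under the admin's control.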
Coordinator
Jun 29, 2013 at 7:56 PM
If you have the ability to enable integrated authentication that could take care of your credential storage problem. It is also possible to query the directory using a service account, however since you limit what is visible in the directory based on the user accessing the directory won't that cause a problem?

For your second question, you can look into the dynamic querying and custom querying. You can build dynamic queries using the Filter class or specifying the query yourself using Where("filter"). You can see more about that here.
Jul 5, 2013 at 7:54 PM
Unfortunately, we're using a third party webservice for authentication. It provides SSO services to all the other things that are going into my dashboard. Ironically it is actually using the same LDAP servers I need to access but, unfortunately, it cannot provide me with the stuff I need to connect to LDAP so I have to keep a reference. I also want to keep this directory search feature independent of the rest of the webapp since we're using it with other clients, including those that have no relationship to LDAP.

My first question has to do with something I thought I'd seen suggesting that I could authenticate using a service account but then when actually searching have the results reflect what the user would have received had we authenticated as them (meaning I need only store the password for the service account and not the individual users). Obviously this would require that the service account have a superset of permissions, but that shouldn't be a problem. I'm beginning to think I misread something.

Thanks for the reference to the filter class. I think that'll do what I want.

One new question. From what I've seen, there is no way to build my search such that I can request paged results from the browser (say with: GET /LDAP/search?q=jimbob&pagesize=20&page=3) since LDAP only lets you get results sequentially. The results come paged from the LDAP server to my .NET application but I can't just ask for items 40-59, I would need to go through and get records 0-39, toss them out and then return the ones I want. Or have I missed something?
Coordinator
Aug 3, 2013 at 6:57 AM
I'm not sure impersonation is possible for searching. I haven't seen anything in the S.DS.P or S.DS API that would suggest this is possible. Can you link to the information you read on the topic?

For your next question, that is correct. LDAP paging is extremely opaque so you'll have to take care how you design your interface for paging. I tend to focus on providing fairly robust contextual searching with limited results and then adding a "load more" if necessary.
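The paging behaviour described in the last two posts, as an added example that is not code from the thread: with the LDAP paged-results control each response carries an opaque cookie that the next request must send back, so there is no "give me page 3" request. `GetPage` shows what serving `page=3` actually costs (pages 0 to 2 are fetched and discarded on the way), and `LoadMore` shows the "load more" shape the Coordinator recommends, where the caller keeps the cookie instead of a page number. It assumes an already bound `LdapConnection`; the base DN and filter are the caller's.

```csharp
// Added example, not part of the original thread.
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;

public static class PagedSearch
{
    // Pulls the server's paging control out of a response; its Cookie is empty
    // once the last page has been delivered.
    private static PageResultResponseControl PageControlOf(SearchResponse response)
    {
        foreach (DirectoryControl control in response.Controls)
        {
            var prc = control as PageResultResponseControl;
            if (prc != null) return prc;
        }
        throw new InvalidOperationException("server did not return a paged-results control");
    }

    // Fetches one page starting from the given cookie (null or empty for the first page)
    // and returns the entries plus the cookie for the page after it.
    public static KeyValuePair<List<string>, byte[]> LoadMore(LdapConnection conn, string baseDn,
                                                              string filter, int pageSize, byte[] cookie)
    {
        var request = new SearchRequest(baseDn, filter, SearchScope.Subtree, "cn");
        var pageRequest = new PageResultRequestControl(pageSize);
        if (cookie != null && cookie.Length > 0)
            pageRequest.Cookie = cookie;
        request.Controls.Add(pageRequest);

        var response = (SearchResponse)conn.SendRequest(request);
        var names = new List<string>();
        foreach (SearchResultEntry entry in response.Entries)
            names.Add(entry.DistinguishedName);

        return new KeyValuePair<List<string>, byte[]>(names, PageControlOf(response).Cookie);
    }

    // Answers "page N" the only way LDAP allows: walk pages 0..N-1 and throw them away.
    // Cost grows linearly with N, which is why deep page numbers are a poor interface.
    public static List<string> GetPage(LdapConnection conn, string baseDn, string filter,
                                       int pageSize, int pageIndex)
    {
        byte[] cookie = null;
        for (int page = 0; ; page++)
        {
            KeyValuePair<List<string>, byte[]> result = LoadMore(conn, baseDn, filter, pageSize, cookie);
            if (page == pageIndex)
                return result.Key;
            if (result.Value.Length == 0)
                return new List<string>(); // asked for a page beyond the end of the result set
            cookie = result.Value;         // discard this page, continue from the server's cookie
        }
    }
}
```

The cookie is meaningful only to the server that issued it and is expected back on the same connection, so a "load more" design keeps the connection and the cookie together in the server-side session for the duration of the search rather than round-tripping a page number, which is what forces the discard loop in `GetPage`.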