Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

Last post 06-17-2007, 8:48 PM by dunnry. 8 replies.
  •  06-05-2007, 8:25 AM 1126

    ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

    Hello,

    I'm using ActiveDirectoryRoleProvider in conjunction with ADAM.

    I have a problem using IsUserInRole, with the parameter 'roleName' set to a group DN. The following exception is thrown: "The parameter 'roleName' must not contain commas".

    System.Web.Util.SecUtility.CheckParameter(String& param, Boolean checkForNull, Boolean checkIfEmpty, Boolean checkForCommas, Int32 maxSize, String paramName) +757969
       System.Web.Security.Roles.IsUserInRole(String username, String roleName) +217

    My question is how can I specify a group name without using a DN when using ADAM ?

    TIA.

  •  06-06-2007, 12:02 AM 1131 in reply to 1126

    Re: ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

    Which ActiveDirectoryRoleProvider is that?  Is that the experimental one that Ryan wrote or something else?  AFAIK, MS doesn't ship one with ASP.NET (just the membership provider).

    The problem with ADAM and groups is that there is no other unique identifier for ADAM groups beside the DN and the SID.  With AD groups, you have the NT name (domain\sAMAccountName), but ADAM doesn't have an equivalent.

    As such, there isn't an obvious answer as to what that name should be here.  What friendly name would you want to use for the group?

  •  06-06-2007, 1:29 AM 1133 in reply to 1131

    Re: ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

    The provider is the one that Ryan wrote. By group name, I meant group identifier. I'll try with the SID.

    Thanks for that.

  •  06-08-2007, 12:45 PM 1142 in reply to 1133

    Re: ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

    Interesting.  I would say that we might have to modify the way the role provider returns the names and simply remove the commas or even just keep the CN portion only.  This way you don't have to worry about it.  It is not ideal of course since we want a global unique thing (like sAMAccountName) in ADAM, but also want to keep it somewhat reasonable to maintain (where the DN is a pain since it can move, though it is unique).

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  06-08-2007, 9:35 PM 1149 in reply to 1142

    Re: ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

    To me this is a problem with no obvious answer.  Maybe the canonicalName would be a good choice?  I don't like the CN idea as it isn't guaranteed unique, but the DN or SID aren't very good either.
  •  06-09-2007, 12:08 AM 1152 in reply to 1149

    Re: ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

    I agree, it is pretty ugly, but I am not sure what to do either.  Given that ',' characters are no good for the framework, we have to pick something.  It is the whole uniqueness problem that is biting us.  SIDs are unique, but wholly unmanageable.  The canonical name is good, but suffers from DN problems (moving).  I would have found this bug earlier, but I admit that I have written most of this provider with very little testing (well, my mind doesn't count, right?).

    If anyone has suggestions, go to codeplex.com/adrp and let me know... better yet, download the code, fix it, and then let me know so I can incorporate the patch.

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  06-17-2007, 12:44 AM 1212 in reply to 1152

    Re: ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

    So, I don't want to see this issue die.  I am willing to code something to fix this if someone has a way that we can uniquely identify the group in ADAM.  It looks like the DN format is not going to work in ASP.NET since the IsInRole() hates it.  How should we tackle this?  I will do canonical names if I can get some feedback here.

    I could also do something more clever, like prefixing the name of the partition like a domain - e.g. "CN=Adam Group 1,OU=Groups,O=dunnry,C=us" would become "dunnry.us\Adam Group" and "CN=GroupB,OU=Groups,OU=ParentGroups,DC=dunnry,DC=net" would be "dunnry.net\GroupB" for instance.  Would that work?


    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming
  •  06-17-2007, 10:17 AM 1213 in reply to 1212

    Re: ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

    I like the canonicalName format myself.  The big drawback with it is that it is not "move safe", so if you move a group, the canonicalName will change.  However, the DN has the same drawback.

    I think it is important to guarantee uniqueness as failing to do so can lead to unexpected security issues.

    If it would be possible to make it configurable, that would be good too.  That way, you could decide.  If you had another attribute that you were using that you were willing to guarantee uniqueness with, then you could use that (at your own risk). 

    I like your idea aesthetically as it matches nicely with the Windows style, but it suffers from the potential uniqueness problem, so it gives me pause.

    Another thing you could do would be to pair the CN with the RID of the group.  The RID will definitely be unique and is less unwieldy than the whole SID.

    dunnry.us\Adam Group-3311

    The problem there is that it would not be obvious what any given group might be named.  You'd want/need a little utility that would tell you, so that's a pain.

    I think I like canonicalName best as default.  I think it is the least evil.  The other problem with it, though, is that it will contain multiple \ characters, so any code that attempts to parse NT account names and expects a single \ may trip on it.

    It is hard to win here.  :)
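
    As an added illustration (this is not code from the thread or from the codeplex provider), the C# below derives each of the naming schemes discussed in this post from a constructed set of group DNs and SIDs, runs the same "no commas" check that Roles.IsUserInRole applies, and reports which schemes let two distinct groups collapse to one role name. One point of fact worth keeping in mind: AD and ADAM build the canonicalName attribute with forward slashes ("dunnry.net/ParentGroups/Groups/GroupB"), so the extra separators a NT-name parser might trip on are '/' rather than '\'; the concern is the same either way. The Group record, the helper names, and the sample DNs and SIDs are assumptions made for this example; the "O=dunnry,C=us" to "dunnry.us" shorthand follows the example given earlier in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

// Added example, not part of the thread or the codeplex provider. Derives each
// comma-free role-name scheme discussed above from a group's distinguishedName
// (and objectSid for the RID variant) and shows where the schemes collide.
// Pure string handling: no ADAM instance is needed to run it.
public static class AdamRoleNames
{
    // A group as a role provider would read it back. Sample data only.
    public record Group(string Dn, string Sid);

    // RDN types treated as the naming-context root.
    static readonly string[] RootTypes = { "DC", "O", "C" };

    // Split a DN into RDNs, keeping backslash-escaped commas ("\,") inside a value.
    public static List<string> SplitDn(string dn)
    {
        var rdns = new List<string>();
        var cur = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length) { cur.Append(c).Append(dn[++i]); continue; }
            if (c == ',') { rdns.Add(cur.ToString().Trim()); cur.Clear(); continue; }
            cur.Append(c);
        }
        rdns.Add(cur.ToString().Trim());
        return rdns;
    }

    static string Type(string rdn) => rdn[..rdn.IndexOf('=')].Trim().ToUpperInvariant();
    static string Value(string rdn) => rdn[(rdn.IndexOf('=') + 1)..].Trim().Replace("\\,", ",");

    // Root as a dotted name ("DC=dunnry,DC=net" -> "dunnry.net"; "O=dunnry,C=us" ->
    // "dunnry.us", the thread's shorthand), the container path from the root down,
    // and the group's own CN.
    static (string Root, List<string> Containers, string Leaf) Parse(string dn)
    {
        var rdns = SplitDn(dn);
        var rootRdns = rdns.SkipWhile(r => !RootTypes.Contains(Type(r))).ToList();
        var below = rdns.Take(rdns.Count - rootRdns.Count).ToList();
        if (below.Count == 0) throw new ArgumentException("DN has no leaf RDN", nameof(dn));
        var containers = below.Skip(1).Select(Value).Reverse().ToList();
        return (string.Join(".", rootRdns.Select(Value)), containers, Value(below[0]));
    }

    // canonicalName as AD/ADAM compute it: root/container/.../CN with '/' separators.
    public static string CanonicalName(string dn)
    {
        var (root, containers, leaf) = Parse(dn);
        var parts = new List<string> { root };
        parts.AddRange(containers);
        parts.Add(leaf);
        return string.Join("/", parts);
    }

    // Windows-style "partition\CN". Readable, but two groups with the same CN in
    // different OUs produce the same name.
    public static string PartitionAndCn(string dn)
    {
        var (root, _, leaf) = Parse(dn);
        return root + "\\" + leaf;
    }

    // "partition\CN-RID": the RID is the last sub-authority of the group's SID.
    public static string PartitionCnAndRid(string dn, string sid) =>
        PartitionAndCn(dn) + "-" + sid[(sid.LastIndexOf('-') + 1)..];

    // The check that made Roles.IsUserInRole reject a DN-style role name.
    public static bool IsAcceptableRoleName(string name) =>
        !string.IsNullOrEmpty(name) && !name.Contains(',');

    // Names a scheme produces for more than one group. Any hit here means a member
    // of one group also satisfies IsUserInRole for the other.
    public static List<string> Collisions(IEnumerable<Group> groups, Func<Group, string> scheme) =>
        groups.GroupBy(scheme, StringComparer.OrdinalIgnoreCase)
              .Where(g => g.Count() > 1).Select(g => g.Key).ToList();

    public static void Main()
    {
        // Constructed sample groups; the SIDs are made up.
        var groups = new[]
        {
            new Group("CN=Admins,OU=Groups,O=dunnry,C=us",                    "S-1-5-21-1000-2000-3000-3311"),
            new Group("CN=Admins,OU=Legacy,O=dunnry,C=us",                    "S-1-5-21-1000-2000-3000-3312"),
            new Group("CN=GroupB,OU=Groups,OU=ParentGroups,DC=dunnry,DC=net", "S-1-5-21-1000-2000-3000-3313"),
            new Group("CN=Sales\\, EMEA,OU=Groups,O=dunnry,C=us",             "S-1-5-21-1000-2000-3000-3314"),
        };
        var schemes = new Dictionary<string, Func<Group, string>>
        {
            ["canonicalName"]     = g => CanonicalName(g.Dn),
            ["partition\\CN"]     = g => PartitionAndCn(g.Dn),
            ["partition\\CN-RID"] = g => PartitionCnAndRid(g.Dn, g.Sid),
        };
        foreach (var kv in schemes)
        {
            Console.WriteLine($"== {kv.Key}");
            foreach (var g in groups)
            {
                string name = kv.Value(g);
                Console.WriteLine($"  {name,-45} acceptable={IsAcceptableRoleName(name)}");
            }
            Console.WriteLine($"  collisions: {string.Join("; ", Collisions(groups, kv.Value))}");
        }
    }
}
```

    Running it shows the two "Admins" groups collapsing to the single name "dunnry.us\Admins" under the partition\CN scheme while canonicalName and the RID variant keep them apart, which is the over-grant risk raised above. The last sample group makes a further point: a CN that itself contains an escaped comma still yields a role name with a comma under every scheme, so the framework check rejects it regardless, and a provider has to decide whether to escape such names or refuse to expose those groups as roles.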

  •  06-17-2007, 8:48 PM 1214 in reply to 1213

    Re: ActiveDirectoryRoleProvider and ADAM : IsUserInRole problem

    Yeah, I suppose you are right.  It would be otherwise possible to have naming collisions allowing too much access which is a bigger problem than the 'move safe' issue, IMO.

    I will update the code to do this and give it a whirl to see if it will work or if the extra '\' values cause other problems.

    Ryan Dunn
    Extemporaneous Mumblings
    The .NET Developer's Guide to Directory Services Programming