Discussion:
LDAP -vs- WinNT provider
Richard Moody
2003-07-18 21:13:54 UTC
What I am trying to do is get attributes for users from AD
using ADSI through an ASP page. I am running a Windows
2000 web server with SSL and Basic Authentication. I
originally was using the WINNT provider but decided to
switch to LDAP because it provides more information and
can run faster. I have a bit of a problem though, when I
try to get all of the same attributes back for the user
using LDAP they are not all there. I know these values
exist because I have viewed them through ADAT and binding
to the domain. I am also able to get these values to
return using a VBScript and the LDAP provider. Can anyone
think of any reason that I may not be able to get these
values to return using LDAP? I have a feeling it is an
authentication issue between the web server and the DC.
The account I am using is a domain admin so rights should
have nothing to do with it. Any and all help that can be
provided would be greatly appreciated.
Richard Mueller [MVP]
2003-07-18 22:15:45 UTC
Post by Richard Moody
Hi,

If you get some attributes and not others, it can't be a problem with
authentication. Depending on your code, it could be that the attribute has
no value. Also, the LDAP provider uses different names than the WinNT
provider for many attributes. You may have to post a code snippet to
demonstrate your problem.

If you can get values using VBScript, but get nothing in ASP, then
authentication is the culprit. However, if you had no problem using WinNT in
ASP, then I'm confused. Finally, some "properties" are actually "property
methods". In some environments these cannot be retrieved directly.

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
Joe Richards [MVP]
2003-07-21 17:38:19 UTC
Hey,

It could be an authentication issue. Some information is available through pre-W2K Compatibility access via LDAP and
some isn't. It is possible that a specific anonymous connection is made and the attributes that aren't being returned
are things that aren't in one of the following property sets:

Remote Access Information
General Information
Group Membership
Account Restrictions
Logon Information

The property sets above are set up for pre-W2K compatibility access and I have seen this in IIS/ASP a couple of times
with the LDAP provider but couldn't duplicate it with normal VBScript anonymous access scripts.
--
Joe Richards
www.joeware.net

--
Richard Mueller [MVP]
2003-07-22 01:30:11 UTC
Hi Simon,

Joe refers to a compatibility setting I'm not aware of. The article that
Simon linked refers to IsAccountLocked as an ADSI property. I prefer to call
it a property method, although I can no longer find the article that
documents all of the property methods. I like the term because all property
methods return values based on other attributes. The term makes it clear
that no such value is actually stored in AD. In this case, IsAccountLocked
returns a value based on the attribute userAccountControl (and a mask). This
property method is known to not work using the LDAP provider because the
corresponding userAccountControl bit is not correct. Reading the
userAccountControl bit also fails to determine if the account is locked. The
IsAccountLocked property method exposed by the WinNT provider does work. The
only other property methods I'm aware of that are not supported by LDAP, but
supposedly are by WinNT, are PasswordExpirationDate and
PasswordMinimumLength.

In all such cases there is a way to get the information using LDAP, but it's
not as straightforward. For IsAccountLocked, you can retrieve the
lockoutTime attribute of the user object, convert this 64-bit value to a
date, and compare this date to the domain lockoutDuration attribute (also a
64-bit value) to determine if the account is still locked out. Even though
the code is longer, I think it would still be faster to retrieve this with
LDAP. I say this mostly because just binding with WinNT seems slower. I
don't know how the WinNT IsAccountLocked property method works. If you are
interested, here is a VBScript program that determines if a given user
account is locked out using LDAP and the method I described:

http://www.rlmueller.net/IsUserLocked.htm

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
Hi Richard
I experienced the same thing trying to access the IsAccountLocked property.
From the article
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/passwords.asp
I gather that not all properties in AD are supported through ADSI and vice
versa. In my case of IsAccountLocked, I switched to the WinNT provider for
just that property, using LDAP on all others.
Good luck
Simon
Post by Richard Moody
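As an added example (not code from the thread or from rlmueller.net), here is the lockout check Richard Mueller describes for the LDAP provider, written in Python rather than VBScript: take the user's lockoutTime and the domain's lockoutDuration as 64-bit values and compare, instead of relying on the IsAccountLocked property method. The attribute values are constructed inline, not read from a DC; the HighPart/LowPart helper assumes the IADsLargeInteger layout ADSI hands back.

```python
# Added example, not code from the thread. Reproduces the LDAP-side lockout
# check described in the post: lockoutTime (user) and lockoutDuration (domain)
# are 64-bit FILETIME-style values; the lock ends at lockoutTime - lockoutDuration
# because the duration is stored as a negative 100-ns interval.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Sentinel 0x8000000000000000 in lockoutDuration: lock never expires on its own.
LOCKOUT_NEVER_EXPIRES = -(2 ** 63)

def large_integer_to_int64(high_part: int, low_part: int) -> int:
    """Combine IADsLargeInteger HighPart/LowPart (both signed 32-bit in ADSI)
    into one signed 64-bit value; a negative LowPart must be shifted back into
    the unsigned range before it is combined."""
    if low_part < 0:
        low_part += 2 ** 32
    return (high_part << 32) + low_part

def filetime_to_datetime(filetime: int) -> datetime:
    """100-ns intervals since 1601-01-01 UTC (lockoutTime) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build the sample values."""
    delta = moment - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def is_account_locked(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """lockoutTime of 0 means never locked (or cleared by an admin). Otherwise
    the account stays locked until lockoutTime - lockoutDuration, unless the
    domain policy says the lock never expires."""
    if lockout_time == 0:
        return False
    if lockout_duration == LOCKOUT_NEVER_EXPIRES:
        return True
    unlock_at = filetime_to_datetime(lockout_time - lockout_duration)
    return now < unlock_at

# Constructed sample: user locked at 12:00 UTC, domain lockoutDuration of 30 min.
SAMPLE_LOCKOUT_TIME = datetime_to_filetime(datetime(2003, 7, 21, 12, 0, tzinfo=timezone.utc))
THIRTY_MINUTES = -30 * 60 * 10_000_000

if __name__ == "__main__":
    for minutes in (10, 40):
        now = filetime_to_datetime(SAMPLE_LOCKOUT_TIME) + timedelta(minutes=minutes)
        print(minutes, "min after lockout: locked =",
              is_account_locked(SAMPLE_LOCKOUT_TIME, THIRTY_MINUTES, now))
```

Note that lockoutTime is not reset to 0 when the duration elapses, which is exactly why the attribute alone (like the userAccountControl bit) cannot answer the question and the comparison above is needed.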