Thursday, January 25, 2007

After some lofty goals of getting this blog jumpstarted back in the fall, I did just the opposite and let it drop into a black hole.  To all of my faithful readers, I humbly apologize.

As part of an effort to gain some momentum again, I thought I'd try to rattle off a quick post here.  Today's topic is intended as a continuation of my series of articles on "things you can do in System.DirectoryServices.Protocols that you can't do in System.DirectoryServices".  We already discussed the ability to do Digest authentication and process server certificates.  Today's topic shows how to use S.DS.P's ability to invoke arbitrary extended operations using the ExtendedRequest/ExtendedResponse message types.

Briefly, extended requests in LDAP allow directory vendors to create whole new types of operations that are not built into the base LDAP specification.  Essentially, the directory advertises that it supports a specific type of extended operation, identified by OID, via the "supportedExtension" attribute in RootDSE (this is an operational attribute and is not returned by default, so make sure you add it to your attribute list when you search RootDSE!).  If the client knows how to pass in the data to the extended operation and knows how to interpret the results, it can invoke the extended operation.  If not, too bad.

One such common extended LDAP operation is the "Who Am I?" operation as defined by RFC 4532.  Basically, the intent is to allow the LDAP client to issue the extended operation and receive a response that identifies the user who is currently authenticated on the LDAP connection via a previous bind operation (if a bind was performed).

Interestingly, ADAM now supports the "Who Am I?" operation, as will Active Directory in the Longhorn server time frame.  As such, it makes an excellent target for investigation here, since "Who Am I?" currently has no strongly typed wrapper in S.DS.P and is also exceedingly easy to both call and interpret.  I just learned about the existence of this thing via a thread on the exceedingly great mailing list "activedir.org".  I figured I should go ahead and give it a whirl to see how it works.

Without further ado, I humbly submit a few lines of code that demonstrate binding to an ADAM instance on localhost on the default port (389) as the currently logged on user and then invoking the "Who Am I?" extended request to find out my own Windows user name (in case I forgot it :)). 

using System;
using System.DirectoryServices.Protocols;

public class AdamWhoAmI
{
    public static void Main()
    {
        // Default port 389 on localhost; LdapConnection also accepts "host:port".
        using (LdapConnection con = new LdapConnection("localhost"))
        {
            con.Bind(); // use default credentials; the current Windows user can bind to ADAM

            // The OID below is the "Who Am I?" operation as assigned in RFC 4532.
            // No request value is needed for this operation.
            ExtendedRequest whoami = new ExtendedRequest("1.3.6.1.4.1.4203.1.11.3");

            ExtendedResponse whoamiResult = (ExtendedResponse) con.SendRequest(whoami);

            // The result is a simple byte array that happens to contain UTF8 text
            // (the authzId of the bound identity).
            Console.WriteLine(System.Text.Encoding.UTF8.GetString(whoamiResult.ResponseValue));
        }
        Console.ReadLine();
    }
}

Wow, pretty fancy stuff!  This actually compiled and ran on my very first try, which usually doesn't work out.  As such, I feel confident in describing this as "exceedingly simple".  On my machine, the result looks something like:

u:machine\joe

The interesting thing here is that this "just works" and it shows a semi-practical thing you can do with this particular extensibility mechanism in LDAP that just happens to not be exposed in System.DirectoryServices at all.  I'm sure there are some practical uses for this, but the main point is just to show how to use this feature with the simplest example possible.
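As an added example (not code from the original post), the following C# first reads "supportedExtension" from RootDSE to confirm the server advertises the "Who Am I?" OID, then sends the request and interprets the authzId forms RFC 4532 allows ("dn:" or "u:" prefix, or an empty value for an anonymous session). The host/port and the Main program are assumptions.

```csharp
using System;
using System.DirectoryServices.Protocols;

// Added example: guard the extended operation with a RootDSE check and
// interpret the returned authzId per RFC 4532 / RFC 4513.
public static class WhoAmIChecked
{
    const string WhoAmIOid = "1.3.6.1.4.1.4203.1.11.3"; // RFC 4532

    public static bool ServerSupportsWhoAmI(LdapConnection con)
    {
        // RootDSE has an empty DN; supportedExtension is operational and
        // is only returned when requested explicitly.
        SearchRequest req = new SearchRequest("", "(objectClass=*)",
            SearchScope.Base, "supportedExtension");
        SearchResponse resp = (SearchResponse)con.SendRequest(req);
        if (resp.Entries.Count == 0) return false;
        SearchResultAttributeCollection attrs = resp.Entries[0].Attributes;
        if (!attrs.Contains("supportedExtension")) return false;
        foreach (string oid in attrs["supportedExtension"].GetValues(typeof(string)))
            if (oid == WhoAmIOid) return true;
        return false;
    }

    // Translates the raw response value into a readable description.
    public static string DescribeAuthzId(byte[] value)
    {
        if (value == null || value.Length == 0)
            return "anonymous (no bind, or anonymous bind)";
        string authzId = System.Text.Encoding.UTF8.GetString(value);
        if (authzId.StartsWith("dn:")) return "DN form: " + authzId.Substring(3);
        if (authzId.StartsWith("u:"))  return "user form: " + authzId.Substring(2);
        return "unrecognized authzId: " + authzId;
    }

    public static void Main()
    {
        // Assumed host/port; an ADAM instance on the default port as in the post.
        using (LdapConnection con = new LdapConnection("localhost:389"))
        {
            con.Bind(); // current Windows credentials
            if (!ServerSupportsWhoAmI(con))
            {
                Console.WriteLine("Server does not advertise Who Am I?; skipping.");
                return;
            }
            ExtendedResponse r = (ExtendedResponse)con.SendRequest(new ExtendedRequest(WhoAmIOid));
            Console.WriteLine(DescribeAuthzId(r.ResponseValue)); // e.g. "user form: machine\joe"
        }
    }
}
```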

Thursday, January 25, 2007 5:32:39 PM (Central Standard Time, UTC-06:00)