Long story short, a client wants to be able to use the nested groups in their Active Directory (AD from now on) when integrating with my favorite CMS, Farcry. Nested groups are a feature available in some directory servers, including newer versions of AD, that allows administrators to place groups as members of other groups, enabling dynamic and complex group membership hierarchies.

Farcry has "out-of-the-box" ability to do AD integration, and it does this using 2 external components:

ntadmin.dll

  • enumerates a domain's groups
  • gets a group's description
  • gets a user's description

jrun.security.ntauth package

  • authenticates users
  • gets user's group membership

Well, the documentation on jrun.security.ntauth is light, and from all my testing, there is no way to get it to return a user's nested groups. To me, this sounds like a job for LDAP. My approach was the following:

  • get user's group membership
  • loop through returned groups
  • get their group membership
  • lather, rinse, repeat (the last 2 steps)

I feel more comfortable using recursion to do the job; however, I'm sure this can be done using some clever iterative construct. Additionally, I thought this would be a good time to compare CFLDAP and JLDAP (see previous entry). From my tests, using JLDAP is 2-5 times faster than CFLDAP, and I'm positive that this factor will only increase with the number of groups/levels of nesting (as each CFLDAP call must connect to the server, bind, and then perform the read operation, whereas JLDAP only has to connect and bind once).
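Here is the walk described above written out both ways, recursive and with an explicit worklist. This is an added example, not the ldaputil.cfc code from the post: it runs against a constructed in-memory stand-in for the directory (a dict of DN to memberOf values) instead of a live server, and it counts reads so you can see why one read per group adds up when each read also has to bind. The sample includes a membership cycle (Code and Tools contain each other), which AD permits and which a naive recursion would loop on forever.

```python
from typing import Dict, List, Set

BASE = "OU=Groups,DC=myDomain,DC=COM"
USER = "CN=myTestUser,OU=Users,DC=myDomain,DC=COM"

# Constructed sample directory: entry DN -> values of its memberOf attribute.
# Code <-> Tools form a cycle, so every walker must remember what it has seen.
DIRECTORY: Dict[str, List[str]] = {
    USER: [f"CN=Techs,{BASE}"],
    f"CN=Techs,{BASE}": [f"CN=DMS_reset,{BASE}", f"CN=Code,{BASE}"],
    f"CN=DMS_reset,{BASE}": [],
    f"CN=Code,{BASE}": [f"CN=Tools,{BASE}"],
    f"CN=Tools,{BASE}": [f"CN=Code,{BASE}"],
}


class FakeLdap:
    """Stand-in for one bound LDAP connection. Each member_of() call is one
    read, which with CFLDAP would also mean one connect and one bind."""

    def __init__(self, directory: Dict[str, List[str]]) -> None:
        self.directory = directory
        self.reads = 0

    def member_of(self, dn: str) -> List[str]:
        self.reads += 1
        return self.directory.get(dn, [])


def nested_groups_recursive(conn: FakeLdap, dn: str, seen: Set[str] = None) -> List[str]:
    """Read memberOf, then recurse into each group not yet visited."""
    if seen is None:
        seen = set()
    for group in conn.member_of(dn):
        if group not in seen:
            seen.add(group)
            nested_groups_recursive(conn, group, seen)
    return sorted(seen)


def nested_groups_iterative(conn: FakeLdap, dn: str) -> List[str]:
    """Same transitive closure with a worklist; no recursion depth to worry about."""
    seen: Set[str] = set()
    pending = [dn]
    while pending:
        for group in conn.member_of(pending.pop()):
            if group not in seen:
                seen.add(group)
                pending.append(group)
    return sorted(seen)
```

Both walkers return the same four groups for myTestUser (DMS_reset is reached only through Techs) and both issue exactly five reads, one per distinct entry visited.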

One caveat to using JLDAP in this situation is that it must be fed a fully qualified distinguished name (DN), but CFLDAP can be satisfied by <ntdomain name>\<user name>. So, with my CFC, if you setProvider("JLDAP"), you must pass in a full DN.

Click Here To Download ldaputil.cfc (in .txt format)

Here's an example comparing the two providers:

<cfset lc = createObject("component", "ldaputil").init()/>
<cfset lc.setHostName("myLdapServerAddress")/>
<cfset lc.setHostPort(389)/>
<cfset lc.setTimeout(2000)/>

<cfset lc.setProvider("CFLDAP")/>
<cfset t1 = getTickCount()/>
<cfset lc.getUserGroups("CN=myTestUser,OU=Users,DC=myDomain,DC=COM", "testUser'sPassword")/>
<cfdump var="#(getTickCount()-t1)#" label="CFLDAP execution time (ms)"/>

<cfset lc.setProvider("JLDAP")/>
<cfset t2 = getTickCount()/>
<cfset lc.getUserGroups("CN=myTestUser,OU=Users,DC=myDomain,DC=COM", "testUser'sPassword")/>
<cfdump var="#(getTickCount()-t2)#" label="JLDAP execution time (ms)"/>

08/17/2004 05:50 P - PJ said...
The link to your ldaputil.cfc file is broken. Could you repost? Thanks.

10/13/2004 10:34 A - JC said...
How about updating the members of a group?  Have you ever attempted to do that?

04/01/2005 03:13 A - Andrew said...
Is there a way in CFMX to do the equivalent of the following so more than 1000 records are returned?
objCommand.Properties("Page Size") = 1000


04/01/2005 03:17 A - Andrew said...
http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug04/hey0824.mspx

04/02/2005 11:29 P - Dave Ross said...
JC - should be straightforward... hope you figured it out (it's been 6 months since your comment... I must have missed the notification).

Andrew - JLDAP has a few "LDAPConstraints" classes, such as LDAPSearchConstraints. You can use these to limit the number of records returned; however, I believe by default JLDAP will return as many records as it finds.

12/05/2005 01:39 P - Michael Dawson said...
Andrew, if you are still having issues with CFMX LDAP and 1,000 records, you need to Google "ntdsutil" and "maxPageSize".

By default, AD sets a 1,000-record limit on all LDAP queries. You can set this to a much higher limit using ntdsutil.

03/14/2007 09:13 A - Tom Winter said...
Have you ever tried the tokengroups attributes for an AD LDAP query?

05/11/2007 08:15 P - Jesse said...
So, sorry for the lame question, but this will output the groups a person is a member of? I can't seem to get this output to display. I am trying to figure out how I can display what groups a user is a member of. Basically, I have DMS_reset that has Techs and Code as members; when I view a user that is a member of tech, I don't see that they are a member of DMS_reset, and it's making me bonkers! Any help? Thanks

05/11/2009 02:38 A - Princess said...
Standalone LDAP directory servers soon followed, as did directory servers supporting both LDAP and DAP. The latter has become popular in enterprises, Kryptos, as LDAP removed any need to deploy an OSI network. Today, X.500 directory protocols including DAP can also be used directly over TCP/IP.

05/11/2009 02:48 A - Jaidyn said...
In the early engineering stages of LDAP, it was known as Lightweight Directory Browsing Protocol, or LDBP. It was renamed as the scope of the protocol was expanded to include not only directory browsing and searching functions, but also directory update functions. To read more about LDAP, click here.


Driven by Farcry Open Source CMS. Dressed in Aura.
Powered by ColdFusion MX.