Active Directory/LDAP.
-
Hi all,

We have a client/server (C/C++/MFC/Win32) application that historically has used an internal table for managing users/passwords/product permissions etc. We've had a request from a customer to manage these types of things via Active Directory and take advantage of Single Sign-on etc. I know very little about Active Directory since we don't use it here in our office, but I've done a fair amount of reading and managed to set one up in a VM for testing purposes.

Questions:
1) Since much of our product depends on OUR UserID table and we have some customers that want to use AD, I'm thinking we should be importing account information FROM Active Directory periodically. Does this sound right?
2) When a user logs in - should I be authenticating the user through Active Directory and NOT our internal mechanism?
3) Does Active Directory have a means for me to define a list of permission options that the ADMIN can manage? i.e. Add Record, Delete Record, Update Record, that I can check against when one of these operations is performed in our product.
4) I have found a lot of AD code in C#, but I'm having a harder time finding stuff in C++. Anyone have any good examples?

Anything you could forward my way would be greatly appreciated.

Cheers.
Mike.
-
The Active Directory (AD) is an architecture where domains (containers of users, groups, resources and access lists) derive from each other hierarchically into forests and trust each other between forests. The way they do this depends on how the managers of your client organization organize their information system, and -ideally- the AD architecture, either by domain derivation or trusteeship, can span the world. Think of the AD as a "generalized DNS for users". You cannot download the entire DNS to get an IP address, hence you cannot pretend to download the AD. You must instead query the AD.

Your application should NOT contain any "user login". You should simply get who the user actually is on a machine by querying the proper OS API (GetUsername ... or similar, not sure about it, but MSDN may help) and, to decide if the user can do a given operation or not, you must check if such a user is part of a given user group or not (the API should be IsInRole ... or something similar). The names of the groups corresponding to your app privileges should be loaded from a config file (the domain administrator will typically place it in a read-only place) and should be defined by the domain admin itself. This is a minimum way to start with. And it is valid -as a concept- also for a standard LDAP server, not necessarily AD.

2 bugs found. > recompile ... 65534 bugs found. :doh:
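As an added example, not code from this thread: the Win32 way to do what the reply above describes in C++. Permission names are mapped to AD group names in a config file the domain admin controls (the "Permission=DOMAIN\Group" line format is my own assumption), the group name is resolved to a SID with LookupAccountName, and the current user's token is tested with CheckTokenMembership; on non-Windows builds the check simply denies.

```cpp
// Added example (not from the thread): a Win32 "IsInRole" check in C++.
// Permissions map to AD group names from an admin-controlled config file;
// the caller's token is tested with CheckTokenMembership. Link advapi32.lib.
#include <map>
#include <sstream>
#include <string>
#ifdef _WIN32
#include <windows.h>
#endif
typedef std::map<std::string, std::string> PermissionMap;

// Parse "Permission=DOMAIN\Group" lines (constructed format for this example).
// Blank lines and '#' comments are skipped; malformed lines are ignored.
PermissionMap ParsePermissionConfig(const std::string& text) {
    PermissionMap m;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // CRLF files
        if (line.empty() || line[0] == '#') continue;
        size_t eq = line.find('=');
        if (eq == std::string::npos || eq == 0) continue;
        m[line.substr(0, eq)] = line.substr(eq + 1);
    }
    return m;
}

// True if the caller's token is a member of groupName ("DOMAIN\Group").
// CheckTokenMembership also honours nested groups, unlike a raw LDAP memberOf.
bool IsCurrentUserInGroup(const std::string& groupName) {
#ifdef _WIN32
    BYTE sid[SECURITY_MAX_SID_SIZE];
    DWORD sidLen = sizeof(sid), domLen = 256;
    char domain[256];
    SID_NAME_USE use;
    // Resolve the group name to a SID; an unresolvable group is a deny.
    if (!LookupAccountNameA(NULL, groupName.c_str(), sid, &sidLen, domain, &domLen, &use))
        return false;
    BOOL member = FALSE;
    if (!CheckTokenMembership(NULL, sid, &member)) return false;  // API error: deny
    return member == TRUE;
#else
    (void)groupName; return false;  // token API is Win32-only; deny elsewhere
#endif
}

// Deny by default: a permission with no configured group is never granted.
bool HasPermission(const PermissionMap& cfg, const std::string& perm) {
    PermissionMap::const_iterator it = cfg.find(perm);
    return it != cfg.end() && IsCurrentUserInGroup(it->second);
}
```

Because the group names live in the config rather than the code, the admin can rename or re-scope a group without a rebuild, and an unknown or unresolvable group fails closed.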
-
Thanks for your reply - much appreciated. I'm finding lots of code related to group membership (IsInRole etc) for C#, but not a whole lot in Win32, any help? Also, is there a way I can query for a list of users in the group? Again, thanks a lot for your reply.
M.
-
Mike Doner wrote:
I'm finding lots of code related to group membership (IsInRole etc) for C#, but not a whole lot in Win32
There is a chapter of the MS-SDK called "Security" that describes all the aspects, including "Authentication" and "Authorization", and also has sections about C++. It's all about COM objects. That's why they mostly have C# wrappers: COM is natively marshaled into .NET. Give a look to http://msdn.microsoft.com/en-us/library/aa375769%28v=VS.85%29.aspx
2 bugs found. > recompile ... 65534 bugs found. :doh: