How to read Dynamic Access Control objects using LDAP
This code sample will enumerate all of the Dynamic Access Control objects in Active Directory.
Prerequisites
- C# and .NET Framework programming
- Basic understanding of the System.DirectoryServices.Protocols namespace and its objects and methods.
Note: This example contains queries that use Active Directory schema attributes, such as msDS-ClaimAttributeSource. For information about the specific attributes used in the example, see All Attributes.
Instructions
Step 1:
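/***********************************************
 *
 * Find all of the Claim Types in the directory.
 *
 ***********************************************/

// Create a new Ldap endpoint with an empty server. This call will use the
// standard DC locator methods to locate a Domain Controller.
var endpoint = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(string.Empty);

// Create a new Ldap connection. LdapConnection owns a native LDAP session and
// is IDisposable, so it is wrapped in a using block; the original sample never
// released it. The connection uses the default authentication type (Negotiate)
// and the default session options.
// NOTE(review): for code that reads authorization policy objects, consider
// setting ldap_connection.SessionOptions.Signing and .Sealing explicitly so the
// session is integrity-protected regardless of client defaults; confirm against
// the target environment's LDAP signing policy.
using (var ldap_connection = new System.DirectoryServices.Protocols.LdapConnection(endpoint))
{
    // Helper: read a single-valued string attribute from an entry, or return
    // null when the entry does not carry that attribute. The attribute
    // collection indexer yields null for an absent attribute, which the
    // original sample dereferenced unconditionally.
    System.Func<System.DirectoryServices.Protocols.SearchResultEntry, string, string> read_attribute =
        (entry, attribute_name) =>
        {
            var attribute = entry.Attributes[attribute_name];
            return (attribute != null && attribute.Count > 0) ? attribute[0].ToString() : null;
        };

    // Helper: run a one-level "(cn=*)" search under base_dn requesting the
    // named attributes and return the typed response. SendRequest throws
    // DirectoryOperationException when the server rejects the search.
    System.Func<string, string[], System.DirectoryServices.Protocols.SearchResponse> search_one_level =
        (base_dn, attributes) =>
        {
            var search = new System.DirectoryServices.Protocols.SearchRequest(
                base_dn,
                "(cn=*)",
                System.DirectoryServices.Protocols.SearchScope.OneLevel,
                attributes);
            return (System.DirectoryServices.Protocols.SearchResponse)ldap_connection.SendRequest(search);
        };

    // Create a search request to locate the Configuration Naming Context for
    // the forest. An empty base DN with a base-scope search reads the rootDSE.
    var rootdse_request = new System.DirectoryServices.Protocols.SearchRequest(
        "",
        "(objectClass=*)",
        System.DirectoryServices.Protocols.SearchScope.Base,
        new string[] { "configurationNamingContext" });

    // Execute the search and cast the response as a SearchResponse.
    var rootdse_response = (System.DirectoryServices.Protocols.SearchResponse)ldap_connection.SendRequest(rootdse_request);

    // Get the Configuration container DN for the forest. Fail with a clear
    // message instead of indexing an empty result set.
    if (rootdse_response.Entries.Count == 0)
    {
        throw new System.InvalidOperationException("The rootDSE search returned no entries.");
    }
    string configuration_dn = read_attribute(rootdse_response.Entries[0], "configurationNamingContext");
    if (string.IsNullOrEmpty(configuration_dn))
    {
        throw new System.InvalidOperationException("The rootDSE did not expose configurationNamingContext.");
    }

    // All four object types live under the Claims Configuration container in
    // the Configuration Naming Context.
    string claims_configuration_dn = string.Format("CN=Claims Configuration,CN=Services,{0}", configuration_dn);

    // Calculate the Claim Types container DN based on the Configuration DN.
    string claims_dn = string.Format("CN=Claim Types,{0}", claims_configuration_dn);

    // Create and execute a search request for Claim Types.
    var response = search_one_level(
        claims_dn,
        new string[]
        {
            "name",
            "description",
            "displayname",
            "enabled",
            "msDS-ClaimAttributeSource",
            "msDS-ClaimSource",
            "msDS-ClaimTypeAppliesToClass",
            "msDS-ClaimSourceType",
            "msDS-ClaimIsSingleValued",
            "msDS-ClaimPossibleValues",
            "msDS-ClaimValueType",
            "msDS-ClaimIsValueSpaceRestricted"
        });

    // Enumerate the results.
    foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in response.Entries)
    {
        // claim_id is the entry's "name" attribute (null if absent); process it here.
        string claim_id = read_attribute(entry, "name");
    }

    /***********************************************
     *
     * Find all of the Resource Properties in the directory.
     *
     ***********************************************/

    // Calculate the Resource Property container DN based on the Configuration DN.
    string resource_properties_dn = string.Format("CN=Resource Properties,{0}", claims_configuration_dn);

    // Create and execute a search request for Resource Properties.
    response = search_one_level(
        resource_properties_dn,
        new string[]
        {
            "name",
            "description",
            "displayname",
            "enabled",
            "msDS-IsUsedAsResourceSecurityAttribute",
            "msDS-ClaimSharesPossibleValuesWith",
            "msDS-ValueTypeReference",
            "msDS-MembersOfResourcePropertyListBL",
            "msDS-ClaimPossibleValues",
            "msDS-AppliesToResourceTypes"
        });

    // Enumerate the results.
    foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in response.Entries)
    {
        // rp_id is the entry's "name" attribute (null if absent); process it here.
        string rp_id = read_attribute(entry, "name");
    }

    /***********************************************
     *
     * Find all of the Central Access Rules in the directory.
     *
     ***********************************************/

    // Calculate the Central Access Rules container DN based on the Configuration DN.
    string car_dn = string.Format("CN=Central Access Rules,{0}", claims_configuration_dn);

    // Create and execute a search request for Central Access Rules.
    response = search_one_level(
        car_dn,
        new string[]
        {
            "name",
            "description",
            "displayname",
            "enabled",
            "msAuthz-EffectiveSecurityPolicy",
            "msAuthz-LastEffectiveSecurityPolicy",
            "msAuthz-ProposedSecurityPolicy",
            "msAuthz-ResourceCondition"
        });

    // Enumerate the results.
    foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in response.Entries)
    {
        // car_id is the entry's "name" attribute (null if absent); process it here.
        string car_id = read_attribute(entry, "name");
    }

    /***********************************************
     *
     * Find all of the Central Access Policies in the directory.
     *
     ***********************************************/

    // Calculate the Central Access Policies container DN based on the Configuration DN.
    string cap_dn = string.Format("CN=Central Access Policies,{0}", claims_configuration_dn);

    // Create and execute a search request for Central Access Policies.
    // NOTE(review): this attribute list is identical to the Central Access
    // Rules list above. Central Access Policy objects carry their own
    // attributes (for example msAuthz-MemberRulesInCentralAccessPolicy, which
    // links a policy to its rules); confirm the list against the Central
    // Access Policy object class in the schema before relying on it.
    response = search_one_level(
        cap_dn,
        new string[]
        {
            "name",
            "description",
            "displayname",
            "enabled",
            "msAuthz-EffectiveSecurityPolicy",
            "msAuthz-LastEffectiveSecurityPolicy",
            "msAuthz-ProposedSecurityPolicy",
            "msAuthz-ResourceCondition"
        });

    // Enumerate the results.
    foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in response.Entries)
    {
        // cap_id is the entry's "name" attribute (null if absent); process it here.
        string cap_id = read_attribute(entry, "name");
    }
}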
Related topics