This is my first attempt in trying to query our LDAP server for AD info. When I am trying to query the LDAP server here is what I'm trying to retrieve:
I am trying to retrieve all active employees with a countlimit of 500 records whose displayname starts with "sav", has an email address and has a userAccountControl attribute of 512. The problem I'm encountering is that I'm only getting back 8 records total. I should literally be getting back at least 10 records.
I did a separate search on the 2 records that were NOT retrieved in my search and each had an email address and a userAccountControl value of 512. So I'm not sure why those 2 records were missing.
I'm sure I've done something wrong in my syntax but I cannot find what it is. Any HELP/DIRECTION would be appreciated. Thank you.
After googling I've defined the SEARCH FILTER as:
String searchFilter = "(&(objectClass=user)(displayname="+displayname+"*"+")(mail=*)(userAccountControl=512))";
Please see my complete method below:
public List<String> getAutocompleteEmpRecordsList(String displayname, LdapContext ctx) {
List<String> activeEmpAttributes = new ArrayList<String>();
Attributes attrs = null;
int count = 0;
int empEmailAddrLen = 0;
try {
SearchControls constraints = new SearchControls();
constraints.setCountLimit(500);
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
String[] attrIDs = {"displayname", "mail", "userAccountControl"};
constraints.setReturningAttributes(attrIDs);
String searchFilter = "(&(objectClass=user)(displayname="+displayname+"*"+")(mail=*)(userAccountControl=512))";
NamingEnumeration answer = ctx.search("OU=Standard,OU=Users,DC=xxx,DC=org", searchFilter, constraints);
if (answer != null) {
while (answer.hasMore()) {
attrs = ((SearchResult) answer.next()).getAttributes();
if (attrs.get("displayname") != null) {
int empNameLen = attrs.get("displayname").toString().length();
activeEmpAttributes.add(attrs.get("displayname").toString().substring(13, empNameLen));
}
count++;
ctx.close();
}
}
else {
throw new Exception("Invalid User");
}
System.out.println("activeEmpAttributes: " + activeEmpAttributes);
System.out.println("count: " + activeEmpAttributes.size());
} catch (Exception ex) {
ex.printStackTrace();
}
return activeEmpAttributes;
}
You may be confusing displayname attribute and cn attribute.
On Windows server you've got a command line tool called LDIDIFDE.EXE which can allow you to test your filter.
ldifde -f datas.ldf -d "OU=Standard,OU=THR Users,DC=txhealth,DC=org" -r "(&(objectClass=user)(displayname=sav*)(mail=*)(userAccountControl=512))"
ldifde -f datas.ldf -d "OU=Standard,OU=THR Users,DC=txhealth,DC=org" -r "(&(objectClass=user)(cn=sav*)(mail=*)(userAccountControl=512))"
In the User and computer MMC you can also test your filter.
Start User and computer Active-Directory :
Right buton on registered request :
Choose personalize search, you've got an helper tab for common attributes :
You can choose personalized tab for technical attributes
You can test en copy the resulting LDAP filter (you don't need the double (& one is enough):
Can you post your userAccountControl, displayName, and mail values for the two excluded users?
FWIW the medial search on displayName would run alot faster if you add a tuple index to it.
I downloaded a free AD tool to view all in AD that I needed and it showed me that the data was not the problem but I was just not hitting all the OU's that I needed because there is NOT just 1 OU where all our users are stored.
Consequently, after googling some more I found a page on the Oracle site regarding LDAP and I changed my LDAPContext to DirContext for my connection to do searches within the directory as well as using this context's REFERRAL and set the value to "follow" to avoid the PartialSearchException.
I thought I'd post my findings just in case some other newbie ran into the same issue.
If you see a downside to the changes I made please let me know. Regards.
Here is my corrected code:
public List<String> getAutocompleteEmpRecordsList(String displayname, DirContext ctx) {
List<String> activeEmpAttributes = new ArrayList<String>();
Attributes attrs = null;
int count = 0;
int empEmailAddrLen = 0;
try {
SearchControls constraints = new SearchControls();
constraints.setCountLimit(500);
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
String[] attrIDs = {"displayname", "mail", "userAccountControl"};
constraints.setReturningAttributes(attrIDs);
String searchFilter = "(&(objectClass=user)(displayname="+displayname.trim()+"*"+")(mail=*)(userAccountControl=512))";
NamingEnumeration answer = ctx.search("DC=xxx,DC=org", searchFilter, constraints);
if (answer != null) {
while (answer.hasMore()) {
attrs = ((SearchResult) answer.next()).getAttributes();
if (attrs.get("displayname") != null) {
int empNameLen = attrs.get("displayname").toString().length();
activeEmpAttributes.add(attrs.get("displayname").toString().substring(13, empNameLen));
}
count++;
ctx.close();
}
}
else {
throw new Exception("Invalid User");
}
System.out.println("activeEmpAttributes: " + activeEmpAttributes);
System.out.println("count: " + activeEmpAttributes.size());
} catch (Exception ex) {
ex.printStackTrace();
}
return activeEmpAttributes;
}
Thanks anyway.
Related
I am trying to unlock user account using spring ldap and getting the error message
""Malformed 'LockoutTime' attribute value" exception.
My code looks like below
public boolean unlockAccount(Name dn) {
ModificationItem item = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("lockoutTime", 0));
ldapTemplate.modifyAttributes(dn, new ModificationItem[] {item});
return true;
}
I am using Windows server 2016 and Spring ldap 2.3.2.
Is 'lockoutTime' the correct attribute to unlock an account ?
Is there anything else I am missing ?
In LDAP if you type the wrong password for more than 5 times, the account gets locked. If you want to unlock the user you have to delete an operational attribute name as pwdAccountLockedTime.
public String unlockUser(Users pvo) {
System.out.println("this is pvo" + pvo);
Name dn = buildDn(pvo);
DirContextOperations context = ldapTemplate.lookupContext(dn);
ModificationItem[] modificationItems;
modificationItems = new ModificationItem[1];
modificationItems[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
new BasicAttribute("pwdAccountLockedTime"));
ldapTemplate.modifyAttributes(dn, modificationItems);
return "Account Unlocked";
}
build Dn for your LDAP and use the above code then the user gets unlocked.
String[] attrIDs = new String[] { "lockoutTime", "sAMAccountName",
"distinguishedName","pwdLastSet", "accountExpires", "userAccountControl",
"IsAccountLocked" };
ctls.setReturningAttributes(attrIDs);
ctls.setSearchScope(2);
String filter = "(&(objectClass=user)(objectCategory=Person)(sAMAccountName=" +
samaccountname+ "))";
NamingEnumeration<SearchResult> answer = ctx.search(adManagedOU, filter,ctls);
while (answer.hasMore()) {
SearchResult rs = answer.next();
Attributes attrs = rs.getAttributes();
distinguishedName = rs.getNameInNamespace();
String[] lockouttime = null;
String lockOutValue=attrs.get("lockoutTime");
if (lockOutValue != null)
{
lockouttime = attrs.get("lockoutTime").toString().split(":");
if (Long.valueOf(lockouttime[1].trim()) > 0) {
ModificationItem[] mods1 = new ModificationItem[] {
new ModificationItem(2, new BasicAttribute("lockoutTime", "0") )
};
((DirContext) ctls).modifyAttributes(distinguishedName, mods1);
}
else
{
LOGGER.info(username + " Account Not Locked");
}
The only values that may be set on lockouttime is to set the value to "0" which will effectively un-lock the account.
To learn more on Microsoft Active Directory Lockouts.
Setting the value to a String instead of an int makes this work, at least with AWS Simple AD.
ModificationItem item = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("lockoutTime", "0"));
ldapTemplate.modifyAttributes(dn, new ModificationItem[] {item});
I am looking for a way to dynamically populate my VCD file. I have a Code snippet from the Windows documentation that reads as follows:
Windows.ApplicationModel.VoiceCommands.VoiceCommandDefinition.VoiceCommandSet commandSetEnUs;
if (Windows.ApplicationModel.VoiceCommands.VoiceCommandDefinitionManager.
InstalledCommandSets.TryGetValue(
"AdventureWorksCommandSet_en-us", out commandSetEnUs))
{
await commandSetEnUs.SetPhraseListAsync(
"destination", new string[] {“London”, “Dallas”, “New York”, “Phoenix”});
}
But, when I put this into my version of App.OnActivated() Visual Studio shows an error saying that VoiceCommandSet is not contained in "Windows.ApplicationModel.VoiceCommands.VoiceCommandDefinition". My questions are:
Am I doing that in the wrong place? Do you know any example projects, that show how to do this properly? (I looked into Adventure Works, but didn't find these lines over there) Or am I missing some references, that I'm not aware of?
public async Task UpdateDestinationPhraseList()
{
try
{
// Update the destination phrase list, so that Cortana voice commands can use destinations added by users.
// When saving a trip, the UI navigates automatically back to this page, so the phrase list will be
// updated automatically.
VoiceCommandDefinition commandDefinitions;
string countryCode = CultureInfo.CurrentCulture.Name.ToLower();
if(countryCode.Length == 0)
{
countryCode = "en-us";
}
if (VoiceCommandDefinitionManager.InstalledCommandDefinitions.TryGetValue("AdventureWorksCommandSet_" + countryCode, out commandDefinitions))
{
List<string> destinations = new List<string>();
foreach (Model.Trip t in store.Trips)
{
destinations.Add(t.Destination);
}
await commandDefinitions.SetPhraseListAsync("destination", destinations);
}
}
catch (Exception ex)
{
System.Diagnostics.Debug.WriteLine("Updating Phrase list for VCDs: " + ex.ToString());
}
}
I have a requirement to check if the users in my application are active users in active directory.
I need to send a notification when one of the user alias becomes invalid.
In most of the examples I see validating only one user at a time against ADFS using LDAP which is going to take a very long time large number of users.
Is there any way by which I can validate by sending a list of users and validate, so that it will be faster?
Thanks.
Out the box in ADFS, no.
This sounds like something you should call from your app. using the AD C# API's.
Refer Howto: (Almost) Everything In Active Directory via C#.
Or (in some cases) Everything in Active Directory via C#.NET 3.5 (Using System.DirectoryServices.AccountManagement)
Starting with .Net 3.5 there's System.DirectoryServices.AccountManagement
I'd code something like
public List<string> InvalidUsernames (List<string> usernames)
{
var result = new List<string>();
var domainName = "OkieDokie";
var ldapContext = new PrincipalContext(ContextType.Domain, domainName);
foreach (var username in usernames)
{
var user = UserPrincipal.FindByIdentity(ldapContext, username);
if (user == null) //null means it couldn't be found
{
result.Add(username);
}
}
return result;
}
But it all depends on what you consider active/invalid. In the if you could check for the user.AccountExpirationDate (?date) or user.Enabled (?bool).
Or if you do have a common group for all of them, you could replace the previous foreach and use:
var usersGroup = UsernamesInGroup("theONEgroup");
foreach (var username in usernames)
{
var user = UserPrincipal.FindByIdentity(ldapContext, username);
if (user == null) //null means it couldn't be found
{
result.Add(username);
}
}
public List<string> UsernamesInGroup(string groupName)
{
GroupPrincipal grupo = GroupPrincipal.FindByIdentity(MainOU, groupName);
return UsernamesInGroup(group);
}
public List<string> UsernamesInGroup(GroupPrincipal gp)
{
List<string> userNames = new List<string>();
var principalsInGroup = gp.GetMembers(true);
foreach (Principal principal in principalsInGroup)
{
if (principal.StructuralObjectClass == "user")
{
userNames.Add(principal.SamAccountName);
}
}
return userNames;
}
I was going through the SOQL documentation , but couldn't find query to fetch all the field data of an entity say , Account , like
select * from Account [ SQL syntax ]
Is there a syntax like the above in SOQL to fetch all the data of account , or the only way is to list all the fields ( though there are lot of fields to be queried )
Create a map like this:
Map<String, Schema.SObjectField> fldObjMap = schema.SObjectType.Account.fields.getMap();
List<Schema.SObjectField> fldObjMapValues = fldObjMap.values();
Then you can iterate through fldObjMapValues to create a SOQL query string:
String theQuery = 'SELECT ';
for(Schema.SObjectField s : fldObjMapValues)
{
String theLabel = s.getDescribe().getLabel(); // Perhaps store this in another map
String theName = s.getDescribe().getName();
String theType = s.getDescribe().getType(); // Perhaps store this in another map
// Continue building your dynamic query string
theQuery += theName + ',';
}
// Trim last comma
theQuery = theQuery.subString(0, theQuery.length() - 1);
// Finalize query string
theQuery += ' FROM Account WHERE ... AND ... LIMIT ...';
// Make your dynamic call
Account[] accounts = Database.query(theQuery);
superfell is correct, there is no way to directly do a SELECT *. However, this little code recipe will work (well, I haven't tested it but I think it looks ok). Understandably Force.com wants a multi-tenant architecture where resources are only provisioned as explicitly needed - not easily by doing SELECT * when usually only a subset of fields are actually needed.
You have to specify the fields, if you want to build something dynamic the describeSObject call returns the metadata about all the fields for an object, so you can build the query from that.
I use the Force.com Explorer and within the schema filter you can click the checkbox next to the TableName and it will select all the fields and insert into your query window - I use this as a shortcut to typeing it all out - just copy and paste from the query window. Hope this helps.
In case anyone was looking for a C# approach, I was able to use reflection and come up with the following:
public IEnumerable<String> GetColumnsFor<T>()
{
return typeof(T).GetProperties(System.Reflection.BindingFlags.Public | System.Reflection.BindingFlags.Instance)
.Where(x => !Attribute.IsDefined(x, typeof(System.Xml.Serialization.XmlIgnoreAttribute))) // Exclude the ignored properties
.Where(x => x.DeclaringType != typeof(sObject)) // & Exclude inherited sObject propert(y/ies)
.Where(x => x.PropertyType.Namespace != typeof(Account).Namespace) // & Exclude properties storing references to other objects
.Select(x => x.Name);
}
It appears to work for the objects I've tested (and matches the columns generated by the API test). From there, it's about creating the query:
/* assume: this.server = new sForceService(); */
public IEnumerable<T> QueryAll<T>(params String[] columns)
where T : sObject
{
String soql = String.Format("SELECT {0} FROM {1}",
String.Join(", ", GetColumnsFor<T>()),
typeof(T).Name
);
this.service.QueryOptionsValue = new QueryOptions
{
batchsize = 250,
batchSizeSpecified = true
};
ICollection<T> results = new HashSet<T>();
try
{
Boolean done = false;
QueryResult queryResult = this.service.queryAll(soql);
while (!finished)
{
sObject[] records = queryResult.records;
foreach (sObject record in records)
{
T entity = entity as T;
if (entity != null)
{
results.Add(entity);
}
}
done &= queryResult.done;
if (!done)
{
queryResult = this.service.queryMode(queryResult.queryLocator);
}
}
}
catch (Exception ex)
{
throw; // your exception handling
}
return results;
}
For me it was the first time with Salesforce today and I came up with this in Java:
/**
* #param o any class that extends {#link SObject}, f.ex. Opportunity.class
* #return a list of all the objects of this type
*/
#SuppressWarnings("unchecked")
public <O extends SObject> List<O> getAll(Class<O> o) throws Exception {
// get the objectName; for example "Opportunity"
String objectName= o.getSimpleName();
// this will give us all the possible fields of this type of object
DescribeSObjectResult describeSObject = connection.describeSObject(objectName);
// making the query
String query = "SELECT ";
for (Field field : describeSObject.getFields()) { // add all the fields in the SELECT
query += field.getName() + ',';
}
// trim last comma
query = query.substring(0, query.length() - 1);
query += " FROM " + objectName;
SObject[] records = connection.query(query).getRecords();
List<O> result = new ArrayList<O>();
for (SObject record : records) {
result.add((O) record);
}
return result;
}
I used following to get complete records-
query_all("Select Id, Name From User_Profile__c")
To get complete fields of record, we have to mention those fields as mentioned here-
https://developer.salesforce.com/docs/atlas.en-us.soql_sosl.meta/soql_sosl/sforce_api_calls_soql_select.htm
Hope will help you !!!
I am using DirectorySearcher to get all AD users' display name from company AD server, we have around 100k records and most of results are correct.
But we got near 100 users' display name are "$CimsUserVersion2", it's really a odd result, I checked in outlook which also sync display name from AD, the name is correct
Have u facing same issue?
Thanks a lot
using (var de = new DirectoryEntry("LDAP://" + domain))
{
using (var search = new DirectorySearcher(de))
{
search.Filter = "CN=" + userName;
var results = search.FindAll();
string temp = results[0].Properties["displayname"][0].ToString();
if (string.IsNullOrEmpty(temp))
{
return string.Empty;
}
else
{
return temp;
}
}
}
Not sure if that's the problem - but I think you'd need to tell your searcher that you want the displayName attribute to be loaded:
using (var de = new DirectoryEntry("LDAP://" + domain))
{
using (var search = new DirectorySearcher(de))
{
search.Filter = "CN=" + userName;
search.PropertiesToLoad.Add("displayName"); // specify "displayname" to be returned from search
var results = search.FindAll();
string temp = results[0].Properties["displayname"][0].ToString();
if (string.IsNullOrEmpty(temp))
{
return string.Empty;
}
else
{
return temp;
}
}
}
Don't you automate the provisioning of UNIX users and groups into Microsoft Active Directory with "Centrify DirectControl".
This tool uses a simple object model to manage the UNIX-specific properties for users, groups, computers, and zones, as well as UNIX NIS services.
As far as I understand it uses Active-Directory attributes to register some special informations.
UserVersion is map to displayName :
UserVersion determines compatibility between a user profile object and the Centrify DirectControl Administrator Console. The only valid value for this attribute is $CimsUserVersion2.
For example:
displayName: $CimsUserVersion2