AD-Enabling Your Applications

As predicted, businesses small and large around the world are rapidly adopting the Windows 2000 Server OS. I saw a recent survey on a book publisher's Web site in which adoption of Win2K Server was greater than 50 percent, and more than 25 percent more businesses planned to adopt it over the next 3 months. Customer adoption numbers included in upcoming independent surveys will be even more staggering.

Also as predicted, developers and administrators alike are struggling with the purpose and complexity of the Active Directory (AD). Many developers and administrators want to AD-enable their applications but don't know where to start. If you're in that perplexed stage, let me get you started.

Programming with Active Directory Service Interfaces (ADSI) in Active Server Pages (ASP) is simple. The Get method on the IADs interface, which retrieves attributes from the AD, has strange syntax with roots in X.500, but using it is straightforward. You can render an attribute from the AD with two statements in an ASP. You need to modify the user object to match one in your AD, but it takes only the following two statements to retrieve the Display Name (e.g., Tim Huckaby) or any attribute in the AD and render it in the browser:

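   ' Bind to the user object; the LDAP path must stay on one line because
   ' VBScript cannot continue a line inside a string literal.
   Set objADs = GetObject("LDAP://CN=Tim Huckaby,CN=Users,DC=timhuck,DC=com")
   Response.Write("Display Name: " & objADs.Get("displayName"))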

There's one caveat: This page fails if you don't run it under a security context that has rights to read from the AD. By default, AD grants authenticated users Read access. If you create an ASP with the code above and use Integrated Windows authentication on your Web server, so that Win2K identifies you to the ASP, your page will run fine.

The next trick to the Get method of IADs is that the method "casts" the values it retrieves from the AD and sends them to your ASP without identifying their type. What do I mean? In the example above, the displayName attribute is cast as a string, so a Response.Write works great. But the AD stores many attributes as multivalued. If you return a multivalued attribute with the Get method as in the code above and attempt to Response.Write it, you'll get an error because the value will be cast into an array. An example of a multivalued attribute is the memberOf attribute, which contains all the groups to which a user belongs. You need to iterate the variant safe array. In this case, the syntax of the code changes slightly:

  varAttribute = objADs.Get("memberOf")
  For Each varElement In varAttribute
       Response.Write(varElement & "<BR>")
  Next

So, how do you figure out what's coming? Use the VBScript function TypeName as follows:

  If TypeName(varAttribute) = "Variant()" Then
       'Iterate the array
  Else
       'Response.Write the value
  End If
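The pieces above fit together into one page, shown here as an added example (not one of the author's scripts). RenderAttribute is a hypothetical helper name, and the example assumes string-valued attributes. It also covers two cases the snippets above do not: Get raises an error when an attribute has no value, and each value is passed through Server.HTMLEncode so that directory data is written into the page as text rather than markup.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' Sample DN reused from the article; change it to match a user in your AD.
Const USER_DN = "LDAP://CN=Tim Huckaby,CN=Users,DC=timhuck,DC=com"
' ADSI error Get raises when the attribute has no value on the object.
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D

' RenderAttribute is a hypothetical helper name, not an ADSI call.
' It assumes string-valued attributes such as displayName and memberOf.
Sub RenderAttribute(objADs, strName)
    Dim varAttribute, varElement, lngErr

    On Error Resume Next
    varAttribute = objADs.Get(strName)
    lngErr = Err.Number
    Err.Clear
    On Error GoTo 0

    Response.Write("<B>" & Server.HTMLEncode(strName) & ":</B><BR>")
    If lngErr = E_ADS_PROPERTY_NOT_FOUND Then
        Response.Write("(not set)<BR>")
    ElseIf lngErr <> 0 Then
        ' Keep ADSI error details out of the page sent to the browser.
        Response.Write("(could not be read)<BR>")
    ElseIf IsArray(varAttribute) Then
        ' Two or more values: Get returned an array.
        For Each varElement In varAttribute
            Response.Write(Server.HTMLEncode(varElement) & "<BR>")
        Next
    Else
        ' Exactly one value, even for a multivalued attribute such as
        ' memberOf when the user belongs to a single group.
        Response.Write(Server.HTMLEncode(varAttribute) & "<BR>")
    End If
End Sub

Dim objUser
Set objUser = GetObject(USER_DN)
RenderAttribute objUser, "displayName"
RenderAttribute objUser, "memberOf"
RenderAttribute objUser, "description"
%>
```

If you would rather always receive an array, the IADs interface also offers GetEx, which returns every attribute as an array regardless of how many values it holds.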

I've written a few ASPs that employ this and other ADSI functionality and exploit the power of the AD. If you subscribe to IIS Administrator, you can download these scripts from the Code Library.
