restricting access based on Org Unit (OU)

SpaceMarine

Hello,

I have an ASP.NET 2.0 web app w/ an Active Directory user base that I
need to lock down -- only one Organizational Unit should be able to
use the web app.

So I need to limit my app to only users w/i that Organizational Unit,
as maintained in our Active Directory by our admins.

Can anyone point me in the right direction as to how to do this? I
haven't really been able to find much on what I would have guessed to
be a common task.


thanks!
sm
 
Joe Kaplan

This is a non-traditional method of doing authorization against AD as OU's
are supposed to be used for delegation of administration but not security.
The best way to do this would be to ask the AD admins to put all the users
in the OU in question into a group and then just authorize against that
group using one of the traditional methods.

That said, if you need to look up a user's OU, you can do that with either
an LDAP query or via an RPC call using either the DsCrackNames API or the
ADSI IADsNameTranslate interface (which is just a wrapper around
DsCrackNames designed in such a way as to make it easy to call for scripting
clients). IADsNameTranslate is probably the easiest thing although it would
require you to create some sort of runtime callable wrapper (usually done by
creating a reference to activeds.tlb).

If you want to do an LDAP query, that isn't very difficult using
System.DirectoryServices. The main thing you need to know is what username
format you will be working with in order to form the query.

Joe K.
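As an added example (not code from the thread or from Joe), here is the LDAP route he describes, in C# with System.DirectoryServices: find the user by sAMAccountName, read the distinguishedName, and test whether it sits under the permitted OU. The domain root, the OU DN and the DOMAIN\user name format are assumptions. The username is escaped before it goes into the filter, because under Windows authentication it comes from the client's identity and an unescaped value inside an LDAP filter is an injection point.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example (not from the thread): look up a user's OU and compare it with
// the OU the app is restricted to. Assumes the user name arrives as
// DOMAIN\sAMAccountName (what HttpContext.User.Identity.Name holds under
// Windows authentication) and that the app's identity may read the directory.
public static class OuCheck
{
    // Hypothetical values; replace with your own domain and OU DN.
    const string DomainRoot = "LDAP://DC=example,DC=com";
    const string AllowedOu  = "OU=WebTeam,OU=Engineering,DC=example,DC=com";

    // Escape a value that goes into an LDAP search filter (RFC 4515 rules).
    // Without this a name such as "*)(objectClass=*" rewrites the filter.
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Strip the "DOMAIN\" prefix to get the sAMAccountName.
    public static string ToSamAccountName(string windowsIdentityName)
    {
        int i = windowsIdentityName.LastIndexOf('\\');
        return i < 0 ? windowsIdentityName : windowsIdentityName.Substring(i + 1);
    }

    // Returns the user's distinguishedName, or null when no such account exists.
    public static string FindUserDn(string samAccountName)
    {
        using (DirectoryEntry root = new DirectoryEntry(DomainRoot))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilterValue(samAccountName) + "))";
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("distinguishedName");

            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["distinguishedName"].Count == 0)
                return null;
            return (string)result.Properties["distinguishedName"][0];
        }
    }

    // True when the DN is directly in, or anywhere below, the allowed OU.
    // DNs compare case-insensitively; RDN whitespace is assumed normalized.
    public static bool IsInAllowedOu(string userDn)
    {
        if (userDn == null)
            return false;
        return userDn.EndsWith("," + AllowedOu, StringComparison.OrdinalIgnoreCase);
    }

    public static bool IsUserAllowed(string windowsIdentityName)
    {
        return IsInAllowedOu(FindUserDn(ToSamAccountName(windowsIdentityName)));
    }
}
```

The suffix match also admits every child OU, and it silently stops matching the moment an admin moves the account, which is the practical side of Joe's point that OUs are an administrative boundary rather than a security one. A directory round trip per request is also expensive, so cache the answer per user if you go this way at all.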
 
SpaceMarine

> This is a non-traditional method of doing authorization against AD as OU's
> are supposed to be used for delegation of administration but not security.
> The best way to do this would be to ask the AD admins to put all the users
> in the OU in question into a group and then just authorize against that
> group using one of the traditional methods.

I see. I work in a very large organization with thousands of users;
sub-orgs are placed into Organizational Units, which seems natural
enough to me.

That being said, I'll ask our admins if we could perhaps put the OU I
work for into an AD group.

How then does one code security against an AD group?


thanks,
sm
 
Joe Kaplan

There are many methods. If you are using Windows authentication in your
application, then you can just use the IsInRole method on the
WindowsPrincipal class. ASP.NET will insert a WindowsPrincipal representing
the current Windows user into the HttpContext.User property and you can
access that from anywhere in a web app. You can also put this directly into
the authorization section of the web.config and just add the role name to
the appropriate config parameter there (no coding needed).

If you aren't using Windows auth, then you'll need to get the user's group
membership programmatically somehow.

Joe K.
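Added example, not from the thread or from Joe, using a hypothetical domain and group name EXAMPLE\App-Users. The no-code form he mentions is the authorization section of web.config, `<authorization><allow roles="EXAMPLE\App-Users" /><deny users="*" /></authorization>`; rules are evaluated top to bottom and the first match wins, so the deny must come after the allow. The programmatic form below checks the same thing from HttpContext.User, and also shows a check by group SID, which keeps working if the group is later renamed.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Added example (not from the thread): authorize the current Windows user
// against an AD group. Assumes Windows authentication is enabled and that the
// admins created the group EXAMPLE\App-Users (hypothetical name).
public static class GroupGate
{
    // Must be domain-qualified: IsInRole("App-Users") alone does not match a
    // domain group on a WindowsPrincipal.
    const string AllowedGroup = @"EXAMPLE\App-Users";

    // Name-based check: the same test <allow roles="EXAMPLE\App-Users" /> makes.
    public static bool IsAllowedByName(IPrincipal user)
    {
        return user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(AllowedGroup);
    }

    // Resolve a group's SID once (for example at application start) from its
    // name. Needs the domain reachable.
    public static SecurityIdentifier ResolveGroupSid(string domainQualifiedName)
    {
        NTAccount account = new NTAccount(domainQualifiedName);
        return (SecurityIdentifier)account.Translate(typeof(SecurityIdentifier));
    }

    // SID-based check against the token's group SIDs: unaffected by a rename of
    // the group and no name lookup per request.
    public static bool IsAllowedBySid(WindowsPrincipal user, SecurityIdentifier allowedGroupSid)
    {
        return user != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(allowedGroupSid);
    }

    // Call from Application_AuthorizeRequest in Global.asax or from Page_Load.
    // An authenticated user who is not in the group gets 403 rather than the
    // 401 web.config's <deny> answers with, which makes the browser re-prompt.
    public static void EnforceOnRequest(HttpContext context)
    {
        WindowsPrincipal principal = context.User as WindowsPrincipal;
        if (!IsAllowedByName(principal))
            throw new HttpException(403, "Forbidden");
    }
}
```

Both checks read the group SIDs in the caller's logon token, so nested group membership counts and no call to the domain controller is made per request; the flip side is that a membership change only shows up after the user's next logon.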
 
SpaceMarine

> There are many methods. If you are using Windows authentication in your
> application, then you can just use the IsInRole method on the
> WindowsPrincipal class. ASP.NET will insert a WindowsPrincipal representing
> the current Windows user into the HttpContext.User property and you can
> access that from anywhere in a web app. You can also put this directly into
> the authorization section of the web.config and just add the role name to
> the appropriate config parameter there (no coding needed).

Yeah, we're using Windows authentication. So the AD's "Group"
assignment directly maps to the User.IsInRole() deal? great! That
sounds like a pretty good reason to use AD Groups.


Thanks,
sm
 
SpaceMarine

> There are many methods. If you are using Windows authentication in your
> application, then you can just use the IsInRole method on the
> WindowsPrincipal class. ASP.NET will insert a WindowsPrincipal representing
> the current Windows user into the HttpContext.User property and you can
> access that from anywhere in a web app. You can also put this directly into
> the authorization section of the web.config and just add the role name to
> the appropriate config parameter there (no coding needed).

Though, one question: how does this relate to using a Roles provider? I'm
not sure, but I think an ASP.NET app could still use a custom Roles
provider and use the AD Group technique you've mentioned?


sm
 
Joe Kaplan

If you want to use the role provider with Windows authentication, you can
use the WindowsTokenRoleProvider. It does the same thing as
IPrincipal.IsInRole in this instance.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
 
SpaceMarine

> If you want to use the role provider with Windows authentication, you can
> use the WindowsTokenRoleProvider. It does the same thing as
> IPrincipal.IsInRole in this instance.

I hadn't heard of that one, thanks for the tip.

Yeah, I want to use a combo of: 1) the Windows group for basic
authentication, and then a role provider for app-level roles. Our
admins were cool w/ putting the OU into a group, but we both feel
further roles specific to the app should be self-contained in the app.

Does that sound normal? And something that I could do w/ the
WindowsTokenRoleProvider?


thanks!
sm
 
Joe Kaplan

You will need a custom role provider if you want additional app specific
roles as the WindowsTokenRoleProvider only knows about windows groups.

I'd suggest looking at the AzMan framework for implementing app specific
roles and permissioning. It is very powerful. It also integrates well with
AD. I'm pretty sure there is a role provider for it as well, although it is
more powerful if you use it directly.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
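Added example, serving both the WindowsTokenRoleProvider post above and this one; it is not Joe's code or the page's. It is the custom RoleProvider he says sm will need: the gate is the AD group, read from the Windows token of the current request exactly as WindowsTokenRoleProvider does, and the app-specific roles come from a store that lives with the app. The group name EXAMPLE\App-Users and the two sample users are constructed; the in-memory table stands in for whatever store the app would really use. (The AzMan role provider Joe has in mind ships in the framework as System.Web.Security.AuthorizationStoreRoleProvider.)

```csharp
using System;
using System.Collections.Generic;
using System.Configuration.Provider;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not from the thread): gate on an AD group through the
// request's Windows token, then serve app-specific roles from the app's store.
public class GatedAppRoleProvider : RoleProvider
{
    // Hypothetical group the admins populated with the OU's users.
    const string GateGroup = @"EXAMPLE\App-Users";
    string applicationName = "WebApp";

    // App-level roles keyed by DOMAIN\user. Constructed sample data standing in
    // for the app's real store (a SQL table, an XML file, ...).
    static readonly Dictionary<string, string[]> AppRoles = BuildSampleRoles();

    static Dictionary<string, string[]> BuildSampleRoles()
    {
        Dictionary<string, string[]> roles =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
        roles[@"EXAMPLE\alice"] = new string[] { "Editor", "Approver" };
        roles[@"EXAMPLE\bob"]   = new string[] { "Editor" };
        return roles;
    }

    public override string ApplicationName
    {
        get { return applicationName; }
        set { applicationName = value; }
    }

    // The gate. Like WindowsTokenRoleProvider, this can only answer for the
    // user whose token is on the current request, so any other name is refused.
    static bool PassesGate(string username)
    {
        HttpContext ctx = HttpContext.Current;
        WindowsPrincipal wp = (ctx == null) ? null : ctx.User as WindowsPrincipal;
        if (wp == null || !wp.Identity.IsAuthenticated)
            return false;
        if (!string.Equals(wp.Identity.Name, username, StringComparison.OrdinalIgnoreCase))
            throw new ProviderException("Roles can only be evaluated for the current Windows user.");
        return wp.IsInRole(GateGroup);
    }

    // No gate, no app roles: a user dropped from the AD group loses every
    // app role even while the app's own table still lists them.
    public override string[] GetRolesForUser(string username)
    {
        if (!PassesGate(username))
            return new string[0];
        string[] roles;
        return AppRoles.TryGetValue(username, out roles) ? roles : new string[0];
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        foreach (string role in GetRolesForUser(username))
            if (string.Equals(role, roleName, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    public override string[] GetAllRoles()
    {
        List<string> all = new List<string>();
        foreach (string[] roles in AppRoles.Values)
            foreach (string role in roles)
                if (!all.Contains(role))
                    all.Add(role);
        return all.ToArray();
    }

    public override bool RoleExists(string roleName)
    {
        return Array.IndexOf(GetAllRoles(), roleName) >= 0;
    }

    public override string[] GetUsersInRole(string roleName)
    {
        return FindUsersInRole(roleName, "");
    }

    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        List<string> users = new List<string>();
        foreach (KeyValuePair<string, string[]> entry in AppRoles)
            if (Array.IndexOf(entry.Value, roleName) >= 0
                && entry.Key.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0)
                users.Add(entry.Key);
        return users.ToArray();
    }

    // Role administration belongs to the app's own store, not to this provider.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

Register it under roleManager in web.config, `<roleManager enabled="true" defaultProvider="GatedAppRoleProvider"><providers><add name="GatedAppRoleProvider" type="GatedAppRoleProvider" /></providers></roleManager>`, and `Roles.IsUserInRole("Approver")` and `<allow roles="Approver" />` start working while the AD group itself remains checkable with `User.IsInRole(@"EXAMPLE\App-Users")`. If Windows groups are all you need, the built-in provider is already registered in the root web.config as AspNetWindowsTokenRoleProvider and only has to be named as defaultProvider.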