on 02-07-2016 2:36 PM
Hi all
How do I get the user name + password from the domain server for the current user that starts my application on that server from the Active Directory?
My client wants me to combine an SSO protocol in the app?
Does anyone have code for it?
Thanks
Moshe
Hi Moshe;
A complete Active Directory implementation is done in my framework. You are most welcome to pick up your required code from there.
Also, I have a presentation on how to go about AD implementation. The presentation is from last year's PB Conference. Let me know if you are interested.
Regards ... Chris
Hi Chris,
I hope you can pass that presentation to me also, as I've been having a headache finding a solution on how to get the AD group in PB 12.6 Classic. I am trying to check your oeb sample, but since I'm not that familiar with LDAP and all, it was so hard for me to understand. Hope this presentation can give us a clearer view. What I need is just the AD group of the logged-in user.
Your help is really appreciated.
Hi Chris,
Just sent you the mail and I also have some queries. I want to be honest: I never worked with ADSI. I got your sample framework and put all the PBLs in my lib list. Since you have an existing function for getting the AD group, I just declared the NVO and used the function, but a null reference was coming out. Do I need to set up anything? Usually I only declare the NVO and can use it. In my debug mode my other NVO has properties, but the one from the framework was blank; maybe that is why it says null reference, so I'm not sure if I'm missing something here.
Regards,
Elena
Hi Chris,
Got the code for the multithread sample and used the function of_get_groups in nc_active_directory_master; during debug it will stop in io_RecordSet = io_command.Execute().
Query contains <LDAP://DC=ap, DC=rabonet,DC=com>;(objectClass=group);Name;subtree
The result of this is the AD group that I'd been looking for. Not really sure why, but it stops and cannot continue anymore.
Regards,
Hi Chris,
Since nc_active_directory_master was never created nor called in the code, I tried to create it in one of the events and call the of_get_groups function. But when I execute, an error message prompts and says that I need to check the log. I saw the log in the same directory and it says "Cannot convert oleobject in any variable to ns_oleobject_master at line 84 in function of_get_groups of object nc_active_directory_master" (which is the execute command). The content of the query is the one mentioned above.
Is there any configuration needed for this? As I didn't do anything except copy all the PBLs and call the function.
Thanks and Regards,
Elena
Chris,
I am not so familiar with AD configuration, but upon searching I saw this link
https://technet.microsoft.com/en-us/library/dd251831.aspx which specifies the path and DLL name for the AD provider, Program Files\Microsoft Provisioning\Providers\MPFADProv.dll . Are you referring to this one?
Thanks so much for the help. I will give feedback once it works for others also to know.
Regards,
Elena
Hi Elena;
My implementation is solely based on the ADSI standard by MS. The ADSI approach is independent (in theory) of the AD provider.
FYI: Active Directory Service Interfaces (Windows)
HTH
Regards ... Chris
Hi Chris,
Your answers to my query at least helped me understand AD authentication. I got a simple piece of code from SAP to return the AD groups of a particular user.
Just create a function with integer as the return type and pass an array argument by reference.
Here's the code:
// Function signature (as described above): integer of_get_user_groups (ref string as_groups[])
any la_temp
integer li_rc, li_count
string ls_username, ls_classname
OLEObject l_olesysinfo, l_oleuser

l_olesysinfo = CREATE OLEObject
l_oleuser = CREATE OLEObject

try
    // ADSystemInfo returns the distinguished name of the logged-in Windows user
    li_rc = l_olesysinfo.ConnectToNewObject("ADSystemInfo")
    if li_rc = 0 then
        ls_username = l_olesysinfo.username
        l_olesysinfo.DisconnectObject()
    end if

    // Bind to the user object through the ADSI LDAP provider
    li_rc = l_oleuser.ConnectToObject("LDAP://" + ls_username)
    IF li_rc = 0 THEN
        // memberOf is an array when the user is in several groups,
        // but a single string when the user is in exactly one group
        la_temp = l_oleuser.memberof
        li_count = UpperBound(la_temp)
        if li_count <> -1 then
            as_groups[] = l_oleuser.memberof
        else
            ls_classname = ClassName(la_temp)
            if not IsNull(ls_classname) then
                if ls_classname = "string" then
                    as_groups[1] = l_oleuser.memberof
                end if
            end if
        end if
        l_oleuser.DisconnectObject()
    END IF
    li_count = UpperBound(as_groups[])
catch (throwable e)
    MessageBox("LDAP Error", e.GetMessage())
finally
    Destroy l_olesysinfo
    Destroy l_oleuser
end try

Return li_count
Hope it can help others as well.
Regards,
Elena
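Added example, not code from this thread or from Elena's SAP sample: the same ADSI lookup written in PowerShell, so it can be run on a domain-joined Windows host to check what memberOf actually returns for the current logon before wiring it into PB. It assumes a domain-joined machine and uses the caller's existing logon token for the LDAP bind; the helper names (Get-CurrentUserDn, ConvertFrom-GroupDn, Get-CurrentUserAdGroups) are mine. It also goes one step beyond the PowerScript above by adding the primary group, which AD does not list in memberOf.

```powershell
# Added example (not from the thread). Assumptions: domain-joined Windows host,
# Windows PowerShell 5.1 or later, bind performed with the caller's own logon
# token. No password is read or needed at any point.

function Get-CurrentUserDn {
    # ADSystemInfo is a late-bound COM object with no type library, so its
    # properties are read through InvokeMember rather than dot notation.
    $sysInfo = New-Object -ComObject 'ADSystemInfo'
    $dn = $sysInfo.GetType().InvokeMember('UserName', 'GetProperty', $null, $sysInfo, $null)
    if ([string]::IsNullOrWhiteSpace($dn)) {
        throw 'ADSystemInfo returned no distinguished name; is this host domain-joined?'
    }
    return [string]$dn
}

function ConvertFrom-GroupDn {
    # Extract the CN from a group DN, honouring backslash-escaped commas
    # (for example "CN=Sales\, EMEA,OU=Groups,DC=example,DC=com").
    param([Parameter(Mandatory)][string]$DistinguishedName)
    if ($DistinguishedName -match '^CN=((?:\\.|[^,])+)') {
        return ($Matches[1] -replace '\\(.)', '$1')
    }
    return $DistinguishedName
}

function Get-CurrentUserAdGroups {
    [CmdletBinding()]
    param()

    $userDn = Get-CurrentUserDn
    # The ADSI provider prefix is LDAP://; bind to the user object by DN.
    $user = [ADSI]"LDAP://$userDn"

    # memberOf comes back as a single string for one group and as a collection
    # for several; @() normalises both shapes to an array (empty if no groups).
    $dns = @($user.Properties['memberOf'] | ForEach-Object { [string]$_ })

    # The primary group (normally Domain Users) is not listed in memberOf.
    # It is identified by primaryGroupID, a RID under the domain SID, so
    # rebuild that SID and bind to it with the <SID=...> form.
    $sidBytes  = [byte[]]$user.Properties['objectSid'][0]
    $userSid   = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $domainSid = $userSid.AccountDomainSid.Value
    $rid       = [int]$user.Properties['primaryGroupID'][0]
    $primary   = [ADSI]"LDAP://<SID=$domainSid-$rid>"
    $dns      += [string]$primary.Properties['distinguishedName'][0]

    foreach ($dn in $dns) {
        [pscustomobject]@{
            Name              = ConvertFrom-GroupDn -DistinguishedName $dn
            DistinguishedName = $dn
        }
    }
}

# Usage: list the current user's groups, then test one membership by name.
$groups = Get-CurrentUserAdGroups
$groups | Sort-Object Name | Format-Table -AutoSize
if ($groups.Name -contains 'Domain Admins') { 'current user is a Domain Admin' }
```

memberOf only holds direct memberships; groups reached through nesting are not in it, so an application that authorises on group membership should not assume the list is transitive. And, as with the PowerScript, only group names and DNs come back: the logon password is never exposed through ADSI.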
Hi Elena;
The reason you're having issues is that you're trying to use the MS Windows login client to connect to the AD Server directly, where the client may not (and in most cases will not) have AD Server and/or AD DB privileges to read and interpolate the AD database directly.
In my approach, the ADSI is only used to get the already authenticated user's MS Windows login AD signature.
From there, my systems call a PB Web Service that brokers the communication to the AD Server. The WS is registered against an IIS Application Pool that has an AD user account registered to it that has full AD read privileges.
Thus, the PB application only provides the AD client signature to the WS, which then uses an AD account to introspect the Group, Role(s), Applications, Devices, etc. that that AD signature's account has the rights to.
As far as the SSO for the PB application, the direct SDK calls provide the MS Windows login account. From there, the Windows login account with ADSI provides the AD signature, and from there the WS then provides me the DBMS login credentials from AD.
HTH
Regards ... Chris
I do that in another Appeon Web application by keeping all the authorized application user AD signatures in an encrypted DB table that only the application has access to. In your case, where User1 is logging on but you want to be accredited using the AD signature for User2, I pick up the User2 AD signature and pass that into the AD & DB login. Basically, what we call impersonation. This addresses the situation where User2 is on vacation, but management wants User1 to log in as User2 and complete their work tasks.
Take a look at this discussion:
PowerBuilder 11.5 & LDAP authentication (Ac... | SCN
Always worth a visit:
But you will not be able to get the users password - this would be a big security issue.
hth
Arnd