Active Directory

former_member203861
Participant
0 Kudos

Hi all

How do I get the user name + password from the domain server for the current user that starts my application on that server, from the Active Directory?

My client wants me to combine the SSO protocol in the app.

Does anyone have code for it?

Thanks

Moshe

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi Moshe;

A complete Active Directory implementation is done in my framework. You are most welcome to pick up your required code from there.

Also, I have a presentation on how to go about AD implementation. The presentation is from last year's PB Conference. Let me know if you are interested.

Regards ... Chris

former_member203861
Participant
0 Kudos

Hi Chris,

I am very interested,

I have sent you an email just now.

Thanks

Moshe

Former Member
0 Kudos

Hi Moshe;

I just saw your email and will respond with a copy of the presentation in a few minutes!

Regards ... Chris

Former Member
0 Kudos

Hi Chris,

I hope you can pass that presentation to me also, as I'd been having a headache finding a solution on how to get the AD group in PB 12.6 Classic. I am trying to check your oeb sample, but since I am not that familiar with LDAP and all, it was so hard for me to understand. Hope this presentation can give us a clearer view. What I need is just the AD group of the logged-in user.

your help is really appreciated. 

Former Member
0 Kudos

Hi Elena;

  No problem!

As I mentioned to Moshe - just send me an email and I can reply with the presentation.  

eMail:  cpollach.at.travel-net.dot.com    [edit accordingly]

Regards ... Chris

Former Member
0 Kudos

Hi Chris,

Just sent you the mail, and I also have some queries. I want to be honest: I never worked with ADSI. I got your sample framework and put all the PBLs in my library list. Since you have an existing function for getting the AD group, I just declared the NVO and used the function, but a null reference was coming out. Do I need to set up anything? Usually I only declare the NVO and can use it. In my debug mode my other NVO has properties, but the one from the framework was blank; maybe that is why it says null reference, so I'm not sure if I'm missing something here.

Regards,

Elena

Former Member
0 Kudos

Sounds like you are expecting the NVO to be auto-instantiated. You may need to create the object:

n_cst_xyz lnv_xyz

lnv_xyz = CREATE n_cst_xyz

Former Member
0 Kudos

Sorry, it was my mistake... thanks Lars.

Former Member
0 Kudos

Hi Elena;

BTW: My code has been tested with MS Active Directory only.

FYI: my framework never auto-instantiates - so Lars is correct, you will need to create & destroy as required.

I'll check my email for your request ... nothing thus far though.

Regards .... Chris

Former Member
0 Kudos

Hi Chris,

Thanks, got it.

Regards,

Elena

Former Member
0 Kudos

Hi Chris,

Got the code for the multithread sample and used the function of_get_groups in nc_active_directory_master; during debug it will stop in io_RecordSet = io_command.Execute().

Query contains <LDAP://DC=ap, DC=rabonet,DC=com>;(objectClass=group);Name;subtree

The result of this is the AD group that I'd been looking for. Not really sure; it will stop and cannot continue anymore.

Regards,

Former Member
0 Kudos

Weird ... by stop and cannot continue - do you mean that on the Execute ( ) function it never returns control back to your PB application?

Former Member
0 Kudos

Hi Chris,

Since nc_active_directory_master was never created nor called in the code, I tried to create it in one of the events and call the of_get_groups function. But when I execute, an error message prompts and says that I need to check the log. I saw the log in the same directory, and it says "Cannot convert oleobject in any variable to ns_oleobject_master at line 84 in function of_get_groups of object nc_active_directory_master" (which is the execute command). The contents of the query are the ones mentioned above.

Is there any configuration needed for this? I didn't do anything, just copied all the PBLs and called the function.

Thanks and Regards,

Elena

Former Member
0 Kudos

Hi Elena;

This error could be due to a) you do not have an Active Directory Provider installed properly on your PC; b) the provider you have installed is not MS compliant; or c) your account may not have AD privileges. Sounds like either "A" or "B".

Regards ... Chris

Former Member
0 Kudos

Chris,

I am not so familiar with AD configuration, but upon searching I saw this link:

https://technet.microsoft.com/en-us/library/dd251831.aspx which specifies the path and DLL name for the AD provider: Program Files\Microsoft Provisioning\Providers\MPFADProv.dll. Are you referring to this one?

Thanks so much for the help. I will give feedback once it works, for others also to know.

Regards,

Elena

Former Member
0 Kudos

Hi Elena;

My implementation is solely based on the ADSI standard by MS. The ADSI approach is independent (in theory) of the AD provider.

FYI: Active Directory Service Interfaces (Windows)

HTH

Regards ... Chris

Former Member
0 Kudos

Hi Chris,

Your answers to my query at least helped me understand AD authentication. I got a simple code from SAP to return the value of a particular user's AD group.

Just create a function with integer as the return type and pass an array argument by reference.

Here's the code:

// Assumed signature from the description above: integer of_get_ad_groups (ref string as_groups[])
any       la_temp
integer   li_rc, li_count
string    ls_username, ls_classname
OLEObject l_olesysinfo, l_oleuser

l_olesysinfo = CREATE OLEObject
l_oleuser    = CREATE OLEObject

try
    // ADSystemInfo exposes the logged-in user's distinguished name; no password is exposed
    li_rc = l_olesysinfo.ConnectToNewObject("ADSystemInfo")
    if li_rc = 0 then
        ls_username = l_olesysinfo.UserName
        l_olesysinfo.DisconnectObject()    // was misspelt "DisconnectObect"
    end if

    // Bind to the user object by its DN; the original was missing the "L" in LDAP:// and the closing parenthesis
    li_rc = l_oleuser.ConnectToObject("LDAP://" + ls_username)
    IF li_rc = 0 THEN
        // memberOf is an array when the user is in several groups, but a single string when in one
        la_temp  = l_oleuser.memberOf
        li_count = UpperBound(la_temp)
        if li_count <> -1 then
            as_groups[] = l_oleuser.memberOf   // original had "as_grops[]"
        else
            ls_classname = ClassName(la_temp)
            if not IsNull(ls_classname) then
                if ls_classname = "string" then
                    as_groups[1] = l_oleuser.memberOf
                end if
            end if
        end if
    END IF
    l_oleuser.DisconnectObject()
    li_count = UpperBound(as_groups[])
catch (Throwable e)
    MessageBox("LDAP Error", e.GetMessage())
finally
    Destroy l_olesysinfo
    Destroy l_oleuser
end try

Return li_count

Hope it can help others as well.

Regards,

Elena
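The memberOf quirk the code above works around (one group comes back as a bare string, several as an array) is language-neutral, so here is an added example, not code from the thread or from SAP, that normalises both shapes and extracts each group's CN from its distinguished name, handling escaped commas in names; the DNs are constructed.

```python
# Added example (not code from the thread): normalise the memberOf value that ADSI
# returns (a bare string for one group, an array for several) and pull each group's
# CN out of its distinguished name. All sample DNs below are constructed.
from typing import Iterable, List, Union

MemberOf = Union[None, str, Iterable[str]]

def normalize_memberof(value: MemberOf) -> List[str]:
    """Both shapes of memberOf become a list of DN strings (empty when None)."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]

def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, honouring backslash escapes so an escaped comma
    inside a CN (e.g. 'Finance\\, AP') does not split the name."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def group_names(value: MemberOf) -> List[str]:
    """Return the CN of each group DN in memberOf, in the order AD returned them."""
    names = []
    for dn in normalize_memberof(value):
        for rdn in split_dn(dn):
            attr, _, val = rdn.partition("=")
            if attr.strip().upper() == "CN":
                names.append(val.strip())
                break  # the leading CN is the group's name; ignore OU/DC parts
    return names

# Constructed samples under the LDAP://DC=ap,DC=rabonet,DC=com base quoted in the thread
SINGLE = "CN=PB Users,OU=Groups,DC=ap,DC=rabonet,DC=com"
MANY = [SINGLE, "CN=Finance\\, AP,OU=Groups,DC=ap,DC=rabonet,DC=com"]

print(group_names(SINGLE), group_names(MANY))  # ['PB Users'] ['PB Users', 'Finance, AP']
```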

Former Member
0 Kudos

Hi Elena;

The reason you're having issues is that you're trying to use the MS-Windows login client to connect to the AD Server directly, where the client may not (and in most cases will not) have AD Server and/or AD DB privileges to read and interpolate the AD database directly.

In my approach, the ADSI is only used to get the already authenticated user's MS-Window Login AD signature.

From there, my systems call a PB Web Service that brokers the communication to the AD Server. The WS is registered against an IIS Application Pool that has an AD user account registered to it that has full AD read privileges.

Thus, the PB application only provides the AD Client signature to the WS who then uses an AD Account to introspect the Group, Role(s), Applications, Devices, etc that that AD Signature's account has the rights to.

As far as the SSO for the PB application, the direct SDK calls provide the MS-Windows login account. From there the Windows login account with ADSI provides the AD Signature and from there the WS then provides me the DBMS login credentials from AD. 

HTH

Regards ... Chris

Former Member
0 Kudos

For the last part, it will use the Windows logged-in credential, right? Meaning if user1 was logged in, then the AD signature provided to log in to the DB is for user1. What if user1 is logged in but I want to use user2's credentials to log in to the DB?

Former Member
0 Kudos

I do that in another Appeon Web application by keeping all the authorized application users' AD signatures in an encrypted DB table that only the application has access to. In your case, where User1 is logging on but you want to be accredited using the AD signature for User2, I pick up the User2 AD signature and pass that into the AD & DB login. Basically, what we call impersonation. This addresses the situation where User2 is on vacation, but management wants User1 to log in as User2 and complete their work tasks.

arnd_schmidt
Active Contributor
0 Kudos

Take a look at this discussion:

PowerBuilder 11.5 & LDAP authentication (Ac... | SCN

Always worth a visit:

Topwiz Software - ValidLogon

But you will not be able to get the user's password; this would be a big security issue.

hth

Arnd