I have a function that needs to log into LDAP as a query user that has read-only access to AD LDAP.
I am able to query and find the user and enumerate most user properties except memberOf.
This only happens when I log in as the read only user. If I log in as the user in question all of the attributes can be retrieved. Anyone have any ideas what I am doing wrong?
// Fragment from inside a lookup method: 'entry' (DirectoryEntry bound as the read-only
// query user), 'loginName', '_Attributes', 'attributes' and 'ad_MemberOf' are
// parameters/fields of the enclosing class. Requires:
//   using System.Collections.Generic;
//   using System.DirectoryServices;
//   using System.Linq;
DirectorySearcher search = new DirectorySearcher(entry);
// NOTE: loginName is concatenated straight into the filter; escape it per RFC 4515
// (e.g. '*', '(', ')', '\', NUL) before use unless it is already validated.
search.Filter = "(sAMAccountName=" + loginName + ")";
search.PropertiesToLoad.Add("CN");
search.PropertiesToLoad.Add("memberOf");
search.PropertiesToLoad.Add("SN");
search.PropertiesToLoad.Add("givenName");
if (_Attributes != null)
{
    foreach (string attr in _Attributes)
    {
        search.PropertiesToLoad.Add(attr);
    }
}
SearchResult result = search.FindOne();
if (result == null)
    return null;
string usersName = "";
if (result.Properties.Count > 0)
{
    if (result.Properties.Contains("CN"))
    {
        attributes.Add("CN", result.Properties["CN"].Cast<string>().ToList());
        usersName = result.Properties["CN"].Cast<string>().FirstOrDefault();
    }
    if (result.Properties.Contains("SN"))
    {
        attributes.Add("SN", result.Properties["SN"].Cast<string>().ToList());
    }
    if (result.Properties.Contains("givenName"))
    {
        // Original had '.Cast<string>.ToList()' (missing call parentheses), which does not compile.
        attributes.Add("givenName", result.Properties["givenName"].Cast<string>().ToList());
    }
    // memberOf is simply absent from the result when the bound account may not read it;
    // no exception is raised, so the list stays empty rather than failing loudly.
    if (result.Properties.Contains("memberOf"))
        ad_MemberOf = result.Properties["memberOf"].Cast<string>().ToList();
}
} // end of the enclosing method (its opening is not shown in the question)
This is a security feature. Access to this attribute is restricted if you don't have the 'Pre-Windows 2000 Compatible Access' enabled.
If you enable this correctly at the root-level of the domain, you should have access to all 'memberOf' attributes of all user accounts, as well as some other attributes that are restricted when you don't have the correct privileges for access.
Alternatively, you could add the permissions to access the specific attributes that correspond to those that are provided as part of the 'Pre-Windows 2000 Compatible Access' mechanism.
If I am reading it correctly, the permissions you need to add are:
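A way to confirm the diagnosis in the answer above before changing anything, as an added PowerShell example that is not part of the original question or answer: it checks whether the read-only bind account is covered by 'Pre-Windows 2000 Compatible Access', runs the same memberOf lookup once as the bind account and once as the current admin session so the two results can be compared, and lists the bind account's own ACEs at the domain root. It assumes the ActiveDirectory RSAT module on a domain-joined admin workstation; the account names are placeholders.

```powershell
# Added diagnostic example, not code from the original post.
# Assumes the ActiveDirectory module (RSAT) and an admin session on a domain-joined host.
Import-Module ActiveDirectory

$queryUser  = 'svc-ldapquery'   # placeholder: the read-only bind account from the question
$targetUser = 'jdoe'            # placeholder: the user whose memberOf comes back empty
$domainDN   = (Get-ADDomain).DistinguishedName

# 1. Who is in 'Pre-Windows 2000 Compatible Access'? Read the raw 'member' DNs, because
#    the group often holds well-known SIDs that Get-ADGroupMember cannot resolve.
#    CN=S-1-5-11,... is Authenticated Users, CN=S-1-1-0,... is Everyone.
$compat = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
Write-Host "Pre-Windows 2000 Compatible Access members:"
$compat.member | ForEach-Object { "  $_" }

$queryDN     = (Get-ADUser -Identity $queryUser).DistinguishedName
$coveredDirect = $compat.member -contains $queryDN
$coveredViaAuth = $compat.member | Where-Object { $_ -like 'CN=S-1-5-11,*' -or $_ -like 'CN=S-1-1-0,*' }
Write-Host ("Bind account listed directly: {0}; covered via Authenticated Users/Everyone: {1}" -f `
    $coveredDirect, [bool]$coveredViaAuth)

# 2. Reproduce the question: same lookup as the bind account and as the admin session.
$cred    = Get-Credential -UserName "$env:USERDOMAIN\$queryUser" -Message 'Bind account password'
$asQuery = Get-ADUser -Identity $targetUser -Properties memberOf -Credential $cred
$asAdmin = Get-ADUser -Identity $targetUser -Properties memberOf
Write-Host ("memberOf count as bind account: {0}; as admin: {1}" -f `
    $asQuery.memberOf.Count, $asAdmin.memberOf.Count)
if ($asQuery.memberOf.Count -eq 0 -and $asAdmin.memberOf.Count -gt 0) {
    Write-Host "Attribute exists but is not readable by the bind account: a permissions gap, not a code bug."
}

# 3. What does the bind account (or the compat group) actually hold at the domain root?
#    ObjectType is the GUID of the attribute or property set the ACE applies to;
#    an empty GUID means the ACE covers the whole object.
$acl = Get-Acl -Path "AD:\$domainDN"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$queryUser" -or
                   $_.IdentityReference -like '*Pre-Windows 2000*' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize
```

Adding the bind account to 'Pre-Windows 2000 Compatible Access' (`Add-ADGroupMember -Identity 'Pre-Windows 2000 Compatible Access' -Members $queryUser`) is the first remedy the answer describes, but it grants the whole legacy read set; the answer's second option, an explicit read ACE scoped to just the attributes the application needs, keeps the service account closer to least privilege and is easier to audit in the step 3 output.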