Why does this ActiveDirectory lookup fail?



  • I’m modifying some AD code that I wrote years ago. It’s so old it’s more like LDAP because .NET didn’t have an AD-specific namespace yet. Anyway, some of the functions are name conversion. Distinguished to AD and back, same for canonical. For some reason, it’s AD to X that stopped working.

    All of the code enters at the directory base, then searches for `(&(objectcategory=)(objectclass=)(field=value))`. There are fields for DistinguishedName, CanonicalName, and ADSPATH. It doesn’t look like a scoping issue because none of the scope types work.

    I know I can just log in at the ADSPATH instead of the base and skip the filter altogether, at the expense of making the functions look different, and have it work. My question is why I can’t filter on ADSPATH like the other properties.


  • Discourse touched me in a no-no place

    @Zenith said in Why does this ActiveDirectory lookup fail?:

    My question is why I can’t filter on ADSPATH like the other properties.

    The real reason is probably "there's no index set up for that" or possibly "the 'may filter by this property' checkbox isn't checked". The problem is I know very little about AD; from the perspective of anyone outside the actual sysadmins in charge of an installation, it's tremendously opaque.



  • @dkf Now I suspect ADSPATH is a property added by the BCL or whatever Win32 DLLs it’s calling. I can’t find it in any AD browser I’ve tried or any property lists I’ve been able to dig up. That’s just weird.



  • @Zenith said in Why does this ActiveDirectory lookup fail?:

    My question is why I can’t filter on ADSPATH like the other properties.

    The filter is an LDAP filter, which is sent to the AD server. LDAP filters can only filter on the properties the server can see, and ADSPATH is a "convenience property" added client side; the server isn't aware of it. There is a DN property, but it can't be filtered directly. In the LDAP search API, there's a "base" that the search starts at, and to get a single object by its DN, you'd do a search starting at the DN, with a scope of "base", and searching for "(objectClass=*)". Since that works, apparently, the LDAP people felt no need to provide a second way to accomplish it.

    The DN (Distinguished Name) and the ADSPATH are pretty much the same thing: they aren't properties of the object, but full paths to the object. Just like the full path to a file isn't an intrinsic property of a file.
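The request-building logic the reply above describes, as an added example (not code from the thread or from any poster): an ADsPath is an ADSI path of the form `LDAP://[server[:port]/]DN`, so the client strips it down to the DN and uses that DN as the search base with scope `base` and the catch-all filter `(objectClass=*)`; only genuine attributes go into an equality assertion. The field names, the `objectCategory`/`objectClass` defaults and `DEFAULT_BASE` are assumptions for illustration. Values interpolated into a filter are escaped per RFC 4515, because the original code builds `(field=value)` by string concatenation and an unescaped value can rewrite the filter.

```python
"""Build LDAP search requests for "find one object by its path" vs.
"find objects by attribute".  Added example with assumed names; the
ADsPath layout is the ADSI convention LDAP://[server[:port]/]DN."""
from typing import Optional

SCOPE_BASE = "base"        # only the base object itself
SCOPE_SUBTREE = "subtree"  # base object and everything below it

# Assumed search root for attribute lookups (hypothetical domain).
DEFAULT_BASE = "DC=example,DC=com"


def parse_adspath(adspath: str) -> tuple[Optional[str], str]:
    """Split 'LDAP://[server[:port]/]DN' into (server, dn).

    The server part is optional.  What remains is a plain DN, which is the
    only part of the path the directory server itself understands."""
    prefix = "LDAP://"
    if not adspath[: len(prefix)].upper() == prefix:
        raise ValueError(f"not an LDAP ADsPath: {adspath!r}")
    rest = adspath[len(prefix):]
    # A '/' that appears before the first '=' separates server from DN;
    # a DN always starts with 'attr=' and a hostname never contains '='.
    slash, eq = rest.find("/"), rest.find("=")
    if slash != -1 and (eq == -1 or slash < eq):
        return (rest[:slash] or None), rest[slash + 1:]
    return None, rest


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter assertion.

    '*', '(', ')', '\\' and NUL become \\XX hex escapes, as does every byte
    of a non-ASCII character.  Without this, an input such as
    'x)(objectClass=*' changes the structure of the filter."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b > 0x7F:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


def build_search(field: str, value: str) -> dict:
    """Return the base, scope and filter to send for a lookup on `field`.

    ADsPath and DistinguishedName name the object itself, so they cannot be
    asserted in a filter; they become the search base with scope 'base'.
    Any other field becomes an escaped equality assertion under DEFAULT_BASE."""
    name = field.lower()
    if name == "adspath":
        server, dn = parse_adspath(value)
        return {"server": server, "base": dn,
                "scope": SCOPE_BASE, "filter": "(objectClass=*)"}
    if name == "distinguishedname":
        return {"server": None, "base": value,
                "scope": SCOPE_BASE, "filter": "(objectClass=*)"}
    # objectCategory/objectClass values are assumed for the example.
    return {"server": None, "base": DEFAULT_BASE, "scope": SCOPE_SUBTREE,
            "filter": "(&(objectCategory=person)(objectClass=user)"
                      f"({field}={escape_filter_value(value)}))"}


if __name__ == "__main__":
    # Constructed sample inputs; no directory server is contacted.
    path = "LDAP://dc1.example.com/CN=Jane Doe,OU=Staff,DC=example,DC=com"
    print(build_search("ADsPath", path))
    print(build_search("sAMAccountName", "jdoe"))
    print(build_search("sAMAccountName", "x)(objectClass=*"))
```

Whatever client library actually issues the request (`System.DirectoryServices`, `ldap3`, `ldapsearch`), the shape is the same: a path-style identifier selects the base and scope, an attribute-style identifier selects the filter, and anything user-controlled inside the filter is escaped first.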

