We wrote this book with the vision that it would be the definitive guide for helping developers leverage directory services from Active Directory and Active Directory/Application Mode (ADAM) in their .NET applications. Even though version 1.0 of the .NET Framework shipped in 2001 with a namespace called System.DirectoryServices (SDS) for doing this kind of work, the resources available to developers using these technologies have lagged behind. This is the book that we fervently wished we had back when we were first developing software for Active Directory. It was an idea that took a little while to come to fruition: Perhaps a bit of our back story will help to frame our perspective.
Ryan was working at a very large professional services firm that was selling off its consulting services capabilities. As part of the separation, a new IT infrastructure needed to be created. It fell to Ryan to figure out how to automate HR data feeds to provision Active Directory accounts and how to manage all of it with only a skeleton crew and a few custom apps. This was in the .NET version 1.0 beta 2 timeframe and .NET seemed promising.
Separately, but in an eerily similar vein, Joe was working in the IT organization of a large professional services firm that was contemplating a massive email system migration from a popular groupware platform to Microsoft’s Exchange 2000 Server. Exchange works on top of Active Directory, and Joe was asked to help out on the integration project between Active Directory and the groupware system’s directory.
Both projects required a heavy dose of directory services magic to tie the systems together and migrate from the competing platforms. The applications were not simple scripts, but complex systems and web applications requiring a more in-depth approach. But as we began to wade into the code, we noticed there were quite a few rough edges to be sorted out. Exactly how do we make the Lightweight Directory Access Protocol (LDAP) code work correctly in ASP.NET? What were all of those flags used for? How do we make these objects behave the way we expect? How do we extend the schema to accommodate our own custom business logic?
Naturally, we went to the web-based message boards and newsgroups seeking advice, but found very little. Some people had some of the answers if we translated their logic from scripts or C++ programs, but more people were asking than answering. With hard work and sometimes-fortuitous chance, we eventually pieced it together, but it was far more difficult than it needed to be.
Flash forward to 2006: The .NET Framework has matured significantly, with a milestone 2.0 release, and so has the .NET development community. Books and resources abound for just about every topic you could imagine. However, directory services programming still remains obscure and confusing.
This lack of guidance is somewhat ironic given that the enterprise directory continues to gain prominence in the organization. It is no longer just the province of a team of administrators writing scripts. It has become a key source of data for many full-scale applications, with some even building complex identity life cycle management processes on top of it.
We stuck around the message boards, and over the last several years, we worked actively in the online development community to help developers of all stripes solve their directory services development problems. We know from our work in the community that there tends to be a lot of confusion on how best to leverage what became of Active Directory Service Interfaces (ADSI) in the new managed model of System.DirectoryServices.
We took the most common problems that developers wrestle with in this space and tried to address them in turn. By the time you finish reading this book, we hope that your directory services programming will be much more effective than before.
Our approach for this book tends to be very pragmatic. We focus heavily on code samples showing how to do things the right way, sometimes at the expense of brevity. However, we do not hesitate to dig under the covers and provide answers for how things really work. We start with the basic skills that every directory services developer should understand and build a solid foundation. We then layer on more advanced topics and scenarios that we have run into firsthand and that we know from our work in the community that developers still struggle with. When we are done, you should have all the tools needed to tackle the advanced scenarios and build the types of applications you need.
Outside of this book, we endeavor to support our readers by making examples, errata, additional topics, and tools available on our companion web site, www.directoryprogramming.net.
What Is Covered?
The book primarily focuses on programming LDAP with the System.DirectoryServices namespace. At times, we address the new additions to .NET, System.DirectoryServices.ActiveDirectory (SDS.AD) and System.DirectoryServices.Protocols (SDS.P), when there is functionality or a scenario that is not addressed with System.DirectoryServices, although complete coverage of all of the new bits will require another book.
We take the approach of covering both the 1.1 and 2.0 versions of the .NET Framework. We realize that many developers will be working in both environments for years to come. Even for developers who may never use older versions, it is useful to learn the newer features by understanding the previous shortcomings.
The book also focuses on Microsoft’s primary LDAP directory service product, Active Directory, with a fair amount of coverage of ADAM as well. While we do not provide specific examples of targeting non-Microsoft directories, we do try to point out the issues that are most likely to affect you, and how to avoid them.
The book is divided into two parts. Part I (Chapters 1-9) is all about the fundamentals of LDAP programming. It introduces the key concepts and provides a solid foundation upon which to build any type of directory services application. Part II (Chapters 10-12) is about applying the fundamentals from Part I to real-world problems and provides more of a “cookbook” approach. The topics in these last chapters come from what we see developers wrestling with everyday and our own experiences as we struggled to learn this.
Chapter 1 introduces the basic concepts of LDAP and discusses the key directory services that the book focuses on, Active Directory and ADAM. In Chapter 2, we continue the introduction with a survey of the APIs available for programming LDAP using the .NET Framework and discuss how they relate to each other.
Starting with Chapters 3 and 4, we cover the basic mechanics of accessing Active Directory or ADAM. In Chapter 3, we focus in detail on connecting to the directory, as well as creating, moving, renaming, and deleting objects. Chapter 4 covers the basics of searching. Searching is the fundamental activity of LDAP programming, so a solid grounding is essential.
Chapter 5 continues with the searching theme, but goes into detail on the advanced topics. The 2.0 release of the .NET Framework has added a host of new searching features, so we cover all of these here and provide complete samples.
Chapter 6 focuses on the intricacies of reading and writing attributes in the directory. We discuss all of the different attribute syntaxes, including the ones that tend to give developers the most trouble.
Chapter 7 covers LDAP schema and extensions, explaining key points that the enterprise developer should know for designing new schema.
We delve into the Windows security model in Chapter 8, addressing not only LDAP security and how it integrates with Windows security, but also the challenges of the security context in the ASP.NET environment. We will show you how to use Kerberos delegation and teach you common issues to look for. We also cover access control lists (ACLs) in Active Directory and ADAM and discuss the code access security (CAS) model in the .NET Framework, as well as how it applies to directory services programming.
Chapter 9 explores System.DirectoryServices.ActiveDirectory. This new namespace was introduced with .NET 2.0 and included many new capabilities for managing Active Directory and ADAM. We focus on one of the most useful features, the Locator service built into Active Directory that finds domain controllers on the network.
In Chapters 10, 11, and 12, we shift our focus from fundamentals to practical solutions for common problems. Some of these scenarios are advanced, but by this point, we should have you prepared to tackle them. Chapter 10 discusses user management in detail and provides a wealth of useful samples, as well as real answers to common problems. Chapter 11 covers group management in detail. We conclude in Chapter 12 with a variety of different approaches for authentication with LDAP, including a discussion of the alternatives.
We also include three appendices. Appendix A shows some different approaches for doing COM interop in .NET. COM interop is often required when working with these technologies, so it is useful to know the options here. Appendix B provides our list of “must-have” tools for LDAP programmers working with Active Directory and ADAM. Finally, Appendix C attempts to provide a cross-reference of common errors to topics in the book that deal with those problems. If you are stuck and need an answer fast, Appendix C might help you to use the book more effectively. We also tell you how to get in touch with us if you can’t find what you are looking for here.
This book was written with the .NET enterprise appli...