Name | Description |
---|---|
Host | The URL or IP address of the LDAP server you want to talk to. Similar to the URL of a web site. |
Port | The port number you are connecting to. The usual value is 389. (This is the also the default used by the class) |
Domain | Databases on the LDAP server side are
organized by "domain". This can be set to anything the
administrator likes, it is not bound to a web domain the company
owns or anything like that. It may correspond to the HOST address,
but does not need to do so. |
Bind | When a client authenticates with a server this is known as Binding to the server. Typically this requires a valid user name, and password, to access the database, but some servers allow anonymous authentication. NetTalk uses two properties, AuthUser and AuthPassword to contain these items. Not that the user that is BINDed is purely for access to the database - they may be able to extract data from the database for other users in addition to themselves. |
Attributes | These are like field names in a normal database. There are potentially a great many attributes assigned to an object. For example a user may have attributes like displayName, userPrincipalName, samAccountName, sn (for Surname) and so on. |
cn CommonName |
This is a property for each user, set by the Administrator
on the server. The Common Name is the whole name, as displayed in
the administrator panel below. (Notice also the Group Name
highlighted in the image below.) The Common Name of the
highlighted user is Wilson S. Demaggio. You do not change the Common Name by changing any of the properties of the user. (It _defaults_ to FirstName LastName, but changing those names does not change the common name.) To change the name right click on the list, and select the Rename option. |
Group name | The name of a Group in the directory. See the image above for an example of a group called Amazing Accounts. |
User Logon Name UserPrincipalName sAMAccountName DisplayName |
There are four common login approaches that are supported
by the server. The first is the userPrincipalName, the second is the sAMAccountName and the third is by using the DisplayName. The more modern (and hence preferred) name is the userPrincipalName. The fourth approach is to accept the user logon name, and then internally the code uses the Domain to construct the UserPrincipalName from that. (For more on this see What to Use as the User Login.) The first option uses both the user login name, AND the domain. In the picture below, the userPrincipalName of this user is wilson@Test.local. The sAMAccount name is wilson, but the login would be TESTIRONMAN\wilson The Third approach uses the Display Name. This approach does not include the domain. This approach is not recommended because the display name does not have to be unique. So multiple users could end up with the same display name. If multiple users have the same name then NONE of them can login using this approach. The Common Name is often the same as the Display Name, but they don't necessarily have to be the same. |
userPrincipalName | This is the attribute name which holds the login. In the Active Directory Administrator this is referred to as the Logon Name, however when constructing User Filters the correct name of the attribute is userPrincipalName. |
sAMAccountName | This is an older approach to logins. It consists of the
single-name domain, followed by a \ and the user name. In the picture above this would be TESTIRONMAN\wilson |
ou Organizational Unit |
This is like a group that is used to organize objects in the directory. In a large company this might be the users department. By default in Active Directory Directory Services there is an ou called Users. This may be required in the UserFilter. |
A good example of these features in action is in the \examples\nettalk\LDAP\ActiveDirectory folder.
User filter | Attributes | Description |
---|---|---|
cn=Wilson S. Demaggio | distinguishedName,mail | Get the distinguisedName and mail attributes for this user. |
cn=Wilson S. Demaggio | memberof | Returns a string containing a list of the groups that the
user is in. For example CN=AmazingAccounts,CN=Users,DC=Test,DC=Local |
cn=AmazingAccounts | member | Returns a queue of users that are members of this group.
Each line in the queue contains the member information.
For example CN=Wilson S. Demaggio,CN=Users,DC=Test,DC=local |
cn=Wilson S. Demaggio | * | Gets all the attributes for a single user, as a queue. |
objectClass=group | cn | Lists the common name for all the groups in the directory. |
objectClass=group | distinguishedName | Lists the CN of each group, and also its location in the tree. |
objectClass=group | cn,member | Lists the groups, and the direct members in each group |
objectCategory=user | cn | Lists all the users in the directory |
objectCategory=user | distinguishedName | Lists the CN of each user, and also their location in the tree. |
&(objectclass=group)(cn=EcoTime) | cn,member | Lists the members in the group called EcoTime. |
(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Wilson S. Demaggio,CN=Users,DC=Test,DC=local)) | cn | Lists all the groups that Wilson S. Demaggio is a member of. This is a recursive group search (ie supports groups in groups) and is Active Directory (2003 R2 and later) only. |
(&(objectCategory=person)(sAMAccountName=wilson)) or (&(objectClass=user)(sAMAccountName=wilson)) |
accountExpires | The date when the account expires. This value represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of 0 or 0x7FFFFFFFFFFFFFFF (9223372036854775807) indicates that the account never expires. |
lockoutTime | The date and time (UTC) that this account was locked out. This value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC). A value of zero means that the account is not currently locked out. | |
userAccountControl | Various flags for the account - including (but not limited
to) Net:ADS_UF_ACCOUNTDISABLE Net:ADS_UF_LOCKOUT Net:ADS_UF_PASSWORD_EXPIRED |
Name | Type | Description |
---|---|---|
pHost | String | The URL or IP address of the LDAP server you are connecting to. |
pPort | String | The port number of the LDAP server you are connecting to. Defaults to 389. |
pAuthUser | String | The user name for the user when authenticating against the LDAP server. |
pAuthPassword | String | The password for the user when authenticating against the LDAP server. |
pDomain | String | The domain of the LDAP server. |
pUser | String | A user filter. |
pInGroup | String | A group name (used for UserInGroup method.) |
pActiveDirectory | Byte | New in build 11.30. Set this if the server is Windows Server 2003 R2 or later. This will allow recursive group searches to be done. |
pDontValidatePassword | Byte | New in build 12.34. this allows for ValidateUser to be called without getting the user password, but still checking the account for activeness. |
Property | Description |
---|---|
AccountExpires (real) | Set after a call to GetUserActive. Contains the date/time of the user account expiry in Unix Epoch (seconds) format. |
ActiveDirectory | Set this to true if the LDAP server being used is an Active Directory server. Defaults to true. Allows for some "Active Directory Only" features to be used. Should only be set if the Active Directory Server is on Windows Server 2003 R2 or later. |
AllowAnonymous | Set this to true if the LDAP server allows anonymous access. Usually the server does not allow anonymous access, and requires the AuthUser and AuthPassword properties to be set. |
AttributesQueue | A Queue which holds the results of an attribute search. Populated after a call to GetAttributes. Can be inspected in the SearchDone method, after the parent call. |
AuthPassword | The password, of the user who is requesting data from the server. |
AuthUser | The login of the user who is requesting data from the server. |
DebugPackets | If this is set to true then the contents of outgoing packets are sent to Debugview. Used for internal debugging only. |
DistinguishedName | This is the Distinguished name of the user. Populate this using the GetDistinguishedName method. this field is auto-populated by a call to the UserInGroup method (if it's not already populated.) |
Domain | The domain of the server that you are connecting to. This
is of the form dc=test,dc=local It is set be a call to SetDomain. |
DomainType | One of NetLDAP:UserPrincipalName,
NetLDAP:DisplayName, NetLDAP:sAMAccountName. Defaults to NetLDAP:UserPricipalName. |
Host | The IP address, or DNS name of the LDAP server machine. |
LockoutTime | Set after a call to GetUserActive. Contains the date/time when the user account was locked in Unix Epoch (seconds) format. |
LoginDomain | This is of the form c.b.a,
for example test.local or com.capesoft. It is set be a call to SetDomain. |
Port | The Port of the LDAP server machine. The default port number is 389 for an unencrypted connection. For encrypted connections the port will likely be 636. |
SearchPrefix | Allows the search for attributes, and users in a group, to be refined to a narrower scope. |
User | The user being checked for in the UserInGroup method. |
UserAccountControl | Set after a call to GetUserActive. Contains the UserAccountControl property of the user. |
UserError | If the ValidateUser method is
called, and the user login is invalid, then this property
contains one of net:WrongUserOrPassword, net:UserDisabled, net:UserExpired, net:UserLocked This property can then be used when reporting the error to the user to indicate why the login was refused. |
UserIsInGroup | If the UserInGroup method is called, then the result can be tested in the Done method. |
ValidUser | This is set to net:userValid if
a request is made to ValidateUser.
If the call is successful to the server then the Done
method will be called. If the user is not valid then see the
UserError property for the reason. It can be one of
net:userInvalid, net:WrongUserOrPassword, net:UserDisabled, net:UserExpired, net:UserLocked or net:NoConnectionToServer. |
Method | Description |
---|---|
Done | This method is called when a request to the server has received a response. |
ErrorTrap | This method is called if an error occurs while communicating with the server. |
GetAttributes | Get attributes for a specific user. |
GetAttributeValue | Reads an entry from the Attributes Queue after a call to GetAttributes. |
GetUserActive | |
MessageDone | |
Search | Do an Addhoc search against the LDAP server. |
SearchDone | Is called when the results of a search are available. |
SetAttributesQueue | Set the Queue to receive the results from a call to GetAttributes. |
SetAuthUser | Sets the AuthUser property, and possibly Domain property. |
SetUser | Sets the User property |
SetDomain | Sets the domain of the server that the program is connecting to. |
Start | RReturns the object to a virgin state. |
UserInGroup | Check to see if a specific user is in a Group or not. |
ValidateUser | Validates the AuthUser and AuthPassword properties against the server, and allows other methods to execute. If another method is called before this method is called, then this method will be called automatically. |
Parameter | Description |
---|---|
MessageID | The MessageID of the request which has just completed. |
Parameter | DDescription |
---|---|
MessageId | The ID of the message being attempted. |
ErrorCode | The NetTalk Error Code |
Error | The NetTalk Error Message |
Parameter | Description |
---|---|
UserFilter | A user filter to determine which user(s) to get the attribute(s) for. |
Attributes | A comma delimited list of the attributes to fetch. If omitted (or blank) then all the attributes for the user are returned. |
Parameter | Description |
---|---|
Attribute | The name of the attribute to read out the queue. This parameter is not case sensitive. |
Instance | The instance number to retrieve. If this parameter is omitted then the first instance of the attribute in the queue is returned. |
Parameter | Description |
---|---|
pUser | A user account name (passed through SetUser for expansion) |
Parameter | Description |
---|---|
pBase | The root for the search. Most often contains a search prefix, and domain to search. |
pFilter | The search term to search on. This filter is a User Filters. |
pAttributes | The attributes to be included in the search result. This is a comma separated list. |
pScope | The scope of the search. On of NetLDAP:SCOPE_BASEOBJECT, NetLDAP:SCOPE_ONELEVEL, NetLDAP:SCOPE_SUBTREE, NetLDAP:SCOPE_SUBORDINATE. If not sure try NetLDAP:SCOPE_SUBTREE. |
pDerefAliases | One of NetLDAP:DEREF_NEVER, NetLDAP:DEREF_SEARCHING, NetLDAP:DEREF_FINDING, NetLDAP:DEREF_ALWAYS. If not sure try NetLDAP:DEREF_NEVER. |
pSizeLimit | If omitted set to 0. The size limit of the response. If 0 then no limit is applied. |
pTimeLimit | If omitted set to 0. The time limit for the search. If 0 then no limit is applied. |
pTypesOnly | If omitted set to false. If true only types are included in the returned set. |
Parameter | Description |
---|---|
MessageId | The MessageID of the request which has just completed. |
ObjectName | The object name as returned by the server |
pAttributes | The attribute list as returned by the server |
Parameter | Description |
---|---|
AttributesQueue | The Queue to receive the results of a call to GetAttributes. |
Parameter | Description |
---|---|
AuthUser | A user name. This may be a UserPrincipalName (of the format user@c.b.a), a sAMAccountName (of the form DOMAIN\USER), or a simple user displayName. |
Type | If the preferred login type cannot be auto-detected by the
AuthUser (ie it does not include an @ or \ or space symbol)
then the type can be set using this parameter. (This parameter
is ignored if the login type can be determined from the
AuthUser). This parameter can be omitted or can be one of NetLDAP:UserPrincipalName, NetLDAP:samAccountName or NetLDAP:DisplayName. NetLDAP:UserPrincipalName is recommended. |
Parameter | Description |
---|---|
Domain | The domain, on the LDAP (aka Active Directory) server, that you are connecting to. |
Parameter | Description |
---|---|
User | If this already contains an attribute=value form then the
attribute part is removed. If the value contains just a user id, then it is adjusted to an appropriate attribute=value form. Values containing an @ symbol are adjusted to userPrincipalName=user Values containing an \ symbol are adjusted to sAMAccountName=user Values containing a space are adjusted to displayName=user If none of these are detected then the login domain of the AuthUser (if it's been set) is used to create the userPrincipalName or samAccountName, based on the Type parameter, or failing that the AuthUser's type. |
Type | If this is not set then the domain type of the AuthUser is used (if this parameter is used at all.) |
Parameter | Description |
---|---|
User | A user filter to determine which user to check. If omitted then the current User property is used. (Typically as set by a call to SetUser) |
Group | The name of the group to check. |
ActiveDirectory | Set this to true if the LDAP server is a Windows Server 2003 R2 or later server. This switch defaults to false, and allows the class to use some Active-Directory-Only features. |
Parameter | Description |
---|---|
pParms (optional) |
A LDAPParametersGroup containing all the details for the LDAP server, and specifics about the request. |