DotNetNewsgroup.com  
web access to complete list of Microsoft.NET newsgroups
start date: Fri, 20 Jul 2007 18:38:24 -0000,    posted on: microsoft.public.dotnet.framework.aspnet.security

Thread Index
  1    chand
          2    Joe Kaplan
                 3    Joe Kaplan
          4    chand
          5    chand
          6    chand


User objects cannot be created in the specified container   
Hi,

I am using ActiveDirectoryProvider to authenticate users (AD). If I
point my provider to the root of AD everything works fine.

If I point the provider to a CN which has a group of users under a
nested container under root I am getting the following error.

Root --> OU1--> OU12--> CN

My connection is pointing to the CN.


"User objects cannot be created in the specified container"

I tried to reflect over the AD provider and found that the provider is
failing at the following method,

DirectoryAttribute objectClass = response.Entries[0].Attributes["objectClass"];
if (!this.ContainerIsSuperiorOfUser(objectClass))
{
    throw new ProviderException(SR.GetString("ADMembership_Container_not_superior"));
}

Is there a problem with configuration of AD?

Thanks,
chand
Date:Fri, 20 Jul 2007 18:38:24 -0000   Author:  

Re: User objects cannot be created in the specified container   
What type of object is the CN=xxx object?  If it is not an OU or a 
container, this won't work.  It sounds like you are trying to use a group 
object.  Groups are not container types.

Joe K.

-- 
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"chand"  wrote in message 
news:1184956704.256139.265320@w3g2000hsg.googlegroups.com...

> Hi,
>
> I am using ActiveDirectoryProvider to authenticate users (AD). If I
> point my provider to the root of AD everything works fine.
>
> If I point the provider to a CN which has a group of users under a
> nested container under root I am getting the following error.
>
> Root --> OU1--> OU12--> CN
>
> My connection is pointing to the CN.
>
>
> "User objects cannot be created in the specified container"
>
> I tried to reflect over the AD provider and found that the provider is
> failing at the following method,
>
> DirectoryAttribute objectClass = response.Entries[0].Attributes["objectClass"];
> if (!this.ContainerIsSuperiorOfUser(objectClass))
> {
>     throw new ProviderException(SR.GetString("ADMembership_Container_not_superior"));
> }
>
> Is there a problem with configuration of AD?
>
> Thanks,
> chand
> 
Date:Fri, 20 Jul 2007 14:47:30 -0500   Author:  

Re: User objects cannot be created in the specified container   
Hi Joe,

Thank you for replying.  Yes. CN is a group object. This CN has a list
of members that are allowed to access my application.  This
configuration is identical to other CNs used by other applications
like "Business Objects" in the organization.

Unfortunately I don't have much control over the AD configuration. If
we put a test user directly under OU12 everything works. But now our
AD admin is not willing to add each user as a container directly under
OU12.  His argument is that this kind of configuration won't allow
users to be under another OU which can be used by some other
application in the organization.  I am not sure whether that is a
correct assumption.

Is there any way to configure the AD to give a user access to
multiple OUs without using a group?

Thank you,
chand
Date:Sat, 21 Jul 2007 20:30:35 -0700   Author:  

Re: User objects cannot be created in the specified container   
Hi Joe,

Thank you for replying.  Yes. CN is a group object. This CN has a list
of members that are allowed to access my application.  This
configuration is identical to other CNs used by other applications
like "Business Objects" in the organization.

Root --> OU1--> OU12--> CN (group)

1. If I point the connection to Root, everything works fine. But this
would allow everyone in the organization to access my application.
The goal is to restrict access to a group of users.

2. If I point the LDAP connection to OU12, I am not getting the above
error. However, the provider's 'ValidateUser' method is returning false for
any member in the CN group. Either this method is not searching the
group or not finding the users in the group.  I am using the
sAMAccountName attribute.

3. If we put a test user directly under OU12 everything works. Is
this the only way to configure AD to work with
ActiveDirectoryMembershipProvider? Using the groups under OUs seems to
be the reasonable option as this allows the admin to manage users
without worrying about different applications.

Thank you,
chand
Date:Sun, 22 Jul 2007 04:55:51 -0700   Author:  

Re: User objects cannot be created in the specified container   
Groups are not containers.  Groups have membership.  These are totally 
different things.  In order to get users provisioned into the directory, 
they will have to be in a container.  They can be in only one container in 
the hierarchy (think of it like a folder in a file system).  Examples of 
container classes include organizational units and containers.

Objects can be members of multiple groups.  The membership of an object in a 
group is not related to its location in the directory hierarchy.

So, you'll need to provision your users to a container.  As to how to get 
them to be a member of a group, you can do that in code as well, but I don't 
think it is supported by the membership provider by default.  You would need 
to implement that logic yourself.

Joe K.

-- 
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"chand"  wrote in message 
news:1185105351.297510.283090@n60g2000hse.googlegroups.com...

> Hi Joe,
>
> Thank you for replying.  Yes. CN is a group object. This CN has a list
> of members that are allowed to access my application.  This
> configuration is identical to other CNs used by other applications
> like "Business Objects" in the organization.
>
> Root --> OU1--> OU12--> CN (group)
>
> 1. If I point the connection to Root, everything works fine. But this
> would allow everyone in the organization to access my application.
> The goal is to restrict access to a group of users.
>
> 2. If I point the LDAP connection to OU12, I am not getting the above
> error. However, the provider's 'ValidateUser' method is returning false for
> any member in the CN group. Either this method is not searching the
> group or not finding the users in the group.  I am using the
> sAMAccountName attribute.
>
> 3. If we put a test user directly under OU12 everything works. Is
> this the only way to configure AD to work with
> ActiveDirectoryMembershipProvider? Using the groups under OUs seems to
> be the reasonable option as this allows the admin to manage users
> without worrying about different applications.
>
> Thank you,
> chand
> 
Date:Sun, 22 Jul 2007 14:59:24 -0500   Author:  

Re: User objects cannot be created in the specified container   
OK. We made our application users members of a group and assigned
that group to an OU container. And I am using the container as my
connection string.  But it appears that the ASP.NET membership provider
cannot bind the users of that group. It simply returns an invalid login
attempt error. Could it be that the provider doesn't support users of a
group under a container?

Thanks,
chand
Date:Mon, 23 Jul 2007 06:09:25 -0700   Author:  
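
The goal stated in the thread (restrict login to members of one group) can be met by leaving the provider pointed at a container that really holds the user objects and checking group membership as a separate step. The following is an added example, not code from the posters or from the provider; the LDAP path, the group DN and the names GroupGate, IsInAppGroup and Login are assumed placeholders.

```csharp
using System.DirectoryServices;
using System.Text;
using System.Web.Security;

public static class GroupGate
{
    // Assumed placeholders (not from the thread): container holding the users, and the group's DN.
    const string UserContainer = "LDAP://DC=example,DC=com";
    const string AppGroupDn = "CN=AppUsers,OU=OU12,OU=OU1,DC=example,DC=com";

    // RFC 4515 escaping, so a submitted user name cannot change the filter.
    static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // True only if a user with this sAMAccountName lists the group in memberOf.
    public static bool IsInAppGroup(string samAccountName)
    {
        string filter = string.Format(
            "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0})(memberOf={1}))",
            EscapeFilterValue(samAccountName), EscapeFilterValue(AppGroupDn));
        // Binds as the process identity; the default search scope is the whole subtree.
        using (DirectoryEntry root = new DirectoryEntry(UserContainer))
        using (DirectorySearcher searcher = new DirectorySearcher(root, filter))
        {
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne() != null;
        }
    }

    // Authenticate through the configured membership provider, then authorize by group.
    public static bool Login(string userName, string password)
    {
        return Membership.ValidateUser(userName, password) && IsInAppGroup(userName);
    }
}
```

The memberOf filter matches direct membership only: it does not follow nested groups and does not reflect a user's primary group.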
