.net, active-directory, ldap, directoryservices

Get Organizational Unit from Active Directory using C#


I want to differentiate between two different types of users on an ASP.NET Web Forms site I'm building.

All the users are within my AD and the way I differentiate between the two is by putting them in two different Organizational Units called: LRDB and IPPDB.

When I try to validate them at login by using this LDAP Path:

<add name="ADConnectionString" connectionString="LDAP://test.example.com:389/DC=test,DC=com,OU=IPPDB" />

I get a server error saying:

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: An operations error occurred.

And the line where I have my Membership Provider is highlighted as where the error is coming from.

<add enableSearchMethods="true" connectionStringName="ADConnectionString" name="MembershipADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A" />

However, when I change my LDAP path to exclude the OU part, it 'works.' Works in a sense that ANYONE who is within the AD gets authenticated, not just members within the organizational unit.

If I can't avoid this whole mess, I was thinking maybe that I COULD allow the LDAP path to not have the OU, and then once it figures out that the user is a part of the AD, it then checks which OU it's a part of. However, I don't see a property for the OU. Here's what I would want the code to look like. Is there a way to get the OU from the user?

Thanks for the help!

-----------------SOLUTION------------------

Thanks to marc_s:

I believe it should be

connectionString="LDAP://test.example.com:389/OU=IPPDB,DC=test,DC=com"

OU= first before the DC= parts
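As an added illustration of the "authenticate first, then check the OU" idea raised in the question (this is example code, not from the question or from marc_s), the following uses System.DirectoryServices to search for the account with the corrected OU path as the search base. Because the base is the OU itself, an account that exists elsewhere in the domain simply does not match, which is the property the original domain-wide path lacked. The class and method names (OuMembershipCheck, IsUserInOu, EscapeFilterValue) and the service-account parameters are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example (not the original page's code).
// Assumes the corrected path "LDAP://test.example.com:389/OU=IPPDB,DC=test,DC=com"
// and a service account allowed to read the directory. Names are hypothetical.
public static class OuMembershipCheck
{
    // Returns true only when an account with this sAMAccountName exists below the OU
    // given as the search base. Users outside that OU never match, regardless of
    // whether the domain-wide membership provider accepted their password.
    public static bool IsUserInOu(string ouPath, string serviceUser, string servicePassword, string samAccountName)
    {
        using (var root = new DirectoryEntry(ouPath, serviceUser, servicePassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            // Escape the login name (RFC 4515) so a crafted value cannot alter the filter.
            string escaped = EscapeFilterValue(samAccountName);
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + escaped + "))";
            searcher.SearchScope = SearchScope.Subtree;   // include sub-OUs of IPPDB
            searcher.PropertiesToLoad.Add("distinguishedName");

            SearchResult result = searcher.FindOne();
            return result != null;
        }
    }

    // Minimal RFC 4515 filter-value escaping.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample call; replace the account details with real ones.
        bool inIppdb = IsUserInOu(
            "LDAP://test.example.com:389/OU=IPPDB,DC=test,DC=com",
            "TEST\\svc-reader", "<service account password>", "bsimpson");
        Console.WriteLine(inIppdb ? "member of IPPDB" : "not in IPPDB");
    }
}
```

Run the check after the membership provider has validated the password; with the corrected connection string the provider itself is already scoped to the OU, so this extra lookup is mainly useful when one provider must serve both LRDB and IPPDB users and the application has to tell them apart.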


Solution

    • ou=ippdb,dc=test,dc=com is a distinguished name.
    • Distinguished names are constructed from a sequence of relative distinguished names (RDN) and separated by commas (,).
    • Relative distinguished names are constructed from attribute value assertions where the left-hand side of the assertion is an attribute description with no options (meaning cn;lang-en=Bart Simpson is not a valid relative distinguished name but cn=Bart Simpson is valid) and the right-hand side is an attribute constructed according to the syntax of the attribute description.
    • The attribute description used as the left-hand side must have an equality matching rule.
    • In a relative distinguished name, the left-hand side (attribute description) is often called the naming attribute.

    Distinguished names are constructed such that the immediate superior RDN is to the right of its immediate subordinate RDN (separated by commas). In the example given (assuming the normal convention of dc=test,dc=com being superior in the directory information tree), ou=ippdb would then be immediately subordinate to dc=test.
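The RDN structure described in the answer can be made concrete by splitting a DN into its relative distinguished names and reading off the immediate superior. The example below is added here and is not part of the original answer; it follows the RFC 4514 rule that a backslash escapes the following character, so a comma inside a value (CN=Simpson\, Bart) does not start a new RDN. The class and method names (DnParser, SplitRdns, ImmediateSuperior, ParentDn, IsDirectlyUnderOu) and the sample DNs are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example (not the original page's code). Names are hypothetical.
public static class DnParser
{
    // Splits a DN into its RDN strings, leaf first, honouring backslash escapes
    // so an escaped comma inside a value does not split the RDN.
    public static List<string> SplitRdns(string dn)
    {
        var rdns = new List<string>();
        var current = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length)
            {
                current.Append(c).Append(dn[i + 1]);  // keep the escape pair verbatim
                i++;
            }
            else if (c == ',')
            {
                rdns.Add(current.ToString().Trim());
                current.Clear();
            }
            else
            {
                current.Append(c);
            }
        }
        if (current.Length > 0) rdns.Add(current.ToString().Trim());
        return rdns;
    }

    // The immediate superior of the leaf entry is the RDN to its right.
    public static string ImmediateSuperior(string dn)
    {
        var rdns = SplitRdns(dn);
        return rdns.Count > 1 ? rdns[1] : null;
    }

    // Everything to the right of the leaf RDN: the DN of the parent container.
    public static string ParentDn(string dn)
    {
        var rdns = SplitRdns(dn);
        return rdns.Count > 1 ? string.Join(",", rdns.GetRange(1, rdns.Count - 1)) : "";
    }

    // True when the leaf's parent is the OU with the given name (case-insensitive,
    // which is how the directory compares these values).
    public static bool IsDirectlyUnderOu(string entryDn, string ouName)
    {
        string parent = ImmediateSuperior(entryDn);
        return parent != null && string.Equals(parent, "OU=" + ouName, StringComparison.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        // Constructed sample DNs: the corrected path from the question and the original one.
        string corrected = "OU=IPPDB,DC=test,DC=com";
        string original  = "DC=test,DC=com,OU=IPPDB";
        Console.WriteLine(ImmediateSuperior(corrected)); // DC=test : the OU sits under the domain
        Console.WriteLine(ImmediateSuperior(original));  // DC=com  : a domain component "under" an OU, which the tree does not contain

        // A user's distinguishedName attribute, as returned by the directory.
        string user = "CN=Simpson\\, Bart,OU=IPPDB,DC=test,DC=com";
        Console.WriteLine(IsDirectlyUnderOu(user, "ippdb")); // True
        Console.WriteLine(ParentDn(user));                    // OU=IPPDB,DC=test,DC=com
    }
}
```

Applied to the question: reading a user's distinguishedName attribute and taking its parent DN is the way to learn which OU the account lives in, since no separate "OU" property exists on the user object.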