How to read Dynamic Access Control objects using LDAP

This code sample will enumerate all of the Dynamic Access Control objects in Active Directory.

Prerequisites

Note

This example contains queries that use Active Directory Schema attributes, such as msDS-ClaimAttributeSource. For information about specific attributes in the example, see All Attributes.

 

Instructions

Step 1:

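/*********************************************** 
*  
* Find all of the Claim Types in the directory.
* 
***********************************************/

// Create a new Ldap endpoint with an empty server.  This call will use the 
// Standard DC locator methods to locate a Domain Controller.
var endpoint = new System.DirectoryServices.Protocols.LdapDirectoryIdentifier(string.Empty);

// Create a new Ldap connection.  LdapConnection is IDisposable and owns the
// LDAP session, so it is wrapped in a using block to guarantee the session is
// closed even when one of the searches below throws.
using (var ldap_connection = new System.DirectoryServices.Protocols.LdapConnection(endpoint))
{
    // Request a signed and sealed session so the access-control policy data read
    // below cannot be altered or observed in transit.  These options must be set
    // before the first request, because SendRequest binds the connection implicitly.
    ldap_connection.SessionOptions.Signing = true;
    ldap_connection.SessionOptions.Sealing = true;

    // Create a search request to locate the Configuration Naming Context for the forest.
    // The RootDSE is read with an empty DN and a Base-scope search.  The filter is
    // written in standard LDAP filter syntax, matching the other filters in this sample.
    var request = new System.DirectoryServices.Protocols.SearchRequest(
        "",
        "(objectClass=*)",
        System.DirectoryServices.Protocols.SearchScope.Base,
        new string[] { "configurationNamingContext" });

    // Execute the search and cast the response as a SearchResponse
    var response = (System.DirectoryServices.Protocols.SearchResponse)ldap_connection.SendRequest(request);

    // Get the Configuration container DN for the forest.  Guard the indexers so a
    // missing entry or attribute produces a clear error instead of an
    // ArgumentOutOfRangeException or NullReferenceException.
    if (response.Entries.Count == 0 ||
        response.Entries[0].Attributes["configurationNamingContext"] == null ||
        response.Entries[0].Attributes["configurationNamingContext"].Count == 0)
    {
        throw new System.InvalidOperationException(
            "The RootDSE search did not return a configurationNamingContext value.");
    }
    string configuration_dn = response.Entries[0].Attributes["configurationNamingContext"][0].ToString();

    // Calculate the Claims Configuration DN based on the Configuration DN.
    string claims_dn =
        string.Format("CN=Claim Types,CN=Claims Configuration,CN=Services,{0}", configuration_dn);

    // Create a new search request for Claim Types.
    request = new System.DirectoryServices.Protocols.SearchRequest(
        claims_dn,
        "(cn=*)",
        System.DirectoryServices.Protocols.SearchScope.OneLevel,
        new string[] 
        {
            "name",
            "description",
            "displayname",
            "enabled",
            "msDS-ClaimAttributeSource",
            "msDS-ClaimSource",
            "msDS-ClaimTypeAppliesToClass",
            "msDS-ClaimSourceType",
            "msDS-ClaimIsSingleValued",
            "msDS-ClaimPossibleValues",
            "msDS-ClaimValueType",
            "msDS-ClaimIsValueSpaceRestricted"
        });

    // Execute the search and cast the response as a SearchResponse
    response = (System.DirectoryServices.Protocols.SearchResponse)ldap_connection.SendRequest(request);

    // Enumerate the results.  An entry whose "name" attribute was not returned is
    // skipped rather than dereferencing a null attribute.
    foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in response.Entries)
    {
        System.DirectoryServices.Protocols.DirectoryAttribute name_attribute = entry.Attributes["name"];
        if (name_attribute == null || name_attribute.Count == 0)
        {
            continue;
        }
        string claim_id = name_attribute[0].ToString();
    }

    /*********************************************** 
    *  
    * Find all of the Resource Properties in the directory.
    * 
    ***********************************************/

    // Calculate the Resource Property Container DN based on the Configuration DN.
    string resource_properties_dn = 
        string.Format("CN=Resource Properties,CN=Claims Configuration,CN=Services,{0}", configuration_dn);

    // Create a new search request for Resource Properties.
    request = new System.DirectoryServices.Protocols.SearchRequest(
        resource_properties_dn,
        "(cn=*)",
        System.DirectoryServices.Protocols.SearchScope.OneLevel,
        new string[] 
        {
            "name",
            "description",
            "displayname",
            "enabled",
            "msDS-IsUsedAsResourceSecurityAttribute",
            "msDS-ClaimSharesPossibleValuesWith",
            "msDS-ValueTypeReference",
            "msDS-MembersOfResourcePropertyListBL",
            "msDS-ClaimPossibleValues",
            "msDS-AppliesToResourceTypes"
        });

    // Execute the search and cast the response as a SearchResponse
    response = (System.DirectoryServices.Protocols.SearchResponse)ldap_connection.SendRequest(request);

    // Enumerate the results, skipping entries without a "name" value.
    foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in response.Entries)
    {
        System.DirectoryServices.Protocols.DirectoryAttribute name_attribute = entry.Attributes["name"];
        if (name_attribute == null || name_attribute.Count == 0)
        {
            continue;
        }
        string rp_id = name_attribute[0].ToString();
    }

    /*********************************************** 
    *  
    * Find all of the Central Access Rules in the directory.
    * 
    ***********************************************/

    // Calculate the Central Access Rules Container DN based on the Configuration DN.
    string car_dn =
        string.Format("CN=Central Access Rules,CN=Claims Configuration,CN=Services,{0}", configuration_dn);

    // Create a new search request for Central Access Rules.
    request = new System.DirectoryServices.Protocols.SearchRequest(
        car_dn,
        "(cn=*)",
        System.DirectoryServices.Protocols.SearchScope.OneLevel,
        new string[] 
        {
            "name",
            "description",
            "displayname",
            "enabled",
            "msAuthz-EffectiveSecurityPolicy",
            "msAuthz-LastEffectiveSecurityPolicy",
            "msAuthz-ProposedSecurityPolicy",
            "msAuthz-ResourceCondition"
        });

    // Execute the search and cast the response as a SearchResponse
    response = (System.DirectoryServices.Protocols.SearchResponse)ldap_connection.SendRequest(request);

    // Enumerate the results, skipping entries without a "name" value.
    foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in response.Entries)
    {
        System.DirectoryServices.Protocols.DirectoryAttribute name_attribute = entry.Attributes["name"];
        if (name_attribute == null || name_attribute.Count == 0)
        {
            continue;
        }
        string car_id = name_attribute[0].ToString();
    }

    /*********************************************** 
    *  
    * Find all of the Central Access Policies in the directory.
    * 
    ***********************************************/

    // Calculate the Central Access Policies Container DN based on the Configuration DN.
    string cap_dn =
        string.Format("CN=Central Access Policies,CN=Claims Configuration,CN=Services,{0}", configuration_dn);

    // Create a new search request for Central Access Policies.
    // NOTE(review): the attribute list below is the same one used for Central Access
    // Rules above; confirm it is the intended set for policy objects.
    request = new System.DirectoryServices.Protocols.SearchRequest(
        cap_dn,
        "(cn=*)",
        System.DirectoryServices.Protocols.SearchScope.OneLevel,
        new string[] 
        {
            "name",
            "description",
            "displayname",
            "enabled",
            "msAuthz-EffectiveSecurityPolicy",
            "msAuthz-LastEffectiveSecurityPolicy",
            "msAuthz-ProposedSecurityPolicy",
            "msAuthz-ResourceCondition"
        });

    // Execute the search and cast the response as a SearchResponse
    response = (System.DirectoryServices.Protocols.SearchResponse)ldap_connection.SendRequest(request);

    // Enumerate the results, skipping entries without a "name" value.
    foreach (System.DirectoryServices.Protocols.SearchResultEntry entry in response.Entries)
    {
        System.DirectoryServices.Protocols.DirectoryAttribute name_attribute = entry.Attributes["name"];
        if (name_attribute == null || name_attribute.Count == 0)
        {
            continue;
        }
        string cap_id = name_attribute[0].ToString();
    }
}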

System.DirectoryServices.Protocols

Introduction to System.DirectoryServices.Protocols