At 9:16 +0000 11/11/05, Martin Crane wrote:
Sorry, maybe I phrased my original question badly. I don't want to authenticate the user, as seems to be the requirement in the CryptNoMore sample. I simply want to find out the server which already authenticated the user at the Login Window and retrieve its LDAP search base - that which is set either in the Directory Access app or supplied via a DHCP offer.
Right. My point in directing you to CryptNoMore is that:
a) you need to find out which directory node (that is, which LDAP server) authenticated the user
b) CryptNoMore gets that information (the AppleMetaNodeLocation attribute of the user's Directory Services record) as part of its operation
c) the Directory Services API is complex, so it's better for you to start with CryptNoMore than to try and figure it out from scratch yourself
I answered a similar question for a developer quite recently. They were doing advanced printer authentication, and wanted to know, for a given user ID, whether that user was authenticated via Active Directory and, if so, what their Active Directory user name and Active Directory domain were. Sounds similar, huh?
I solved this problem by starting with CryptNoMore and bashing the code until it returned the attributes I needed. The vast bulk of the code didn't change. I've included the new code at the end of this email.
[btw, just for the record, the technique shown in this code is slightly wrong. After consulting with Apple's Active Directory DS plugin engineer, we decided that the best solution for getting the AD domain is to simply strip the "/Active Directory/" from the front of the AppleMetaNodeLocation attribute's value. This is preferred over accessing the "dsAttrTypeNative:ADDomain" attribute. However, this change is highly AD specific, and thus irrelevant to my proposed solution to your LDAP problem.]
S+E
--
Apple Developer Technical Support * Networking, Communications, Hardware
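The reply above says that the authenticating directory node is carried in the user's AppleMetaNodeLocation attribute, and that for Active Directory the domain is obtained by stripping the "/Active Directory/" prefix from that value. The following is an added illustration, not code from the thread or from CryptNoMore: it parses the node path once the record has been read (the sample record, the `read_meta_node_location` helper and the assumption that the LDAPv3 plugin's path names the server are all constructed here, not taken from the email).

```python
from dataclasses import dataclass
from typing import Optional

# Plugin names as they appear in the first path component of
# AppleMetaNodeLocation, e.g. "/Active Directory/DOMAIN" or "/LDAPv3/host".
AD_PLUGIN = "Active Directory"
LDAP_PLUGIN = "LDAPv3"


@dataclass(frozen=True)
class DirectoryNode:
    plugin: str   # first path component: the DS plugin that owns the node
    path: str     # remainder of the node path, may be empty


def parse_meta_node_location(value: str) -> DirectoryNode:
    """Split an AppleMetaNodeLocation value into plugin and remaining path.

    The value is always an absolute path; anything else is rejected rather
    than guessed at, so a malformed record never yields a "domain".
    """
    if not value.startswith("/"):
        raise ValueError(f"not an absolute directory node path: {value!r}")
    plugin, _, path = value[1:].partition("/")
    if not plugin:
        raise ValueError(f"empty plugin component in node path: {value!r}")
    return DirectoryNode(plugin=plugin, path=path)


def read_meta_node_location(record: dict) -> str:
    """Constructed stand-in for reading the attribute from a DS user record.

    In real code this value comes from the Directory Services record that
    authenticated the user (what CryptNoMore retrieves); here the record is
    just a dict so the parsing can be run offline.
    """
    values = record.get("AppleMetaNodeLocation") or []
    if len(values) != 1:
        raise ValueError("expected exactly one AppleMetaNodeLocation value")
    return values[0]


def active_directory_domain(record: dict) -> Optional[str]:
    """Return the AD domain per the email's advice: strip "/Active Directory/".

    Returns None when the user was not authenticated by the AD plugin, so the
    caller cannot mistake an LDAPv3 or local user for an AD user.
    """
    node = parse_meta_node_location(read_meta_node_location(record))
    if node.plugin != AD_PLUGIN or not node.path:
        return None
    return node.path


def ldap_node_path(record: dict) -> Optional[str]:
    """Return the LDAPv3 node path (assumed here to name the LDAP server)."""
    node = parse_meta_node_location(read_meta_node_location(record))
    if node.plugin != LDAP_PLUGIN or not node.path:
        return None
    return node.path


# Constructed sample records, shaped like dsRecords with one attribute each.
AD_USER = {"AppleMetaNodeLocation": ["/Active Directory/EXAMPLE.COM"]}
LDAP_USER = {"AppleMetaNodeLocation": ["/LDAPv3/ldap.example.com"]}
LOCAL_USER = {"AppleMetaNodeLocation": ["/Local/Default"]}

if __name__ == "__main__":
    for name, rec in (("AD", AD_USER), ("LDAP", LDAP_USER), ("local", LOCAL_USER)):
        print(name, active_directory_domain(rec), ldap_node_path(rec))
```

The point of returning None rather than a stripped string for non-AD nodes is the one the email hints at: the meta node location tells you which plugin actually authenticated the user, so any follow-on lookup (the LDAP search base in the original question) should be keyed on that node, not on whatever server the client happens to be configured for.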