[AccessD] Active Directory Authentication or Lookup for DB

Drew Wutka DWUTKA at Marlow.com
Tue Nov 18 11:26:23 CST 2008


Ok, well getting the local NT user (the account name of the user
currently logged into a machine) is pretty easy: (watch for word wrap)

' Win32 API: returns the account name for the current thread's user.
Private Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" _
    (ByVal lpBuffer As String, nSize As Long) As Long

Private Function GetCurrentLoggedOnUser() As String
Dim intBuffer As Long
Dim strNTUser As String
Dim dwReturn As Long
' Pre-fill the buffer; on return intBuffer holds the number of
' characters written, including the terminating null.
intBuffer = 255
strNTUser = Space(intBuffer)
dwReturn = GetUserName(strNTUser, intBuffer)
If dwReturn <> 0 Then
    ' Drop the trailing null character.
    strNTUser = Left(strNTUser, intBuffer - 1)
Else
    strNTUser = "Unable to Determine"
End If
GetCurrentLoggedOnUser = strNTUser
End Function

If you want to authenticate a user:

' Requires a reference to Microsoft ActiveX Data Objects (ADODB).
' Returns True only when the query, run with the supplied credentials,
' succeeds and returns the account.
Friend Function ValidateNTUser(strUserName As String, _
    strPassword As String) As Boolean
On Error Resume Next
Dim strDomain As String
Dim conLDAP As ADODB.Connection
Dim strSQL As String
Dim strLDAPConn As String
Dim rsUser As ADODB.Recordset
' The user name is concatenated into the query below, so refuse a name
' containing a quote rather than let it end the string literal early.
If InStr(strUserName, "'") > 0 Then Exit Function
strDomain = GetObject("LDAP://RootDSE").Get("defaultNamingContext")
Set conLDAP = New ADODB.Connection
conLDAP.Provider = "ADsDSOObject"
strSQL = "Select AdsPath, cn From 'LDAP://" & strDomain & "' where " & _
    "objectClass='user' and objectcategory='person' and SamAccountName='" & _
    strUserName & "'"
conLDAP.Properties("User ID") = strUserName
conLDAP.Properties("Password") = strPassword
conLDAP.Properties("Encrypt Password") = True
conLDAP.Open "DS Query", strUserName, strPassword
' Discard earlier errors so the check below reflects only the query.
Err.Clear
Set rsUser = conLDAP.Execute(strSQL)
ValidateNTUser = False
If Err.Number = 0 Then
    If Not (rsUser Is Nothing) Then
        If Not (rsUser.EOF And rsUser.BOF) Then
            ValidateNTUser = True
        End If
    End If
End If
End Function

Drew
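
An added example, not part of the original post: because the function above concatenates the user name into the ADSI query, this sketch checks the name against an allow-list before the query is built and refuses blank credentials before any bind is attempted. The names IsSafeSamAccountName, BuildUserQuery, CredentialsAcceptable and DemoUserNameChecks are hypothetical, and the allowed character set and the 20-character limit are an assumed, deliberately narrow policy for pre-Windows 2000 logon names.

```vba
Option Explicit

' Added example (not from the original post). All names are hypothetical.

' True when strUserName is 1-20 characters drawn from A-Z, a-z, 0-9, ".",
' "_" and "-". The allow-list is an assumed, deliberately narrow policy.
Public Function IsSafeSamAccountName(ByVal strUserName As String) As Boolean
    Dim i As Long
    If Len(strUserName) = 0 Or Len(strUserName) > 20 Then Exit Function
    For i = 1 To Len(strUserName)
        Select Case AscW(Mid$(strUserName, i, 1))
            Case 48 To 57, 65 To 90, 97 To 122, 45, 46, 95
                ' allowed character
            Case Else
                Exit Function   ' quote, *, (, ), \, space, non-ASCII ...
        End Select
    Next i
    IsSafeSamAccountName = True
End Function

' Builds the same ADSI SQL-dialect query as the post, but only for a
' name that passed the allow-list; otherwise raises an error.
Public Function BuildUserQuery(ByVal strDomain As String, _
                               ByVal strUserName As String) As String
    If Not IsSafeSamAccountName(strUserName) Then
        Err.Raise vbObjectError + 513, "BuildUserQuery", "User name rejected"
    End If
    BuildUserQuery = "Select AdsPath, cn From 'LDAP://" & strDomain & "' where " & _
        "objectClass='user' and objectCategory='person' and " & _
        "SamAccountName='" & strUserName & "'"
End Function

' Gate to call before attempting a bind: blank or malformed input never
' reaches the directory provider.
Public Function CredentialsAcceptable(ByVal strUserName As String, _
                                      ByVal strPassword As String) As Boolean
    CredentialsAcceptable = IsSafeSamAccountName(strUserName) And Len(strPassword) > 0
End Function

' Constructed sample inputs; run from the Immediate window.
Public Sub DemoUserNameChecks()
    Dim v As Variant
    For Each v In Array("jsmith", "o'brien", "js*", "", String$(21, "a"))
        Debug.Print "[" & v & "]", IsSafeSamAccountName(CStr(v))
    Next v
    Debug.Print BuildUserQuery("DC=example,DC=com", "jsmith")
End Sub
```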

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Lawrence
Mrazek
Sent: Tuesday, November 18, 2008 11:10 AM
To: 'Access Developers discussion and problem solving'
Subject: Re: [AccessD] Active Directory Authentication or Lookup for DB

Hi Drew:

Sorry about the delay in responding; trying to get over some sort of
illness brought home by the kids!

Basically, I think they'd like to do a lookup against AD, compare
against a username in the application table, if both match, then allow
them to proceed. These apps are already secured by Active Directory
permissions, most of them are custom reporting and analysis tools I
developed to provide them with functionality lacking in their
enterprise software.

Do you think the above scenario is doable?

Larry Mrazek
ph. 314-432-5886
lmrazek at lcm-res.com
http://www.lcm-res.com


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Drew Wutka
Sent: Monday, November 17, 2008 9:59 AM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Active Directory Authentication or Lookup for DB

So what kind of code are you looking for to get there?  Just the basic
logged in user stuff, or do you want some code to query/authenticate
against AD?

Drew

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Lawrence
Mrazek
Sent: Saturday, November 15, 2008 1:19 AM
To: 'Access Developers discussion and problem solving'
Subject: Re: [AccessD] Active Directory Authentication or Lookup for DB

Hi Drew:

Thanks for the great response; it really helped bring everything into
focus.


I might only need to query against Active Directory, so a common user
framework running on all of their apps might do the trick.

Larry Mrazek
ph. 314-432-5886
lmrazek at lcm-res.com
http://www.lcm-res.com


-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Drew Wutka
Sent: Friday, November 14, 2008 3:49 PM
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Active Directory Authentication or Lookup for DB

Ok, you asked, so sit back and read.  I am not going to include any code
at this point, because there would be too much to throw at you at once!

To start with, there are a few ways to get AD information.  The easiest
and least code intensive is to just go off of NT User name (or Active
Directory Account name).  To retrieve this name is a very simple
function (just a few lines of code).  You can also retrieve the name of
the domain you are on with a simple line of code too.  So if you just
want to know that jsmith on MyCompany domain is getting into your
database, you can use those two simple functions to verify that.

HOWEVER, the steps above are going to go off of the credentials of the
user currently logged into the machine.  It will even work if the user
is technically 'offline', because the functions for those will go off of
the local machine's cached credentials.  This is usually as far as most
Access developers will go to integrate their systems with Active
Directory.

However, if you want to go further, you can actually 'query' Active
Directory.  Querying AD is a little different than Access Queries.  The
language is a bit different, different qualifiers, structure, etc.
However, by querying AD, you can get a list of all current users,
groups, group membership, etc.  You can also 'authenticate' a user
against Active Directory.  I have a function that will do that if you
provide the username and password.

So, if you truly want to make a system that is integrated with Active
Directory, I would build a 'user framework'.  I do this with a global
user class.  When it initializes, it gets all the current user
information based off of the logged in user, but it can be changed to
represent another user through the authentication method I described
earlier.  All functions/features are then verified through this class.

I will caution you, however, that while Access is a great RAD tool, when
it is used as a Front End, it is less than secure.  I personally have
never used AD integration with an Access FE, I have used it with a VB FE
and with Web based front ends, where the database is not directly
available to the users.  So if you are looking to use AD integration as
a simple method of user administration, go ahead, but if you are
planning on using AD integration for security purposes, I would
recommend a different platform for your front end.

Drew

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Lawrence
Mrazek
Sent: Friday, November 14, 2008 1:03 PM
To: 'Access Developers discussion and problem solving'
Subject: [AccessD] Active Directory Authentication or Lookup for DB

Hi Folks:

Is it possible to use Active Directory to login to an Access DB (XP in
this case)? Can I access the current AD username and groups via VBA
code?

I'm just trying to see what's possible in this area right now and if
anyone is using this functionality in their apps.

Thanks in advance. 

Larry Mrazek
ph. 314-432-5886
lmrazek at lcm-res.com
http://www.lcm-res.com



--
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com The information contained in
this
transmission is intended only for the person or entity to which it is
addressed and may contain II-VI Proprietary and/or II-VI Business
Sensitive
material. If you are not the intended recipient, please contact the
sender
immediately and destroy the material in its entirety, whether electronic
or
hard copy. You are notified that any review, retransmission, copying,
disclosure, dissemination, or other use of, or taking of any action in
reliance upon this information by persons or entities other than the
intended recipient is prohibited.

