
How I can get group name to which the user belongs?

Jul 31 20 7:39 pm

Hello!

I am studying the UserDatabase API from WinGateSDK. I use UDBSearchOpen to browse the UDB with the UDB_SEARCH_USERS | UDB_SEARCH_GROUPS flags.
But I cannot understand how to define the group name to which the user belongs in the case when the UDBhandle param in UDBSearchCallbackFunc corresponds to a user object.
The current UDB provider is Windows UDB.
Is it possible to do this using the User Database API, and if so, what is the best way to do it?

Thanks

Re: How I can get group name to which the user belongs?

Aug 04 20 3:31 pm

Hi

The first thing you need to know is that a user can be a member of many groups, including groups that one or more of the groups can be a member of.

When you search for groups a user is a member of, you choose how to specify the user you are searching for membership. For example, in our code to display Membership of for an object, we use this code for the search.

Code:
   // OK, we need to kick off a search which returns all the groups this object is a member of
   UDB_SEARCH_INFO Search;
   Search.dwFlags = UDB_SEARCH_USESTRINGVALUE | UDB_SEARCH_ALLOBJECTS | UDB_SEARCH_MEMBEROF;
   Search.strValue = m_strObjectGUID.c_str();
   Search.dwField = UDB_SEARCH_FIELD_GUID;
   Search.dwItems = 0;
   Search.pContext = this;
   Search.pCallbackFunc = GetMemberofCallbackFunc;

   UDBHandle hSearch;
   SPI::UDBSearchOpen(&Search, &hSearch);
   SPI::UDBCloseHandle(hSearch);


So we take the GUID of the object (since not just a user can be a member of a group, but also a group, computer, security principal etc.). Then we specify that the search value is the GUID of the object in dwField.

Could use SID, but they are not always guaranteed unique or invariant. SID can be doubled up in some cases (e.g. well known security principals) and can change for a user if the user is moved to a different domain.

Note: can get the GUID of a user object with

Code:
HRESULT UDBObjectGetInfo(WinGateSDK::UDBHandle hObject, WinGateSDK::UDB_OBJECT_INFO** ppInfo);
HRESULT UDBObjectFreeInfo(WinGateSDK::UDB_OBJECT_INFO* pInfo);


Also note we free the handle after calling the search function; it's reference counted and cleaned up after the last search result is delivered to the callback function. It's easier to do this than to check for end of search results and clean up the search handle then (saves having to remember the handle). If you want to cancel the search, however, you would need to remember the search handle.


Regards

Adrien

Re: How I can get group name to which the user belongs?

Aug 05 20 3:42 am

thanks for the help

Re: How I can get group name to which the user belongs?

Aug 05 20 5:28 am

And how to check for the end of search results?

Re: How I can get group name to which the user belongs?

Aug 05 20 12:08 pm

SadTroll wrote: And how to check for the end of search results?


End of search is denoted by delivery of a NULL handle.

Re: How I can get group name to which the user belongs?

Aug 08 20 3:12 am

Hi!

Thanks for the help!

One more question.
Is it correct that with each call to UDBSearchOpen, a separate thread will be started?
And is it correct that in this thread the transferred callback will be called?

Re: How I can get group name to which the user belongs?

Aug 11 20 3:20 pm

Hi

In the GUI, the call does not spawn a new thread, but uses the existing communication thread to post the request to the engine. Callbacks come in the context of the user interface thread of the gatekeeper.exe process.

In the engine, the call spawns a new thread and callbacks come in that thread. So you are correct in your assumption. You should not throw any exceptions from your callback.

Regards

Adrien
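
The callback rules given in the replies above (results may arrive on a thread the engine spawns, a NULL handle marks the end of the search, and no exception may leave the callback) can be exercised with a small stand-in. This is an added example, not WinGate or SDK code: `MockHandle`, `MockCallback`, `mock_search_open` and `MemberOfCollector` are hypothetical names, and the real UDBSearchCallbackFunc signature is not shown in this thread.

```cpp
#include <exception>
#include <future>
#include <stdexcept>
#include <string>
#include <thread>
#include <vector>

// Stand-in for the SDK (hypothetical, not WinGateSDK types): a handle is a
// pointer to a group name, and a null handle marks the end of the search.
using Names = std::vector<std::string>;
using MockHandle = const std::string*;
using MockCallback = void (*)(void* ctx, MockHandle h);

// Mimics the engine-side behaviour: results come on a new thread, then one null handle.
std::thread mock_search_open(const Names& groups, void* ctx, MockCallback cb) {
    return std::thread([&groups, ctx, cb] {
        for (const auto& g : groups) cb(ctx, &g);
        cb(ctx, nullptr);
    });
}

struct MemberOfCollector {
    Names names;                // written only by the callback thread
    std::exception_ptr error;   // first failure, recorded rather than thrown
    std::promise<void> done;    // fulfilled when the null handle arrives
    static void on_result(void* ctx, MockHandle h) noexcept {
        auto* self = static_cast<MemberOfCollector*>(ctx);
        try {  // nothing may escape into the thread that called us
            if (h == nullptr) { self->done.set_value(); return; }
            if (h->empty()) throw std::runtime_error("empty group name");
            self->names.push_back(*h);
        } catch (...) {
            if (!self->error) self->error = std::current_exception();
        }
    }
};

Names collect_groups(const Names& groups, bool* had_error) {
    MemberOfCollector c;
    std::thread t = mock_search_open(groups, &c, &MemberOfCollector::on_result);
    c.done.get_future().wait();  // results are complete only after the null handle
    t.join();
    *had_error = static_cast<bool>(c.error);
    return c.names;
}

int main() {
    bool bad = false;  // constructed sample input: one entry is deliberately empty
    return collect_groups({"Domain Users", "", "Proxy Admins"}, &bad).size() == 2 ? 0 : 1;
}
```

Blocking on the future only suits the engine-side case; where callbacks are delivered on the user interface thread, as described for the GUI, waiting on that same thread would prevent them from arriving.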

Re: How I can get group name to which the user belongs?

Aug 11 20 10:32 pm

Thanks for the help!

Re: How I can get group name to which the user belongs?

Aug 13 20 1:41 am

Hi!

Thanks for the help!

And one more question.

I use this code to search for all users in a group with a given object GUID:

Code:
info.dwFlags = UDB_SEARCH_USESTRINGVALUE | UDB_SEARCH_USERS | UDB_SEARCH_MEMBERS;
info.strValue = obj->strGUID;
info.dwField = UDB_SEARCH_FIELD_GUID;
info.dwItems = 0;


It works perfectly,

but when I try to search for all users in a group using the given object name, like this:

Code:
info.dwFlags = UDB_SEARCH_USESTRINGVALUE | UDB_SEARCH_USERS | UDB_SEARCH_MEMBERS;
info.strValue = obj->strName;
info.dwField = UDB_SEARCH_FIELD_NAME;
info.dwItems = 0;


I cannot find anything.

How can I find all users in the group using the object name?

Thanks!

Re: How I can get group name to which the user belongs?

Aug 13 20 1:50 pm

Hi

Only the following are supported:

UDB_SEARCH_FIELD_DNAME
UDB_SEARCH_FIELD_SID
UDB_SEARCH_FIELD_GUID
UDB_SEARCH_FIELD_ACCOUNTNAME

You will get a warning log message about "search string empty, invalid search field for members of group".

I think only DName, SID, GUID and accountname can be relied on to obtain a group object. I don't think group name is indexed in the AD, and can also change.

So I suggest, if you are storing configuration about groups and you want membership, to do a search for the group yourself first, and get its UUID (never changes) or SID (changes if group changes domain and in some cases isn't unique) or DNAME.

Or even better, store the UUIDs.

Adrien

Re: How I can get group name to which the user belongs?

Aug 13 20 8:53 pm

Thanks for the help!

Re: How I can get group name to which the user belongs?

Aug 20 20 2:12 pm

You're welcome!