Wednesday, October 31, 2012

Accessing Domino LDAP with C# and DirectorySearcher

In enterprise software, it is a common task to look up information on users from the company, using one known property to return an unknown property; for instance, looking up a user's email from their account name.  The .Net framework makes this a relatively simple task, with the System.DirectoryServices namespace, which provides functionality for dealing with LDAP directories.  This integrates very nicely if the directory server being used is Microsoft's Active Directory.  Some customers use a non-Microsoft or mixed software stack, however, but in that case it is still possible to use the DirectoryServices namespace to access directory information; there are just a few gotchas involved.

Let us take for example the common task of looking up a user's CN from their email address.  Below is a function for doing so using DirectorySearcher going against Active Directory.

Equivalent code for accessing a Domino LDAP directory is below.
You'll notice two differences between the two functions.
  1. When accessing a Domino LDAP server, it is necessary to specify AuthenticationTypes.None as the fourth parameter of the DirectoryEntry constructor. This property defaults to AuthenticationTypes.Secure, which uses NTLM or Kerberos to authenticate the client against the server. Domino LDAP typically does not support these authentication types, so if this flag is omitted, the code would throw an error when binding to the server. (Note: this default changed to the current value with version 2.0 of the .Net framework, which may be a source of confusion if viewing out-of-date documentation or older example code)
  2. (objectClass=dominoPerson) vs (objectClass=user) - Active Directory and Domino LDAP use different schemas to represent user account objects. Certain of the attributes of these schemas are more-or-less standard, such as cn and mail, so both filters could have been written simply "(mail={0})", but it is more efficient to filter the results by objectClass first.
In comparison to the alternative of using the interop.Domino.dll COM library to perform lookups on a Domino LDAP server, this DirectoryServices implementation has the virtues of being very similar to standard Active Directory lookup code, which is well-documented and widely available in tutorials, examples, and stack overflow postings, and also does not have any non-framework dependencies, making deployment a simpler task.