Qlik Community

QlikView Scripting

Discussion Board for collaboration on QlikView Scripting.

Announcements
QlikView Fans! We’d love to hear from you.
Share your QlikView feedback with the product team… Click here to participate in our 5-minute survey.
Rules, plus terms and conditions, can be found here.
Not applicable

VBScript to check for LDAP group membership

I have been working on this problem for days, and I am struggling to find a solution that works.

Basically, I want a function in the following form:

in_group(username, groupname)

That returns 1 if the the username is in the group, and 0 otherwise.  Does anyone have any sources or solutions for this problem?  I am trying to work with the following code:

Function GetMembers(gDN)

    Set objGroup = GetObject("LDAP://" & gDN)

    objGroup.GetInfo

    arrMemberOf = objGroup.GetEx("member")

   

    For Each strMember in arrMemberOf

        Set objMember = GetObject("LDAP://" & strMember)

        ObjDisp = objMember.Name

        oDL = Len(ObjDisp) - 3

        ObjDisp = Right(ObjDisp,oDL)

        ObjCatArray = Split(objMember.objectCategory,",")

        oType = ObjCatArray(0)

        oTL = Len(oType) - 3

        oType = Right(oType,oTL)

        msgbox "Member:" & ObjDisp & Space(20-Len(ObjDIsp)) &" Type:" & oType

        If oType = "Group" Then

            GetMembers(strMember)

        End If

        Set objMember = Nothing

    Next

End Function

Public Function SearchGroup(ByVal vSAN)

    Dim oRootDSE, oConnection, oCommand, oRecordSet

    Set oRootDSE = GetObject("LDAP://rootDSE")

    Set oConnection = CreateObject("ADODB.Connection")

    oConnection.Open "Provider=ADsDSOObject;"

    Set oCommand = CreateObject("ADODB.Command")

    oCommand.ActiveConnection = oConnection

    oCommand.CommandText = "<LDAP://" & oRootDSE.get("defaultNamingContext") & _

        ">;(&(objectCategory=Group)(samAccountName=" & vSAN & "));distinguishedName;subtree"

    Set oRecordSet = oCommand.Execute

    On Error Resume Next

    SearchGroup = oRecordSet.Fields("distinguishedName")

    On Error GoTo 0

    oConnection.Close

    Set oRecordSet = Nothing

    Set oCommand = Nothing

    Set oConnection = Nothing

    Set oRootDSE = Nothing

End Function

and, alternatively:

Function IsMember(ByVal objADObject, ByVal strGroupNTName)

  ' Function to test for group membership.

  ' objADObject is a user or computer object.

  ' strGroupNTName is the NT name (sAMAccountName) of the group to test.

  ' objGroupList is a dictionary object, with global scope.

  ' Returns True if the user or computer is a member of the group.

  ' Subroutine LoadGroups is called once for each different objADObject.

    Dim objRootDSE, strDNSDomain

  ' The first time IsMember is called, setup the dictionary object

  ' and objects required for ADO.

    If (IsEmpty(objGroupList) = True) Then

        Set objGroupList = CreateObject("Scripting.Dictionary")

        objGroupList.CompareMode = vbTextCompare

        Set adoCommand = CreateObject("ADODB.Command")

        Set adoConnection = CreateObject("ADODB.Connection")

        adoConnection.Provider = "ADsDSOObject"

        adoConnection.Open "Active Directory Provider"

        adoCommand.ActiveConnection = adoConnection

        Set objRootDSE = GetObject("LDAP://RootDSE")

        strDNSDomain = objRootDSE.Get("defaultNamingContext")

        adoCommand.Properties("Page Size") = 100

        adoCommand.Properties("Timeout") = 30

        adoCommand.Properties("Cache Results") = False

        ' Search entire domain.

        strBase = "<LDAP://" & strDNSDomain & ">"

        ' Retrieve NT name of each group.

        strAttributes = "sAMAccountName"

        ' Load group memberships for this user or computer into dictionary

        ' object.

        Call LoadGroups(objADObject)

        Set objRootDSE = Nothing

    End If

    If (objGroupList.Exists(objADObject.sAMAccountName & "\") = False) Then

        ' Dictionary object established, but group memberships for this

        ' user or computer must be added.

        Call LoadGroups(objADObject)

    End If

    ' Return True if this user or computer is a member of the group.

    IsMember = objGroupList.Exists(objADObject.sAMAccountName & "\" & strGroupNTName)

End Function

Thoughts?  Bonus points if the solution uses "Safe Mode" instead of "System Access."  Thanks for your help.

1 Solution

Accepted Solutions
nstefaniuk
Contributor III

Re: VBScript to check for LDAP group membership

Example.

Test user : ADMIN / ADMIN

USER1 / USER1

USER2 / USER2

10 Replies
nstefaniuk
Contributor III

Re: VBScript to check for LDAP group membership

Why do you need to create a function ? Why don't you retrieve content of all groups then manage it in your script?

Alternatively, can you create OLEDB connections with OLEDB Provider for Microsoft Directory Services ?

Not applicable

Re: VBScript to check for LDAP group membership

I use this function to control the display of tabs by setting variables based on AD group membership.

I am not sure if I can created OLEDB connections.

nstefaniuk
Contributor III

Re: VBScript to check for LDAP group membership

Hu?

You mean that, in the dashboard, you want to test if user belongs to AD group, and if yes, you fill a variable and do an action?

If yes, I suggest you to do this test in script, then use Section Access.

Not applicable

Re: VBScript to check for LDAP group membership

Thank you.  How would you suggest that I do this in the script?  I use section access to assign the variable?

nstefaniuk
Contributor III

Re: VBScript to check for LDAP group membership

In script you load all values Group - AD Account. Then you calculate in script if an AD account matches with your condition and store content in table USER_SECURITY.

Then you create a section access and link the security table to USER_SECURITY on upper(AD account) ( upper(AD account) is the value used to join). From now it means that, when user opens the application, he will have only 1 line in table USER_SECURITY, the line of his own account.

And you can add security in the tab to control that only(SECURITY_FLAG) = 1

nstefaniuk
Contributor III

Re: VBScript to check for LDAP group membership

Example.

Test user : ADMIN / ADMIN

USER1 / USER1

USER2 / USER2

Not applicable

Re: VBScript to check for LDAP group membership

Does this mean I will need to maintain a list of users manually?  I have a working solution in VBScript right now that has explicit lists of users, but I was hoping to use AD groups as a way of avoiding that.  Although, if I could have this list maintained in an external text file and loaded somehow, that would work.  I recently learned about including external text files as scripts.  We will likely need Section Access in the future anyway.  Thank you for helping me realize this.

nstefaniuk
Contributor III

Re: VBScript to check for LDAP group membership

No no, you can do Section Access with AD groups, that was just a portable example.

MVP
MVP

Re: VBScript to check for LDAP group membership

There should be some samples on how to access LDAP and retrieve group information here in the forum, have you checked e.g. this?

http://community.qlik.com/thread/8342

Community Browser