Is there a C# library that behaves like Active Directory's Permissions and Groups?

Question

I like the way permissions and groups work in Active Directory, but I don't want to actually tie my application in with AD.

Is there an existing library out there that contains the same sort of functionality that AD has? In particular, the ability to create groups, assign users to groups, add permissions to groups, and view a user or group's applied permissions?

Answer 1

The ActiveDirectoryMembershipProvider class inherits MembershipProvider.

That means that you don't have to tie your application to AD per se, but to the MembershipProvider model. This model is used throughout .net and works well with built in controls and classes.

Here is a sample

//Any of these will work
ActiveDirectoryMembershipProvider provider = new ActiveDirectoryMembershipProvider();
//SqlMembershipProvider provider = new SqlMembershipProvider();
//MyCustomMemebershipProvider provider = new MyCustomMemebershipProvider();

MembershipProvider membershipProvider = provider;

if (membershipProvider.ValidateUser("username", "password"))
{
    MembershipUser user = membershipProvider.GetUser("username", true);
}
else
{
    //Do something
}

I am no expert on this model, but have had some experience sub classing MembershipProvider and implementing IPrincipal, IIdentity etc. Doing this is really flexible and maintains a consistent architecture

Answer 2

You can use Authorization Manager (AzMan) for this, its part of Windows Server. To integrate with it from .NET, Enterprize Library 5 has class library types for it you can use.

Answer 3

One library that I have read about is Rhino Security. It seems to handle authentication as well as authorization for business operations, and is probably worth a look. I have not actually implemented it though, so I do not know how well it works.

Answer 4

Two things.

First :

If you want to interact with a Directory you have to program on the top of LDAP APIs. As far as I undestand ADSI is working on the top of LDAP, but it does not seem to be so independant of Active Directory. I know that Novell who initiate the mono project edit a more independant C# library on the top of LDAP.

Second :

Permissions, I mean Access Control List (ACLs) are a non standard feature. The way permissions are implemented in Active directory, is different from the way they are implemented in Sun e-Directory (special attributes). For example in OpenLDAP permissions are implented in a kind of access filter.

I may (hope to) be wrong, but I never heard about a library that federate permission in Directories.

Answer 5

May be you can use Microsoft-s AzMan-Authorization Manager as a wrapper for Active directory.

It contains an API to program against to ask for permissions

and a gui (azman.msc) where you can define roles and map rights and store them in an xml-file.

It can be configured against Active Directory.

Answer 6

If AD is too heavy for you, you can use ADAM which is a light AD, that you can configure with ADSI Edit provided with the latter. Here is a good doc provided, and configuration question on SO.

Moreover you can browse ADAM with the same kind of .NET APIs (System.DirectoryServices.AccountManagement for instance).

Answer 7

You can setup a free LDAP server, e.g. OpenLDAP, and use DirectoryServices to access it, and any number of tools to administrate the LDAP directory. Some configuration required!

The advantage to using a standard directory service is in the plethora of administration tools and the ability to support any number of applications. The disadvantages is in learning to administrate and query the directory. Is there any particular reason you don't want to use AD? If you're working on Windows, I'd strongly recommend it over most objections.