How to determine whether an Active Directory user is admin or not via code in swift ?
Currently i am doing it this way which doesnot look correct. Please suggest a better approach.
let node = try ODNode(session: session, type: ODNodeType(kODNodeTypeAuthentication))
let query = try ODQuery(
node: node,
forRecordTypes: kODRecordTypeUsers,
attribute: nil,
matchType: ODMatchType(kODMatchAny),
queryValues: nil,
returnAttributes: [
kODAttributeTypeRecordName,
kODAttributeTypeEMailAddress
],
maximumResults: 0
)
let records = try query.resultsAllowingPartial(false) as! [ODRecord]
for record in records
{
let currRecordName = record.recordName
if(currRecordName == username)
{
// 'dsAttrTypeStandard:AppleMetaNodeLocation': '/Local/Default' for Local user
// 'dsAttrTypeStandard:AppleMetaNodeLocation': '/Active Directory/ABCD/abcd.in' for Domain user
let localOrDomainUser = try? record.values(forAttribute: "dsAttrTypeStandard:AppleMetaNodeLocation");
let localOrDomainUserString = localOrDomainUser?[0] as! String
if(localOrDomainUserString == "/Local/Default")
{
continue // Skip local user.. this is the case when we have both local and domain user with same name, but user has created a local user in the name "domainname\username"
}
let groupsAny = try? record.values(forAttribute: "memberOf");
let groups = groupsAny as? [String];
for currGroup in groups ?? []
{
/*
--- CN=Group Policy Creator Owners,CN=Users,DC=abcd,DC=ad,DC=def,DC=com
--- CN=Domain Admins,CN=Users,DC=abcd,DC=ad,DC=def,DC=com
--- CN=Enterprise Admins,CN=Users,DC=abcd,DC=ad,DC=def,DC=com
--- CN=Schema Admins,CN=Users,DC=abcd,DC=ad,DC=def,DC=com
--- CN=Administrators,CN=Builtin,DC=abcd,DC=ad,DC=def,DC=com
*/
var dnNames = currGroup.components(separatedBy: ",") // CN=Domain Admins
if(dnNames.count > 0)
{
var groupNames = dnNames[0].components(separatedBy: "=") // Domain Admins
let group = groupNames[1]
if(group == "Domain Admins" || group == "Enterprise Admins"
|| group == "Schema Admins" || group == "DnsAdmins" || group == "Administrators")
{
return true
}
}
}
break
}
}
I fail to fully understand this code.
Why attempt to retrieve records for ALL users? (kODMatchAny for kODRecordTypeUsers without limitations?) This WILL fail in large environments (most corporates) after few thousands of users.Why do this on the first place, if you want to "see whether a specific AD user is admin" ??This code only receives records from the LOCAL search-scope, not AD at all. Have you tested?Why the textual manipulation of group results? use OD objects..