I'm maintaining a C++ application. We have to add a call to LDAP/AD for authorization. But I'm not an expert on LDAP/AD (or COM calls), and there seem to be a lot of different ways to access LDAP/AD. I would be very grateful for some advice!
What I want to do is to "check if the current user is a member of a certain Active Directory group". (The user will then get special privileges in our application.) We have the group name - and we have a "fully distinguished name", looking like this: "CN=TheGroupName,OU=Groups,OU=_GlobalResources,OU=OrgCode,DC=domainpart1,DC=domainpart2,DC=net"
My plan was to do it like this (see "Find current users active directory group C++"): read user information with GetCurrentProcessId + OpenProcess + OpenProcessToken + GetTokenInformation (with TokenGroups), iterate through the groups and do a LookupAccountSid for each group SID until I found the group. But the LookupAccountSid call was slow - it took way too long.
There was an easy solution in C# ("Check whether current user is a member of an active directory group"). But how do I do this efficiently in C++?
Should I ...
(a) ... perform a direct query to the LDAP? Is there a way to make a "is the current user a member of this group?"-call? (Using the distinguished name in the call.)
-or-
(b) ... convert the distinguished name to a SID, get user information with GetTokenInformation/TokenGroups, and then see if the SID for the group matches any of the SIDs in the returned member-of-groups-array? Getting the SID array for the user's groups is easy, but how do I (quickly) convert the distinguished name for the group to a SID?
-or-
(c) ... use some completely different approach? :-)
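One way to do option (b) in C++, added here as an example and not code from the question or any answer: resolve the group's DN to its SID by reading the objectSid attribute through ADSI (ADsGetObject/IADs), then hand that SID to CheckTokenMembership instead of looping over TokenGroups with LookupAccountSid. The SidToString helper (portable, handy for logging the SID you resolved) and the sample SID bytes are my own constructions; IsCurrentUserMemberOfGroupDn is Windows-only and assumes the caller has already called CoInitializeEx.

```cpp
#include <cstdint>
#include <string>
#include <vector>
// Decode a binary SID (the raw bytes of AD's objectSid attribute) to "S-1-5-21-..." form.
// Layout: revision(1) | subAuthorityCount(1) | identifierAuthority(6, big-endian) | subAuthorities(count x 4, little-endian).
std::string SidToString(const std::vector<uint8_t>& sid) {
    if (sid.size() < 8 || sid[0] != 1 || sid[1] > 15 || sid.size() != 8 + 4u * sid[1])
        return "";                                 // malformed blob: reject rather than guess
    uint64_t authority = 0;
    for (int i = 2; i < 8; ++i) authority = (authority << 8) | sid[i];
    std::string out = "S-1-" + std::to_string(authority);
    for (int i = 0; i < sid[1]; ++i) {
        const uint8_t* p = &sid[8 + 4 * i];
        uint32_t sub = uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
        out += "-" + std::to_string(sub);
    }
    return out;
}

#ifdef _WIN32
#include <windows.h>
#include <activeds.h>                  // ADSI; link with activeds.lib and adsiid.lib
// Fetch the group's objectSid over LDAP (secure bind as the current user) and ask the current
// token whether that SID is an enabled group in it. Returns 1 = member, 0 = not a member, -1 = lookup failed.
int IsCurrentUserMemberOfGroupDn(const std::wstring& groupDn) {
    IADs* group = nullptr;
    std::wstring path = L"LDAP://" + groupDn;     // e.g. LDAP://CN=TheGroupName,OU=Groups,...
    if (FAILED(ADsGetObject(path.c_str(), IID_IADs, reinterpret_cast<void**>(&group))))
        return -1;
    VARIANT v; VariantInit(&v);
    BSTR attr = SysAllocString(L"objectSid");
    HRESULT hr = group->Get(attr, &v);
    SysFreeString(attr);
    group->Release();
    int result = -1;
    if (SUCCEEDED(hr) && v.vt == (VT_ARRAY | VT_UI1)) {
        void* sid = nullptr;                       // objectSid bytes are already a SID structure
        if (SUCCEEDED(SafeArrayAccessData(v.parray, &sid))) {
            BOOL member = FALSE;
            if (IsValidSid(sid) && CheckTokenMembership(nullptr, sid, &member))
                result = member ? 1 : 0;
            SafeArrayUnaccessData(v.parray);
        }
    }
    VariantClear(&v);
    return result;
}
#endif
```

CheckTokenMembership only reports groups that are enabled in the token, so a deny-only group counts as "not a member", which is the behaviour you want for an authorization check.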