Pin NTFS AD operations to domain controller

2026-05-19 19:12:33 +02:00
parent ea0517d1dc
commit 0cad46ddef
6 changed files with 119 additions and 13 deletions
--- a/LiamNtfs/C4IT_IAM_SET/SecurityGroup.cs
+++ b/LiamNtfs/C4IT_IAM_SET/SecurityGroup.cs
@@ -21,6 +21,7 @@ namespace C4IT_IAM_Engine
    public class SecurityGroups
    {
        public string domainName;
+        public string effectiveDomainController;
        public string username;
        public SecureString password;
        public bool ForceStrictAdGroupNames;
@@ -32,6 +33,11 @@ namespace C4IT_IAM_Engine
        {
            IAM_SecurityGroups = new List<IAM_SecurityGroup>();
        }
+
+        private string GetLdapServer()
+        {
+            return string.IsNullOrWhiteSpace(effectiveDomainController) ? domainName : effectiveDomainController;
+        }
        public bool GroupsAllreadyExisting(string ouPath)
        {
            LogMethodBegin(MethodBase.GetCurrentMethod());
@@ -47,7 +53,7 @@ namespace C4IT_IAM_Engine
                        {
                            DirectoryEntry entry = new DirectoryEntry
                            {
-                                Path = "LDAP://" + domainName,
+                                Path = "LDAP://" + GetLdapServer(),
                                Username = username,
                                Password = new NetworkCredential("", password).Password,
                                AuthenticationType = AuthenticationTypes.Secure | AuthenticationTypes.Sealing
@@ -86,7 +92,7 @@ namespace C4IT_IAM_Engine
                {
                    DirectoryEntry entry = new DirectoryEntry
                    {
-                        Path = "LDAP://" + domainName,
+                        Path = "LDAP://" + GetLdapServer(),
                        Username = username,
                        Password = new NetworkCredential("", password).Password,
                        AuthenticationType = AuthenticationTypes.Secure | AuthenticationTypes.Sealing
@@ -431,7 +437,7 @@ namespace C4IT_IAM_Engine
        {
            DirectoryEntry entry = new DirectoryEntry
            {
-                Path = "LDAP://" + domainName,
+                Path = "LDAP://" + GetLdapServer(),
                Username = username,
                Password = new NetworkCredential("", password).Password,
                AuthenticationType = AuthenticationTypes.Secure | AuthenticationTypes.Sealing
@@ -473,7 +479,7 @@ namespace C4IT_IAM_Engine
                return null;
            }

-            var basePath = "LDAP://" + domainName;
+            var basePath = "LDAP://" + GetLdapServer();
            if (!string.IsNullOrWhiteSpace(ouPath))
                basePath += "/" + ouPath;

@@ -528,7 +534,7 @@ namespace C4IT_IAM_Engine
                return null;

            DefaultLogger.LogEntry(LogLevels.Debug, $"Reusing existing AD group '{matchedName}' via wildcard '{wildcardPattern}'.");
-            return new DirectoryEntry("LDAP://" + domainName + "/" + matchedDistinguishedName, username, new NetworkCredential("", password).Password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
+            return new DirectoryEntry("LDAP://" + GetLdapServer() + "/" + matchedDistinguishedName, username, new NetworkCredential("", password).Password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
        }

        private DirectoryEntry FindGroupEntryFromFolderAcl(string folderPath, string wildcardPattern)
@@ -555,7 +561,7 @@ namespace C4IT_IAM_Engine
                    .Cast<FileSystemAccessRule>();
                var matchedNames = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

-                using (var domainContext = new PrincipalContext(ContextType.Domain, domainName, username, new NetworkCredential("", password).Password))
+                using (var domainContext = new PrincipalContext(ContextType.Domain, GetLdapServer(), username, new NetworkCredential("", password).Password))
                {
                    foreach (var rule in rules)
                    {
@@ -735,7 +741,7 @@ namespace C4IT_IAM_Engine
                if (!GroupAllreadyExisting(groupName))
                {

-                    DirectoryEntry entry = new DirectoryEntry("LDAP://" + domainName + "/" + ouPath, username, new NetworkCredential("", password).Password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
+                    DirectoryEntry entry = new DirectoryEntry("LDAP://" + GetLdapServer() + "/" + ouPath, username, new NetworkCredential("", password).Password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
                    DefaultLogger.LogEntry(LogLevels.Debug, $"Creating ad entry with CN / sAmAccountName: {groupName}");
                    DirectoryEntry group = entry.Children.Add("CN=" + groupName, "group");
                    group.Properties["sAmAccountName"].Value = groupName;
@@ -763,7 +769,7 @@ namespace C4IT_IAM_Engine
                        }

                    group.CommitChanges();
-                    DirectoryEntry ent = new DirectoryEntry("LDAP://" + domainName + "/" + "CN=" + groupName + "," + ouPath, username, new NetworkCredential("", password).Password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing);
+                    DirectoryEntry ent = new DirectoryEntry("LDAP://" + GetLdapServer() + "/" + "CN=" + groupName + "," + ouPath, username, new NetworkCredential("", password).Password, AuthenticationTypes.Secure | AuthenticationTypes.Sealing);

                    var objectid = SecurityGroups.getSID(ent);
                    DefaultLogger.LogEntry(LogLevels.Debug, $"Security group created in ad: {secGroup.technicalName}");