v1.1.0 - Fix DN comparison: look up assigned user DN in AD, compare DN-to-DN
This commit is contained in:
@@ -69,35 +69,59 @@ namespace Disco.Plugins.ADCompare.Features
|
|||||||
result.FoundInAD = true;
|
result.FoundInAD = true;
|
||||||
result.ADAccountDisabled = adAccount.IsDisabled;
|
result.ADAccountDisabled = adAccount.IsDisabled;
|
||||||
|
|
||||||
|
// Get the managedBy DN from the computer object
|
||||||
var managedByDN = adAccount.GetPropertyValue<string>("managedBy");
|
var managedByDN = adAccount.GetPropertyValue<string>("managedBy");
|
||||||
result.ADManagedByDN = managedByDN;
|
result.ADManagedByDN = managedByDN;
|
||||||
result.HasManagedBy = !string.IsNullOrEmpty(managedByDN);
|
result.HasManagedBy = !string.IsNullOrEmpty(managedByDN);
|
||||||
|
|
||||||
|
// Extract display name from the CN portion of the DN for display
|
||||||
if (result.HasManagedBy)
|
if (result.HasManagedBy)
|
||||||
|
{
|
||||||
|
result.ADManagedByDisplayName = ExtractCNFromDN(managedByDN);
|
||||||
|
}
|
||||||
|
|
||||||
|
// To compare correctly, look up the Disco assigned user in AD
|
||||||
|
// and compare their DN against the managedBy DN
|
||||||
|
string assignedUserDN = null;
|
||||||
|
if (result.HasAssignment)
|
||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
var managedByUser = ActiveDirectory.RetrieveADUserAccount(managedByDN);
|
var assignedUserAD = ActiveDirectory.RetrieveADUserAccount(device.AssignedUserId);
|
||||||
if (managedByUser != null)
|
if (assignedUserAD != null)
|
||||||
{
|
{
|
||||||
result.ADManagedByUserId = managedByUser.Id;
|
assignedUserDN = assignedUserAD.DistinguishedName;
|
||||||
result.ADManagedByDisplayName = managedByUser.DisplayName;
|
result.ADManagedByUserId = device.AssignedUserId; // For display
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
result.ADManagedByUserId = managedByDN;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
catch
|
catch
|
||||||
{
|
{
|
||||||
result.ADManagedByUserId = managedByDN;
|
// Can't look up assigned user in AD
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
result.IsMatch = DetermineMatch(result);
|
// Now compare: both have values -> compare DNs
|
||||||
|
if (!result.HasAssignment && !result.HasManagedBy)
|
||||||
|
{
|
||||||
|
result.IsMatch = true;
|
||||||
|
}
|
||||||
|
else if (result.HasAssignment && result.HasManagedBy && assignedUserDN != null)
|
||||||
|
{
|
||||||
|
// Compare DN-to-DN (case insensitive)
|
||||||
|
result.IsMatch = string.Equals(assignedUserDN, managedByDN, StringComparison.OrdinalIgnoreCase);
|
||||||
|
if (result.IsMatch)
|
||||||
|
{
|
||||||
|
result.ADManagedByUserId = device.AssignedUserId;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
result.IsMatch = false;
|
||||||
|
}
|
||||||
|
|
||||||
if (!result.IsMatch)
|
if (!result.IsMatch)
|
||||||
{
|
{
|
||||||
result.MismatchReason = DetermineMismatchReason(result);
|
result.MismatchReason = DetermineMismatchReason(result, assignedUserDN);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
catch (Exception ex)
|
catch (Exception ex)
|
||||||
@@ -109,21 +133,7 @@ namespace Disco.Plugins.ADCompare.Features
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
private bool DetermineMatch(DeviceComparisonResult result)
|
private string DetermineMismatchReason(DeviceComparisonResult result, string assignedUserDN)
|
||||||
{
|
|
||||||
if (!result.HasAssignment && !result.HasManagedBy)
|
|
||||||
return true;
|
|
||||||
|
|
||||||
if (result.HasAssignment != result.HasManagedBy)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
return string.Equals(
|
|
||||||
result.DiscoAssignedUserId,
|
|
||||||
result.ADManagedByUserId,
|
|
||||||
StringComparison.OrdinalIgnoreCase);
|
|
||||||
}
|
|
||||||
|
|
||||||
private string DetermineMismatchReason(DeviceComparisonResult result)
|
|
||||||
{
|
{
|
||||||
if (!result.FoundInAD)
|
if (!result.FoundInAD)
|
||||||
return "Computer not found in AD";
|
return "Computer not found in AD";
|
||||||
@@ -132,12 +142,39 @@ namespace Disco.Plugins.ADCompare.Features
|
|||||||
return "Assigned in Disco but AD managedBy is empty";
|
return "Assigned in Disco but AD managedBy is empty";
|
||||||
|
|
||||||
if (!result.HasAssignment && result.HasManagedBy)
|
if (!result.HasAssignment && result.HasManagedBy)
|
||||||
return "Not assigned in Disco but AD managedBy is set";
|
return string.Format("Not assigned in Disco but AD managedBy is set to {0}",
|
||||||
|
ExtractCNFromDN(result.ADManagedByDN));
|
||||||
|
|
||||||
if (result.HasAssignment && result.HasManagedBy)
|
if (result.HasAssignment && result.HasManagedBy)
|
||||||
return string.Format("Different users: Disco={0}, AD managedBy={1}", result.DiscoAssignedUserId, result.ADManagedByUserId);
|
{
|
||||||
|
var managedByName = ExtractCNFromDN(result.ADManagedByDN);
|
||||||
|
return string.Format("Different users: Disco={0} ({1}), AD managedBy={2}",
|
||||||
|
result.DiscoAssignedUserId,
|
||||||
|
result.DiscoAssignedUserDisplayName ?? "?",
|
||||||
|
managedByName);
|
||||||
|
}
|
||||||
|
|
||||||
return "Unknown mismatch";
|
return "Unknown mismatch";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Extract the CN value from a Distinguished Name.
|
||||||
|
/// e.g. "CN=Sue Lesnjak,OU=Teachers,..." -> "Sue Lesnjak"
|
||||||
|
/// </summary>
|
||||||
|
private string ExtractCNFromDN(string dn)
|
||||||
|
{
|
||||||
|
if (string.IsNullOrEmpty(dn))
|
||||||
|
return null;
|
||||||
|
|
||||||
|
if (dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
|
||||||
|
{
|
||||||
|
var commaIndex = dn.IndexOf(',');
|
||||||
|
if (commaIndex > 3)
|
||||||
|
return dn.Substring(3, commaIndex - 3);
|
||||||
|
return dn.Substring(3);
|
||||||
|
}
|
||||||
|
|
||||||
|
return dn;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user