Storing Photos in Active Directory - jpegPhoto attribute - User class

  • netcoder77

    Storing Photos in Active Directory - jpegPhoto attribute - User class

    Has anyone tried this in VB .NET or via VBScript? Can it be done? How
    do we handle retrieving a binary data format (the photo) using ADSI or
    VB .NET? All my searching on the net yielded no useful results except
    for a half completed Perl script which claimed to be able to upload and
    download photos stored in AD as part of the User account.
  • Joe Kaplan (MVP - ADSI)

    #2
    Re: Storing Photos in Active Directory - jpegPhoto attribute - User class

    It is pretty easy to do in .NET. Not as easy in VBScript.

    Essentially, you just read the data you want into a byte array (from a
    filestream or something). Then, bind to the object with the DirectoryEntry
    class and call the Add method on the PropertyValueCollection for that
    attribute with the byte array. Then call CommitChanges. Download would be
    basically just the opposite.

    I believe Matjaz Ladava posted a sample showing how to do this in .NET in
    one of the MS newsgroups that you could find with a Google search pretty
    easily.

    Joe K.


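The upload and download steps described in reply #2, as an added VB .NET example that is not part of the original thread. The LDAP path, the file names and the 100 KB cap are assumptions; the cap is there because the thread notes the attribute has no maximum size set, and the code needs a domain-joined machine and write access to the attribute.

```vbnet
Imports System.IO
Imports System.DirectoryServices

Module PhotoStore
    ' Assumed policy value; the directory does not enforce a size limit for us.
    Const MaxPhotoBytes As Integer = 100 * 1024

    ' Reject anything that is not a reasonably small JPEG before it reaches the DC.
    Function LoadPhoto(path As String) As Byte()
        Dim info As New FileInfo(path)
        If info.Length > MaxPhotoBytes Then
            Throw New InvalidDataException($"{path}: {info.Length} bytes exceeds the cap")
        End If
        Dim data As Byte() = File.ReadAllBytes(path)
        ' JPEG data starts with the SOI marker FF D8, followed by another FF.
        If data.Length < 3 OrElse data(0) <> &HFF OrElse data(1) <> &HD8 OrElse data(2) <> &HFF Then
            Throw New InvalidDataException($"{path}: not a JPEG file")
        End If
        Return data
    End Function

    Sub Upload(userPath As String, photoPath As String)
        Dim photo As Byte() = LoadPhoto(photoPath)
        Using entry As New DirectoryEntry(userPath)
            ' Setting Value replaces whatever is stored; Add would append instead.
            entry.Properties("jpegPhoto").Value = photo
            entry.CommitChanges()
        End Using
    End Sub

    Sub Download(userPath As String, outPath As String)
        Using entry As New DirectoryEntry(userPath)
            ' Value is a Byte() only when exactly one photo is stored.
            Dim stored = TryCast(entry.Properties("jpegPhoto").Value, Byte())
            If stored Is Nothing Then
                Throw New InvalidOperationException("no single jpegPhoto value on this object")
            End If
            File.WriteAllBytes(outPath, stored)
        End Using
    End Sub

    Sub Main()
        ' Placeholder distinguished name and file names.
        Dim user = "LDAP://CN=Example User,OU=Staff,DC=example,DC=com"
        Upload(user, "photo.jpg")
        Download(user, "photo-roundtrip.jpg")
    End Sub
End Module
```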

    • Net Coder

      #3
      Re: Storing Photos in Active Directory - jpegPhoto attribute - User class

      Joe Kaplan (MVP - ADSI) wrote:
      > It is pretty easy to do in .NET. Not as easy in VBScript.
      >
      > Essentially, you just read the data you want into a byte array (from a
      > filestream or something). Then, bind to the object with the DirectoryEntry
      > class and call the Add method on the PropertyValueCollection for that
      > attribute with the byte array. Then call CommitChanges. Download would be
      > basically just the opposite.
      Sounds straightforward enough, don't know why I thought it was more
      complicated than it sounds. I'll have to try it out.

      > I believe Matjaz Ladava posted a sample showing how to do this in .NET in
      > one of the MS newsgroups that you could find with a Google search pretty
      > easily.
      Thanks for that information. I'll now search for the author's name.
      Thanks for your suggestions.

      On a different note, does anyone know if there would be any problems
      with storing a large number of jpeg images in the user object as part of
      AD? How is replication affected? And caveats?

      • Joe Kaplan (MVP - ADSI)

        #4
        Re: Storing Photos in Active Directory - jpegPhoto attribute - User class

        On the activedir.org mailing list, there was a discussion about this a few
        months ago. Depending on the size of the objects, this may or may not be a
        problem with replication. That tends to be very sensitive to your actual
        deployment and how often they change (probably not very often I assume).
        You might want to add them to the directory slowly if you are worried and
        try to keep the sizes down.

        However, one thing to consider is that by default, users have rights to
        modify this property directly with their own account AND the attribute has
        no max size. As such, it could be used maliciously by some users as a DoS
        attack on your DC if they decided to upload their swap file or something
        similarly large. You might want to think carefully about allowing users
        rights to modify this attribute directly.

        Joe K.


        • Net Coder

          #5
          Re: Storing Photos in Active Directory - jpegPhoto attribute - User class

          Joe Kaplan (MVP - ADSI) wrote:
          > On the activedir.org mailing list, there was a discussion about this a few
          > months ago. Depending on the size of the objects, this may or may not be a
          > problem with replication. That tends to be very sensitive to your actual
          > deployment and how often they change (probably not very often I assume).
          > You might want to add them to the directory slowly if you are worried and
          > try to keep the sizes down.
          > However, one thing to consider is that by default, users have rights to
          > modify this property directly with their own account AND the attribute has
          > no max size. As such, it could be used maliciously by some users as a DoS
          > attack on your DC if they decided to upload their swap file or something
          > similarly large. You might want to think carefully about allowing users
          > rights to modify this attribute directly.

          Hmm. The object does not have maximum or minimum size set but the ACL
          on a W2K3 AD server in native mode doesn't seem to allow SELF write to
          the jpegPhoto attribute/property, or am I missing something?


          • Joe Kaplan (MVP - ADSI)

            #6
            Re: Storing Photos in Active Directory - jpegPhoto attribute - User class

            Sorry, I misled you a little bit. The attribute I was thinking of is the
            thumbnailPhoto attribute which is a Win2K attribute with the same syntax and
            size limitations. It is in the Personal-Information control access right,
            so users do generally have rights to write to it. jpegPhoto is new for 2K3
            and is not in the Personal-Information CAR. I'm still not that used to 2K3
            schema.

            So, the warning still applies to thumbnailPhoto in terms of security/DoS,
            but not to jpegPhoto.

            Joe K.

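One way to check a domain for the oversized thumbnailPhoto values the thread warns about, as an added VB .NET example that is not part of the original posts. The 100 KB threshold is an assumed policy value, and the search runs against the current domain with the caller's credentials.

```vbnet
Imports System
Imports System.DirectoryServices

Module PhotoAudit
    ' Assumed review threshold; anything larger is reported for follow-up.
    Const ThresholdBytes As Integer = 100 * 1024

    Sub Main()
        ' Only user objects that actually carry a thumbnailPhoto value.
        Dim filter = "(&(objectCategory=person)(objectClass=user)(thumbnailPhoto=*))"

        ' With no SearchRoot given, the searcher uses the current domain.
        Using searcher As New DirectorySearcher(filter)
            searcher.PropertiesToLoad.Add("distinguishedName")
            searcher.PropertiesToLoad.Add("thumbnailPhoto")
            ' Paging is required to get past the server's default result limit.
            searcher.PageSize = 500

            Dim flagged As Integer = 0
            Using results As SearchResultCollection = searcher.FindAll()
                For Each r As SearchResult In results
                    Dim photo = TryCast(r.Properties("thumbnailPhoto")(0), Byte())
                    If photo IsNot Nothing AndAlso photo.Length > ThresholdBytes Then
                        Dim dn = r.Properties("distinguishedName")(0)
                        Console.WriteLine($"{dn}{vbTab}{photo.Length} bytes")
                        flagged += 1
                    End If
                Next
            End Using
            Console.WriteLine($"{flagged} object(s) over {ThresholdBytes} bytes")
        End Using
    End Sub
End Module
```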