我想使用任何目录服务在 Windows 操作系统上验证我的应用程序的用户名和密码。 例如,它可以是 Microsoft Active Directory、Novell eDirecotry 或 SunOne。 我已经知道如何使用 c# 为 Microsoft Active Direcotry 本地执行此代码。 (我完全放弃使用 ADSI 并创建低级 com 组件)
我尝试使用 Novel eDirecotory 进行身份验证的方式是我已经安装了 Mono 项目。 在 mono 项目中,他们为您提供 Novell.Directory.ldap.dll 代码看起来与 Microsoft Active Directory 有点相同。(http://www.novell.com/coolsolutions/feature/11204.html)
对于 SunOne,我被告知使用与活动目录相同的代码,但 ldap 连接字符串有点不同。(http://forums.asp.net/t/354314.aspx)
(http://technet.microsoft.com/en-us/library/cc720649。 aspx)
为了使我的项目复杂化,大多数客户使用“服务帐户:”这意味着我需要绑定管理用户名和密码,然后才能验证常规用户名和密码。 我的问题分为两部分。
1)根据我上面的解释,这是我应该针对每个单独的目录服务进行身份验证的正确方向吗?
2)我觉得我根本不需要做任何这些代码。 我还觉得使用服务帐户的规定根本不重要。 如果我只关心在 Windows 计算机上验证用户名和密码,为什么我还需要使用 ldap? 我想说的是,考虑一下。 当您早上登录计算机时,您不必提供服务帐户即可登录。 我可以使用 runas 功能在 DOS 提示符下轻松验证用户名和密码,无论是否被拒绝,我都可以解析文本文件。 我确信还有其他方法可以将用户名和密码传递到我所在的 Windows 操作系统,并且会告诉我用户名和密码对于其所在的域是否有效。 我对吗? 如果是这样,你们有什么建议的方法?
迈克尔·伊万奇克
www.MikeEvanchik.com
I would like to authenticate username and passwords for my application on a windows operating system with any directory service. For example it could be microsoft active directory, Novell eDirecotry, or SunOne. I already know how to do this code natively for Microsoft Active Direcotry with c#. ( I totally gave up using ADSI and creating a low level com component)
The way im attempting to authenticate with Novel eDirecotory is i have installed the Mono project. Inside the mono project they provide you with Novell.Directory.ldap.dll The code looks somewhat the same as for Microsoft Active Directory.(http://www.novell.com/coolsolutions/feature/11204.html)
For SunOne, i have been told to use the same code as active direcotry, but the ldap connecton string is a little different.(http://forums.asp.net/t/354314.aspx)
(http://technet.microsoft.com/en-us/library/cc720649.aspx)
To complicate my project, most customers use a "Service account:" which means i need to bind with an administrative username and password before i can authenticate a regular username and password. My questions is in 2 parts.
1) From what I have explained above, is this the correct direction I should be going to authenticate against each individual direcotory service?
2) I feel that i dont not need to do any of this code at all. I also feel the stipulation of using a service account is not imporant at all. If all I care about is authenticating a username and password on a windows machine why do i even need to use ldap? I mean think about it. When you login to your machine in the morning, you do not have to provide a service account just to login. I can easily authenticate a username and password at a DOS prompt by using the runas feature and i will be denied or not and could parse the text file. Im sure there are other ways i could pass a username and password to the windows operating system that i am on and will tell me if a username and password is valid for the domain that it is on. Am i right? If so what suggested ways do you guys have?
Michael Evanchik
www.MikeEvanchik.com
发布评论
评论(3)
我不确定我完全理解这个问题,但在某些情况下,我发现只需搜索用户的帐户并使用其凭据作为用户名和密码即可轻松对用户进行身份验证。
查询成功意味着提供的所有内容都是正确的,找不到帐户意味着出现问题。
可能不是“最佳实践”,但可能会解决您遇到的问题......
I'm not sure I entirely understand the question, but in some situations I've found it easy to authenticate a user by simply doing a search for their account and using their credentials as the username and password.
A successful query means everything provided was correct, not finding the account means something was wrong.
Probably not "best practice", but might get around your issue you are having...
所有这些都可以通过 System.DirectoryServices.Protocols 来完成。 如果您创建到目录的 LdapConnection,则可以使用服务帐户进行绑定,然后进行后续绑定以验证凭据。
服务帐号一般用于限制对服务器认证机制的访问。 这样,街上的任何人都无法尝试使用您的 LDAP 服务器进行身份验证。
另外,您是否希望每个用户在登录时提供其专有名称? 对于 Active Directory,仅需要 sAMAccountName,而 eDirectory 和 SunONE 等其他提供程序则需要可分辨名称进行身份验证。
要执行这种类型的身份验证,您需要使用提供的服务帐户来对服务器进行身份验证,使用给定的用户名搜索用户,并获取该用户的专有名称。 然后,您可以使用该专有名称和提供的密码进行身份验证。
这适用于所有 LDAP 系统,但 Active Directory 除外,它只需要 sAMAccountName。
All this can be done with System.DirectoryServices.Protocols. If you create an LdapConnection to the directory you can use the service account to bind with, and then make a subsequent bind to authenticate the credentials.
The service account is generally used to limit access to the authentication mechanism of the server. This way no random person on the street can try to auth with your LDAP server.
Also, do you expect that each user will provide their distinguished name when logging in? With Active Directory, only the sAMAccountName is required, yet other providers like eDirectory and SunONE require the distinguished name for authentication.
To perform this type of authentication, you would need to use the service account that is provided to authenticate to the server, perform a search for a user with the given username, and grab that users distinguished name. You can then authenticate using that distinguished name and the password that was provided.
This will work for all LDAP systems, with the exception of Active Directory which will be happy with just the sAMAccountName.
我们有一个网站需要根据域凭据验证用户名和密码,并使用 LogonUser API 函数。 使用它进行网络登录(它的参数之一是登录类型),它所做的只是验证凭据,它不会像 runas 那样执行加载用户配置文件之类的操作。
唯一需要注意的是,服务帐户确实需要足够的访问权限来调用 LogonUser。 我建议您检查 MSDN 文档以了解该访问权限,因为它因操作系统而异。
We had a website that needed to authenticate a username and password against domain credentials and used the LogonUser API function. Use it for a network logon (one of its arguments is logon type) and all it does is validate credentials, it doesn't do things like load the users profile that runas would.
Only caveat is that the service account does require sufficient access to call LogonUser. I suggest you check the MSDN documentation for what that access is though because it varies by OS.