LDAP vs. ADSI for managing Active Directory users
I have been requested to expose a web service for managing Active Directory Users via an intranet. I have been advised that LDAP is viewed as a security vulnerability and is not to be used.
Given this constraint, I have managed to connect via ADSI with a DirectoryEntry object like this:
using System.DirectoryServices;

DirectoryEntry de = new DirectoryEntry();
de.Path = "WinNT://TheDomain.local";   // WinNT ADSI provider
de.Username = "NTUser1";
de.Password = "pwdpwdpwd2";
I can loop through the children of this DirectoryEntry and get the ones that are users. On the Users, I can see these basic properties: UserFlags, MaxStorage, PasswordAge, PasswordExpired, LoginHours, FullName, Description, BadPasswordAttempts, LastLogin, HomeDirectory, LoginScript, Profile, HomeDirDrive, Parameters, PrimaryGroupID, Name, MinPasswordLength, MaxPasswordAge, MinPasswordAge, PasswordHistoryLength, AutoUnlockInterval, LockoutObservationInterval, MaxBadPasswordsAllowed, objectSid.
There are a number of User properties that are visible in the Active Directory MMC that are not accessible from the DirectoryEntry object including: LastName, NameSuffix, Department, etc...
These other properties are all documented in MSDN as being exposed by IADsUser (http://msdn.microsoft.com/en-us/library/aa746340%28VS.85%29.aspx).
1) Is LDAP actually a vulnerable protocol? More so than the ADSI (WinNT) connection shown above? LDAP seems to be pretty common for this purpose.
2) How can I retrieve/set these other properties of the User?
TIA
Comments (2)
1- LDAP packet transmission is performed as plaintext, so somebody can capture your data.
If you use LDAPS protocol or TLS-enable your LDAP connection, it is safe. ADSI is just an implementation of LDAP client by Microsoft, and it supports both LDAP and LDAPS connections.
When you use ADSI against your corporate Active Directory, it primarily tries to start a LDAPS connection.
So you are safe if you use ADSI; or you can use any other client or programming library as well if you use a secure connection. The default port for LDAPS is 636.
2- To get more information about directory objects, you can use the GetInfoEx method, it loads exactly the attributes you want. Below you can see an example:
http://msdn.microsoft.com/en-us/library/aa746411%28v=vs.85%29.aspx
But some of the properties that you look for are stored in the Active Directory by attribute names different from the MMC console, e.g. First name is stored as 'givenName' and Last name is stored as 'sn'. Look here to find names of attributes you need;
You can find more information here.
http://www.techgalaxy.net/Docs/Dev/Using_ADSI_and_LDAP_with_AD.htm explains the difference between LDAP and ADSI: http://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx includes illustrations.
In short, ADSI is a simplified wrapper around LDAP. If there's any insecurity to it, it's in the binding, which here appears to be SIMPLE (unencrypted plaintext username and password). If you bind the LDAP connection using any other method (or over an SSL connection), it should be secure.
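The following is an added example, not code from the question or from either answer, that pulls both answers together in System.DirectoryServices: the "SIMPLE" bind the second answer warns about, the signed/sealed or LDAPS bind the first answer recommends (port 636), and RefreshCache, which is the .NET counterpart of the GetInfoEx method the first answer points to, used to load givenName, sn and department. The property list in the question (UserFlags, MaxStorage, PasswordAge, ...) is what the WinNT:// provider exposes; the LDAP:// provider exposes the full schema under the LDAP attribute names, which is why this example binds with "LDAP://". The domain "TheDomain.local", the service account "svc-usermgmt", the sAMAccountName "jdoe" and the department value are assumed placeholders; the filter-escaping helper is an added hardening step for a web service that takes the account name from a request, not something the page describes.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example; account names, domain and attribute values below are assumed placeholders.
class AdUserAttributes
{
    // What the second answer calls a SIMPLE bind: AuthenticationTypes.None sends the
    // username and password in cleartext unless the connection itself is LDAPS.
    // Shown only for contrast; Main() does not call it.
    static DirectoryEntry BindSimpleCleartext(string user, string password) =>
        new DirectoryEntry("LDAP://TheDomain.local", user, password, AuthenticationTypes.None);

    // Preferred on port 389: Negotiate (Kerberos/NTLM) with signing and sealing, so the
    // bind and every later LDAP message are integrity-protected and encrypted.
    static DirectoryEntry BindSecure(string user, string password) =>
        new DirectoryEntry("LDAP://TheDomain.local", user, password,
            AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing);

    // Alternative: LDAPS on 636 (the port named in the first answer). The domain
    // controller's certificate must chain to a CA the web server trusts.
    static DirectoryEntry BindLdaps(string user, string password) =>
        new DirectoryEntry("LDAP://TheDomain.local:636", user, password,
            AuthenticationTypes.SecureSocketsLayer | AuthenticationTypes.Secure);

    // RFC 4515 escaping for a value embedded in an LDAP search filter, so a value taken
    // from a web request cannot change the structure of the filter.
    static string EscapeLdapFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    static void Main()
    {
        // The service account password belongs in a secret store, not in source.
        using (DirectoryEntry root = BindSecure("svc-usermgmt", "<password from secret store>"))
        {
            string sam = EscapeLdapFilterValue("jdoe");
            var searcher = new DirectorySearcher(root,
                "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + sam + "))",
                new[] { "distinguishedName" });
            SearchResult hit = searcher.FindOne();
            if (hit == null)
            {
                Console.WriteLine("no such user");
                return;
            }

            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                // Counterpart of IADs::GetInfoEx: load only the named attributes into the
                // property cache. These are the LDAP names, not the MMC labels.
                user.RefreshCache(new[] { "givenName", "sn", "department", "displayName" });
                Console.WriteLine("First name : " + user.Properties["givenName"].Value);
                Console.WriteLine("Last name  : " + user.Properties["sn"].Value);
                Console.WriteLine("Department : " + user.Properties["department"].Value);

                // Setting an attribute: write to the cache, then commit to the directory.
                user.Properties["department"].Value = "Engineering";
                user.CommitChanges();
            }
        }
    }
}
```

Whichever bind you choose, run the web service under an account that holds only the delegated rights it needs on the target OU (for example write to the attributes it manages) rather than a domain administrator, and keep the service itself behind the intranet's own authentication so that the LDAP credential never stands in for the caller's identity.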