查看用户是否是 C# 中 Active Directory 组的一部分 + ASP.net
我需要一种方法来查看用户是否属于我的 .Net 3.5 asp.net c# 应用程序中的活动目录组。
我正在使用 msdn 上的标准 ldap 身份验证示例,但我真的不知道如何检查组。
I need a way to see if a user is part of an active directory group from my .Net 3.5 asp.net c# application.
I am using the standard ldap authentication example off of msdn but I don't really see how to check against a group.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(15)
对于 3.5 和 System.DirectoryServices.AccountManagement 这是干净一点:
With 3.5 and System.DirectoryServices.AccountManagement this is a bit cleaner:
Nick Craver 的解决方案在 .NET 4.0 中不适用于我。我收到有关已卸载 AppDomain 的错误。我没有使用它,而是使用了这个(我们只有一个域)。这将检查组的组以及直接组成员资格。
Nick Craver's solution doesn't work for me in .NET 4.0. I get an error about an unloaded AppDomain. Instead of using that, I used this (we only have one domain). This will check groups of groups as well as direct group membership.
下面的代码将在 .net 4.0 中运行
The code below will work in .net 4.0
最简单的解决方案
Simplest Solution
如果您尝试确定经过 Windows 身份验证的当前用户是否处于特定角色,此方法可能会有所帮助。
This method might be helpful if you're trying to determine if the Windows authenticated current user is in a particular role.
这取决于您所说的用户是否位于 AD 组中是什么意思。在 AD 中,组可以是安全组或分发组。即使对于安全组,这也取决于是否需要将“域用户”或“用户”等组包含在成员资格检查中。
IsUserInSecurityGroup 将仅检查安全组,并且适用于主要组类型的组,例如“域用户”和“用户”,而不是通讯组。它还将解决嵌套组的问题。
IsUserInAllGroup 还将检查通讯组,但我不确定您是否会遇到权限问题。如果这样做,请使用 WAAG 中的服务帐户(请参阅 MSDN)
。使用 UserPrincipal.GetAuthorizedGroups() 是因为它有很多问题,例如要求调用帐户位于 WAAG 中并要求 SidHistory 中没有条目 (请参阅 David Thomas 的评论)
It depends on what you mean by if a user is in an AD group. In AD, groups can be a Security group or Distribution group. Even for security groups, it depends on if groups like "Domain Users" or "Users" need to be included in the membership check.
IsUserInSecurityGroup will only check for security groups and will work for Primary Group kind of groups like "Domain Users" and "Users", and not distribution groups. It will also solve the issue with nested groups.
IsUserInAllGroup will also check for Distribution groups, but I am not sure if you would run into permission issues. If you do, use a service account that is in WAAG (See MSDN)
The reason I am not using UserPrincipal.GetAuthorizedGroups() is because it has a lot of issues, such as requiring the calling account to be in WAAG and requiring there isn't an entry in SidHistory (See David Thomas' comment)
这是我的 2 美分。
Here is my 2 cents.
这看起来简单得多:
This seems much simpler:
怎么样
如何编写 LDAP 查询来测试用户是否是组的成员?
How about this
How to write LDAP query to test if user is member of a group?
您可以尝试以下代码:
You could try the following code:
布兰登·约翰逊,喜欢它,我使用了你所拥有的,但做了以下更改:
Brandon Johnson, loved it, I used what you had, but made the following change:
如果您想检查用户组成员资格,包括间接链接到用户父组的嵌套组,您可以尝试使用“tokenGroups”属性,如下所示:
Using System.DirectoryServices public static bool IsMemberOfGroupsToCheck(string DomainServer, string LoginID, string LoginPassword) { string UserDN = "CN=John.Doe-A,OU=Administration Accounts,OU=User Directory,DC=ABC,DC=com" string ADGroupsDNToCheck = "CN=ADGroupTocheck,OU=Administration Groups,OU=Group Directory,DC=ABC,DC=com"; byte[] sid, parentSID; bool check = false; DirectoryEntry parentEntry; DirectoryEntry basechildEntry; string octetSID; basechildEntry = new DirectoryEntry("LDAP://" + DomainServer + "/" + UserDN, LoginID, LoginPassword); basechildEntry.RefreshCache(new String[] { "tokenGroups" }); parentEntry = new DirectoryEntry("LDAP://" + DomainServer + "/" + ADGroupsDNToCheck, LoginID, LoginPassword); parentSID = (byte[])parentEntry.Properties["objectSID"].Value; octetSID = ConvertToOctetString(parentSID, false, false); foreach(Object GroupSid in basechildEntry.Properties["tokenGroups"]) { sid = (byte[])GroupSid; if (ConvertToOctetString(sid,false,false) == octetSID) { check = true; break; } } basechildEntry.Dispose(); parentEntry.Dispose(); return check; }If you want to check the user groups membership including the nested groups which is indirectly linked to the user parent group you can try use the "tokenGroups" properties as below:
Using System.DirectoryServices public static bool IsMemberOfGroupsToCheck(string DomainServer, string LoginID, string LoginPassword) { string UserDN = "CN=John.Doe-A,OU=Administration Accounts,OU=User Directory,DC=ABC,DC=com" string ADGroupsDNToCheck = "CN=ADGroupTocheck,OU=Administration Groups,OU=Group Directory,DC=ABC,DC=com"; byte[] sid, parentSID; bool check = false; DirectoryEntry parentEntry; DirectoryEntry basechildEntry; string octetSID; basechildEntry = new DirectoryEntry("LDAP://" + DomainServer + "/" + UserDN, LoginID, LoginPassword); basechildEntry.RefreshCache(new String[] { "tokenGroups" }); parentEntry = new DirectoryEntry("LDAP://" + DomainServer + "/" + ADGroupsDNToCheck, LoginID, LoginPassword); parentSID = (byte[])parentEntry.Properties["objectSID"].Value; octetSID = ConvertToOctetString(parentSID, false, false); foreach(Object GroupSid in basechildEntry.Properties["tokenGroups"]) { sid = (byte[])GroupSid; if (ConvertToOctetString(sid,false,false) == octetSID) { check = true; break; } } basechildEntry.Dispose(); parentEntry.Dispose(); return check; }如何检查用户是否在 AD 成员和特定 AD 组成员中
How to check user is in AD member and specific AD group member
这应该在 .NET 3.5+ 中工作
这与这里的很多答案类似,但是:
Dispose对象(使用using)This should work in .NET 3.5+
This is similar to a lot of answers here, but this:
Disposes the objects (usingusings)