How to determine the user DN after authenticating against Active Directory?

Posted 2024-08-28 07:45:45, 895 characters, 7 views, 0 comments


I'm using DirectoryServices to authenticate a user against an ADLDS (the lightweight Active Directory). After I pass authentication, how can I determine the DN or SID of the currently logged-in user?

using (DirectoryEntry entry = new DirectoryEntry("LDAP://XYZ:389",
                                                 userName.ToString(),
                                                 password.ToString(),
                                                 AuthenticationTypes.Secure))
{
    try
    {
        // Bind to the native object to force authentication to happen
        Object native = entry.NativeObject;
        MessageBox.Show("User authenticated!");
    }
    catch (Exception ex)
    {
        throw new Exception("User not authenticated: " + ex.Message);
    }
    ...

Thanks

Update:

I get an exception at

src = search.FindAll() 
There is no such object on the server.

I realized the user logging in has a class type "foreignSecurityPrincipal" in the Active Directory lightweight so I figured perhaps I can just modify your filter to be:

search.Filter = "(&(objectclass=foreignSecurityPrincipal)" + "(sAMAccountName=" + userName + "))";

But that gave me the same exception. Any idea what I am missing?


习惯成性 2024-09-04 07:45:45


To my knowledge you will have to do an LDAP Search for the user and get the distinguishedName property from AD. See below:

// you can use any root DN here that you want provided your credentials
// have search rights
DirectoryEntry searchEntry = new DirectoryEntry("LDAP://XYZ:389");

DirectorySearcher search = new DirectorySearcher(searchEntry);
search.Filter = "(&(objectclass=user)(objectCategory=person)" +
    "(sAMAccountName=" + userName + "))";

if (search != null)
{
    search.PropertiesToLoad.Add("sAMAccountName");
    search.PropertiesToLoad.Add("cn");
    search.PropertiesToLoad.Add("distinguishedName");

    log.Info("Searching for attributes");

    // find first result
    SearchResult searchResult = null;
    using (SearchResultCollection src = search.FindAll())
    {
        if (src.Count > 0)
            searchResult = src[0];
    }

    if (searchResult != null)
    {
        // Get DN here
        string DN = searchResult.Properties["distinguishedName"][0].ToString();
    }
}

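A hardened variant of the lookup above, added here as an example and not taken from the answer: it escapes the login name before it enters the filter (the string concatenation above lets a crafted userName rewrite the filter), refuses ambiguous matches instead of taking the first hit, and for the AD LDS foreignSecurityPrincipal case from the question's update searches on objectSid, since that object class does not carry sAMAccountName. The host XYZ:389 comes from the question; the class name, the ability to resolve the Windows account to a SID on the calling machine, and the server accepting the "S-1-..." string form in an objectSid filter are assumptions.

```csharp
using System.DirectoryServices;
using System.Security.Principal;

// Added example, not the answer's own code. Assumes the host XYZ:389 from the
// question and credentials with search rights on the partition holding the user.
static class UserDnLookup
{
    // RFC 4515 escaping. The login name is user-controlled input; concatenated
    // raw, "(sAMAccountName=" + name + ")" can be turned into a different filter.
    // Backslash is escaped first so the later substitutions are not re-escaped.
    public static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", @"\5c")
                    .Replace("*", @"\2a")
                    .Replace("(", @"\28")
                    .Replace(")", @"\29")
                    .Replace("\0", @"\00");
    }

    // Returns the single matching DN, or null when nothing matches or more than
    // one object does (an ambiguous filter must not silently pick the first hit).
    public static string FindDn(DirectoryEntry root, string filter)
    {
        using (var search = new DirectorySearcher(root, filter, new[] { "distinguishedName" }))
        using (SearchResultCollection results = search.FindAll())
        {
            if (results.Count != 1) return null;
            return (string)results[0].Properties["distinguishedName"][0];
        }
    }

    // Regular user object: look up by the escaped login name.
    public static string DnForAccountName(DirectoryEntry root, string userName)
    {
        return FindDn(root, "(&(objectClass=user)(objectCategory=person)(sAMAccountName="
                            + EscapeFilterValue(userName) + "))");
    }

    // AD LDS foreignSecurityPrincipal (the question's update): that class carries
    // objectSid rather than sAMAccountName, so resolve the Windows account (for
    // example DOMAIN\user) to its SID first. Assumptions: the calling machine can
    // resolve that account, and the server accepts the "S-1-..." string form.
    public static string DnForForeignPrincipal(DirectoryEntry root, string domainUser)
    {
        var sid = (SecurityIdentifier)new NTAccount(domainUser).Translate(typeof(SecurityIdentifier));
        return FindDn(root, "(&(objectClass=foreignSecurityPrincipal)(objectSid=" + sid.Value + "))");
    }
}
```

Pass the already authenticated DirectoryEntry from the question (the one built with userName, password and AuthenticationTypes.Secure) as root, so the search runs under the same credentials that just bound.
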
千年*琉璃梦 2024-09-04 07:45:45


When I add a new user manually in the active directory, the 'distinguished name' cannot be defined manually, but the convention seems to be the first name + ' ' + the last name. In this case, why not try to get the 'distinguished name' following this pattern? I also found that if I just specify a first name to create a non-human user, the 'distinguished name' is equal to the first name without a space after it.

I follow this pattern in my application and it works, and it's much simpler than trying to create a custom query to search for the user.
