Supporting the OpenLDAP password policy control
Openldap supportedControl listed: 1.3.6.1.4.1.42.2.27.8.5.1 (Password policy)
Using .Net DirectoryServices.Protocols, I've exhausted all possible methods of retrieving the response information provided by this control.
I'm using the latest Openldap Source built/running locally in a Cygwin environment with all PPolicy related config enabled in the build and the PPolicy configured and working/tested.
Modifying an example from the directory services programming guide (link: http://dunnry.com/blog/2006/05/11/DotNetDevGuideToDirectoryServicesCompanionSiteLaunched.aspx) to use a SearchRequest populated with a DirectoryControl configured to request the Password Policy gets me nothing.
Everything looks good in the Server Source: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob_plain;f=servers/slapd/overlays/ppolicy.c;hb=HEAD
Has anyone had any luck using .Net DirectoryControls in a SearchRequest?
Here is some code I've been trying:
using System;
using System.Diagnostics;
using System.DirectoryServices.Protocols;
using System.Net;

// _authConnect is an LdapConnection already pointed at the OpenLDAP server;
// credentials.UserName is a user DN format, w/password and null domain
bool BindAndRequestPasswordPolicy(LdapConnection _authConnect, NetworkCredential credentials)
{
    _authConnect.AuthType = AuthType.Basic;
    _authConnect.Credential = credentials;
    Debug.WriteLine("PV: " + _authConnect.SessionOptions.ProtocolVersion);

    // Base-scope search of the user's own entry. ExtendedRequest and
    // DsmlAuthRequest were also tried in place of SearchRequest.
    var sr = new SearchRequest(credentials.UserName, "(objectclass=*)", SearchScope.Base, null);

    var isCritical = false;
    var ppolicy = "1.3.6.1.4.1.42.2.27.8.5.1";
    // ppolicy request and response control is referred to by the same OID
    sr.Controls.Add(new DirectoryControl(ppolicy, null, isCritical, true));
    sr.Controls.Add(new DirectoryControl(ppolicy, new byte[8], isCritical, false));
    try
    {
        var response = (SearchResponse)_authConnect.SendRequest(sr);
        // Controls attached to the SearchResultDone message
        DirectoryControl[] c = response.Controls;
        if (c != null && c.Length > 0)
        {
            Debug.WriteLine(c[0].Type + " value: " + BitConverter.ToString(c[0].GetValue() ?? new byte[0]));
        }
        // Controls attached to the first SearchResultEntry, if any was returned
        if (response.Entries.Count > 0)
        {
            c = response.Entries[0].Controls;
            if (c != null && c.Length > 0)
            {
                Debug.WriteLine(c[0].Type + " value: " + BitConverter.ToString(c[0].GetValue() ?? new byte[0]));
            }
        }
        return true;
    }
    catch (LdapException ex)
    {
        Debug.WriteLine(ex.Message);
        return false;
    }
}
I had the same problem as you and tried many things unsuccessfully and then ran out of time. The problem as I noticed was that openldap was only sending the password expiration information in the bind request. I found this out by enabling all logging on the server. So I went about trying to find a way to use directory controls with a bind request. There wasn't a way to do it using S.DS.P LdapConnection class that I could find. I then went about hacking around with reflecting into the connection object and grabbing the ldaphandle variable. With that I could use it to call into the c-api directly like S.DS.P does. I looked around at the openldap sources and noticed that its tools use a sasl bind mechanism with no mechanism which in that library resorts back to a simple bind with the controls. It doesn't work the same in winldap. If you do that it will return a bad parameter response code. The last thing I tried was calling the async version of ldap_bind and reading back the message. Unfortunately no controls were ever in the response. I think since I wasn't sending them they weren't getting returned even though the openldap log file said it was setting the warning. That was my only hope for using any of the built-in winldap bind methods.
The last thing I was going to try but ran out of time would be to construct my own bind message with the controls and send them to the server using the ldap_extended_operation_s function: http://msdn.microsoft.com/en-us/library/aa366580(v=VS.85).aspx If I get some extra time on this project I may go back and try that out. If I do I'll report back here. Ultimately though, if this is the solution, it may just be easier to use the ldapcsharp library from Novell. It looks like it is possible to send a bind request with server controls using it. I only explored the winldap api because I'm somewhat familiar with it and we're already pretty entrenched in using DirectoryServices.Protocols.
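Whichever path finally delivers the control bytes to the client (a SearchResponse control as in the question, or the bind response the answer found OpenLDAP actually uses), the value still has to be decoded, and neither S.DS.P nor winldap ships a parser for it. The following is an added example, not code from the original question, the answer, or OpenLDAP: a strict decoder for the password-policy response control value, with the layout taken from draft-behera-ldap-password-policy and the context tags ([0] constructed for the warning, [0]/[1] primitive for the choice, [1] primitive for the error) assumed to match what OpenLDAP's ppolicy overlay emits. The FromControls helper, the Demo class and the three sample byte arrays are constructed for this example.

```csharp
// Added example (not from the original post): decode the value of the
// password-policy response control, OID 1.3.6.1.4.1.42.2.27.8.5.1.
//   PasswordPolicyResponseValue ::= SEQUENCE {
//     warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
//                          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
//     error   [1] ENUMERATED { passwordExpired(0) .. passwordInHistory(8) } OPTIONAL }
using System;
using System.DirectoryServices.Protocols;

public sealed class PasswordPolicyResponse
{
    public const string Oid = "1.3.6.1.4.1.42.2.27.8.5.1";

    public int? TimeBeforeExpiration { get; private set; }   // seconds
    public int? GraceAuthNsRemaining { get; private set; }   // grace binds left
    public int? Error { get; private set; }

    static readonly string[] ErrorNames = {
        "passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
        "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
        "passwordTooYoung", "passwordInHistory" };

    public string ErrorName =>
        Error.HasValue && Error.Value < ErrorNames.Length ? ErrorNames[Error.Value] : null;

    // Hypothetical helper: pick the ppolicy control out of an S.DS.P control array.
    public static PasswordPolicyResponse FromControls(DirectoryControl[] controls)
    {
        if (controls == null) return null;
        foreach (var c in controls)
            if (c.Type == Oid) return Parse(c.GetValue());
        return null;
    }

    // Strict parse: malformed bytes throw instead of being read as "no warning".
    public static PasswordPolicyResponse Parse(byte[] v)
    {
        int pos = 0;
        if (v == null || v.Length == 0 || v[pos++] != 0x30) throw new FormatException("expected SEQUENCE");
        int end = pos + ReadLength(v, ref pos);
        if (end > v.Length) throw new FormatException("SEQUENCE runs past end of value");

        var r = new PasswordPolicyResponse();
        while (pos < end)
        {
            byte tag = v[pos++];
            int len = ReadLength(v, ref pos);
            int elemEnd = pos + len;
            if (elemEnd > end) throw new FormatException("element runs past SEQUENCE");
            if (tag == 0xA0)                                    // warning [0], constructed
            {
                if (len < 3) throw new FormatException("warning too short");
                byte choice = v[pos++];
                int innerLen = ReadLength(v, ref pos);
                int n = ReadInteger(v, ref pos, innerLen, elemEnd);
                if (choice == 0x80) r.TimeBeforeExpiration = n;        // [0] INTEGER
                else if (choice == 0x81) r.GraceAuthNsRemaining = n;   // [1] INTEGER
                else throw new FormatException("unknown warning choice 0x" + choice.ToString("X2"));
            }
            else if (tag == 0x81)                               // error [1] ENUMERATED
                r.Error = ReadInteger(v, ref pos, len, elemEnd);
            else
                throw new FormatException("unexpected tag 0x" + tag.ToString("X2"));
            if (pos != elemEnd) throw new FormatException("trailing bytes inside element");
        }
        return r;
    }

    // BER length: short form (< 0x80) or long form (0x80 | n, then n length bytes).
    static int ReadLength(byte[] b, ref int pos)
    {
        if (pos >= b.Length) throw new FormatException("missing length");
        int first = b[pos++];
        if (first < 0x80) return first;
        int count = first & 0x7F;
        if (count == 0 || count > 3 || pos + count > b.Length) throw new FormatException("bad length");
        int len = 0;
        for (int i = 0; i < count; i++) len = (len << 8) | b[pos++];
        return len;
    }

    // Big-endian two's-complement INTEGER/ENUMERATED. Both warning fields are
    // defined as 0..maxInt, so negative or over-wide values are rejected.
    static int ReadInteger(byte[] b, ref int pos, int len, int limit)
    {
        if (len < 1 || len > 5 || pos + len > limit) throw new FormatException("bad INTEGER");
        long val = (b[pos] & 0x80) != 0 ? -1L : 0L;
        for (int i = 0; i < len; i++) val = (val << 8) | b[pos + i];
        pos += len;
        if (val < 0 || val > int.MaxValue) throw new FormatException("INTEGER out of range");
        return (int)val;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample control values (not captured from a server).
        var samples = new (string label, byte[] value)[] {
            ("expires in 3600 s",               new byte[] { 0x30, 0x06, 0xA0, 0x04, 0x80, 0x02, 0x0E, 0x10 }),
            ("2 grace binds + changeAfterReset", new byte[] { 0x30, 0x08, 0xA0, 0x03, 0x81, 0x01, 0x02, 0x81, 0x01, 0x02 }),
            ("accountLocked, no warning",        new byte[] { 0x30, 0x03, 0x81, 0x01, 0x01 }),
        };
        foreach (var (label, value) in samples)
        {
            var p = PasswordPolicyResponse.Parse(value);
            Console.WriteLine($"{label}: expiresIn={p.TimeBeforeExpiration} grace={p.GraceAuthNsRemaining} error={p.ErrorName ?? "none"}");
        }
    }
}
```

In the S.DS.P code from the question, `PasswordPolicyResponse.FromControls(response.Controls)` (or `response.Entries[0].Controls`) returns null when the server attached no ppolicy control, which is the "gets me nothing" case; once the control does arrive, TimeBeforeExpiration and GraceAuthNsRemaining are the fields an application would surface to the user, and Error is the reason a bind was refused. The parser deliberately throws on unexpected tags or trailing bytes rather than returning a partially filled object, so a value from a different control or a truncated buffer is never mistaken for "no warning, no error".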