System.DirectoryServices - How to NOT query Active Directory for attributes that have the confidential bit set
I'm using DirectoryServices to query for DirectoryEntries for a person or group like so:
// Attributes requested from the LDAP search
var propsToLoad = new string[] {"sAMAccountName", "objectClass", "memberOf", "distinguishedName", "manager", "mail", "name", "objectCategory"};
DirectoryEntry dEntry = new DirectoryEntry("LDAP://<MyDomainController>/DC=foo,DC=com", "user", "pass");
DirectorySearcher dSearch = new DirectorySearcher(dEntry, "(&(|(objectClass=person)(objectClass=group))(samAccountName=jsmith))", propsToLoad);
var searchResult = dSearch.FindOne();
// Separate DirectoryEntry bind for the result; not limited to propsToLoad
var searchResultDirEntry = searchResult.GetDirectoryEntry();
The issue I'm having is that the above call for getting the DirectoryEntry for the SearchResult is fetching more properties than what I'm querying for. If I hover over the searchResult while debugging, it contains just the 8 properties I queried for but calling "GetDirectoryEntry()" on the searchResult queries for a ton more properties (approx 77 - 80 more property values).
The real problem is that it is also querying for properties whose "confidential bit" is set such as 'UnixUserPassword' causing audit failures on the DC.
Is there any way to specify NOT to query for any properties having the confidential bit set OR have the result.GetDirectoryEntry(); respect my "propsToLoad" and only fetch property values for properties that I've specified on the DirectorySearcher.
Comments (1)
No, not really. Your propsToLoad array is passed in to the LDAP search. When you call the GetDirectoryEntry() API, it's a totally different codepath. If you want this level of control you're going to need to go against LDAP directly with S.DS.Protocols.
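What the answer describes, as an added example (not code from the question or the answer): a System.DirectoryServices.Protocols search whose request names only the eight attributes and reads the values straight from the search response, with no GetDirectoryEntry() call. The class and method names, the filter-escaping helper and the server name dc.example.test are assumptions; the base DN, account and credentials are the question's placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

static class ScopedLdapLookup // hypothetical name
{
    // The only attributes named in the request. Always pass an explicit list:
    // an empty list asks the server for all user attributes.
    static readonly string[] PropsToLoad =
    {
        "sAMAccountName", "objectClass", "memberOf", "distinguishedName",
        "manager", "mail", "name", "objectCategory"
    };

    // RFC 4515 escaping so a caller-supplied value cannot alter the filter.
    static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    static SearchResultEntry FindAccount(LdapConnection conn, string baseDn, string sam)
    {
        string filter = "(&(|(objectClass=person)(objectClass=group))(sAMAccountName="
                        + EscapeFilterValue(sam) + "))";
        var request = new SearchRequest(baseDn, filter, SearchScope.Subtree, PropsToLoad);
        var response = (SearchResponse)conn.SendRequest(request);
        return response.Entries.Count > 0 ? response.Entries[0] : null;
    }

    static void Main()
    {
        // Placeholder host; substitute the domain controller from the question.
        var server = new LdapDirectoryIdentifier("dc.example.test");
        var credential = new NetworkCredential("user", "pass");
        using (var conn = new LdapConnection(server, credential, AuthType.Negotiate))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.Bind();
            SearchResultEntry entry = FindAccount(conn, "DC=foo,DC=com", "jsmith");
            if (entry == null) { Console.WriteLine("not found"); return; }
            // Values come from the search response itself; nothing else is fetched.
            foreach (DirectoryAttribute attr in entry.Attributes.Values)
                foreach (string value in attr.GetValues(typeof(string)))
                    Console.WriteLine(attr.Name + ": " + value);
        }
    }
}
```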