我是c#的新手,我使用LDAP来1)验证用户的登录凭据,2)为我的应用程序获取有关用户的其他信息。我们的LDAP服务器不允许我请求匿名分发的一些数据,所以我必须等到我绑定了用户的完整凭据才能提取数据。然而,即使这样,我也无法获得简单的字段,如sn和givenName。使用JXplorer,我可以看到在匿名连接期间隐藏这些值的位置,但是使用完整的用户/SSL/密码组合,我可以看到JXplorer中的所有内容。我只是不能通过我的代码做同样的事情。
如果我在第一个FindOne()之后循环遍历属性,会发现9个属性(其中没有一个是我正在寻找的)。如果我在第二个 FindOne()之后循环遍历属性,则只有4个属性可用。这两个结果似乎都没有受到PropertiesToAdd.Add("…")的影响。
如有任何建议,不胜感激。
public string[] Authenticate(string user, string password)
{
string[] results = new string [2];
//Concatenate serverpath + username + container
//I.e. "LDAP://ldap.disney.com:636/CN=donaldDuck,ou=people,dc=la,dc=disney,dc=com"
DirectoryEntry de = new DirectoryEntry(_ldapserver + "cn=" + user + "," + _topContainer);
//User's password for initial verification
de.Password = password;
//initate anonymous bind
de.AuthenticationType = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
DirectorySearcher searcher = new DirectorySearcher(de);
searcher.SearchScope = System.DirectoryServices.SearchScope.Base;
//Search for first record
SearchResult result = searcher.FindOne();
//Check results
if (result == null) throw new Exception(ERR_NOT_FOUND);
de = result.GetDirectoryEntry();
//Return search results
//results[0] = (string)de.Properties["mail"].Value;
// results[1] = (string)de.Properties["givenName"].Value + " " + (string)de.Properties["sn"].Value;
// Distingushed Name of the found account
string DN = de.Path.Substring(de.Path.ToUpper().IndexOf("CN="));
// Close search connection
de.Close();
// now bind and verify the user's password,
de = new DirectoryEntry(_ldapserver + _topContainer);
de.Username = DN;
de.Password = password;
de.AuthenticationType = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
//Obtain additional information
searcher = new DirectorySearcher(de);
searcher.PropertiesToLoad.Add("sn");
searcher.PropertiesToLoad.Add("givenName");
SearchResult r = searcher.FindOne();
de = r.GetDirectoryEntry();
foreach (string property in de.Properties.PropertyNames)
{
Console.WriteLine("t{0} : {1} ", property, de.Properties[property][0]);
}
//End obtain additional information
//Validate password
Object obj = de.NativeObject;
de.Close();
//if we made it here, we successfully authenticated
return results;
}
如果你使用的是。net 3.5及以上版本,你应该检查一下System.DirectoryServices.AccountManagement
(S.DS.AM)命名空间。阅读这里的所有内容:
- 管理。net Framework 3.5中的目录安全主体
- System.DirectoryServices.AccountManagement上的MSDN文档
基本上,您可以定义域上下文并轻松地在AD中查找用户和/或组:
// set up domain context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
// validate given user credentials
bool isValid = ctx.ValidateCredentials(user, password);
// find a user
UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");
if(user != null)
{
string surname = user.Surname;
string givenName = user.GivenName;
}
}
新的S.DS.AM使在AD中与用户和组进行交互变得非常容易!