6

I'm having trouble integrating my ASP.NET web service with an Active Directory setup: I use AD to authenticate users, to check which AD groups they belong to, and to decide whether they are allowed to use my custom application.

My custom application has its own permissions; an administrator configures which Active Directory groups are allowed to use the custom application.

The problem I'm running into is that when a user from a different trusted AD forest (with a full two-way trust) tries to log in, I cannot get his group list from the AD server my ASP.NET web service talks to. The ASP.NET web service can only reach the AD server (AD Main), not the trusting AD controller (AD Secondary).

The user is a member of the (AD Secondary) domain, and I can authenticate that user against the (AD Main) domain, but when the user is in the (AD Secondary) domain.

I tried this code.

using System.Collections;
using System.Collections.Specialized;
using System.Diagnostics;
using System.DirectoryServices;

StringCollection groupids = new StringCollection();
try
{
    DirectoryEntry directoryEntry = new DirectoryEntry("LDAP://" + domain, username, password);
    if (directoryEntry != null)
    {
        // Enumerate the properties so we can see what is in them
        foreach (string propname in directoryEntry.Properties.PropertyNames)
        {
            Debug.WriteLine(propname);
        }

        // IADsUser.Groups returns the groups this entry is a direct member of
        object obGroups = directoryEntry.Invoke("Groups");
        foreach (object ob in (IEnumerable)obGroups)
        {
            // Create a DirectoryEntry for each group and record its GUID
            DirectoryEntry obGpEntry = new DirectoryEntry(ob);
            groupids.Add(obGpEntry.NativeGuid);
        }
    }
}
catch (DirectoryServicesCOMException)
{
    throw; // rethrow as-is; "throw ex;" would reset the stack trace
}

I tried moving away from the DirectoryEntry object to something like this.

using System.Collections.Specialized;
using System.DirectoryServices.AccountManagement;

StringCollection groupids = new StringCollection();

PrincipalContext yourDomain = new PrincipalContext(ContextType.Domain, domain, userName, password);

// find your user
UserPrincipal user = UserPrincipal.FindByIdentity(yourDomain, userName);

// if found - grab its groups
if (user != null)
{
    PrincipalSearchResult<Principal> groups = user.GetGroups();

    // iterate over all groups
    foreach (Principal p in groups)
    {
        // make sure to add only group principals
        if (p is GroupPrincipal)
        {
            groupids.Add(p.DisplayName);
        }
    }
}

However, I don't get the user back, and I can't get the group list for that user in the other domain. Any help would be greatly appreciated.

4
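One way to make the authorization decision itself robust, added here as an example (it is not code from the question or from either answer): it uses UserPrincipal.GetAuthorizationGroups(), which returns the user's effective groups (direct, nested and the primary group, whereas GetGroups() returns direct memberships only), and compares them against the administrator's allow list by SID rather than by DisplayName, since display names can be renamed or duplicated across domains while SIDs cannot. It assumes a PrincipalContext that can reach a domain controller of the user's own domain; the domain name, credentials and group SIDs are placeholders. A context against AD Main alone will not find an account that lives in the other forest, because a forest's global catalog holds no objects of a trusted forest.

```csharp
// Added example, not from the question or answers. Placeholders: "secondary.example",
// the service credentials and the allow-list SIDs.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

public static class GroupAuthorization
{
    // Build a context against the user's OWN domain (assumption: a DC of it is reachable).
    public static PrincipalContext ContextForUserDomain(string userDomainDns, string svcUser, string svcPassword)
    {
        return new PrincipalContext(ContextType.Domain, userDomainDns, svcUser, svcPassword);
    }

    // Collect the SID of every security group in the user's token:
    // direct, nested and primary group. GetGroups() would miss nested grants.
    public static HashSet<SecurityIdentifier> GetEffectiveGroupSids(PrincipalContext ctx, string upn)
    {
        var sids = new HashSet<SecurityIdentifier>();
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, upn))
        {
            if (user == null)
            {
                return sids; // not found in this domain: caller must not treat that as "authorized"
            }
            using (PrincipalSearchResult<Principal> groups = user.GetAuthorizationGroups())
            {
                foreach (Principal p in groups)
                {
                    var g = p as GroupPrincipal;
                    if (g != null && g.Sid != null)
                    {
                        sids.Add(g.Sid);
                    }
                    p.Dispose();
                }
            }
        }
        return sids;
    }

    // Allow list configured by the administrator as SID strings, e.g. "S-1-5-21-...-1105" (placeholder).
    public static bool IsAuthorized(HashSet<SecurityIdentifier> userSids, IEnumerable<string> allowedGroupSids)
    {
        foreach (string s in allowedGroupSids)
        {
            if (userSids.Contains(new SecurityIdentifier(s)))
            {
                return true;
            }
        }
        return false; // default deny
    }

    public static void Main()
    {
        // Placeholder values; in the question's setup the domain would be AD Secondary's DNS name.
        using (var ctx = ContextForUserDomain("secondary.example", "svc-webapp@main.example", "<password>"))
        {
            var sids = GetEffectiveGroupSids(ctx, "alice@secondary.example");
            string[] allowed = { "S-1-5-21-1111111111-2222222222-3333333333-1105" };
            Console.WriteLine(IsAuthorized(sids, allowed) ? "allowed" : "denied");
        }
    }
}
```

Storing the allow list as SIDs also means the check keeps working after a group is renamed, and an empty result from FindByIdentity falls through to a deny rather than to an exception path that a caller might swallow.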

2 Answers

1

This seems like a good use case for the AD derived attribute memberOf. Using the DirectoryEntry object directoryEntry, you can enumerate the groups the user belongs to.

foreach (object group in directoryEntry.Properties["memberOf"])
{
    // each memberOf value is the distinguished name of a group
    DirectoryEntry obGpEntry = new DirectoryEntry("LDAP://" + (string)group);
    groupids.Add(obGpEntry.NativeGuid);
}

You could probably also have used the first snippet if you had prefixed ob with "LDAP://".

Answered 2012-04-10T15:06:42.660
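Two caveats apply to the memberOf approach: it does not list the user's primary group, which AD stores as a RID in primaryGroupID rather than as a memberOf entry, and a serverless "LDAP://<DN>" bind locates a DC from the DN's domain, which fails when, as in the question, the service cannot reach that domain. The following added example (not the answer's code) reads memberOf and primaryGroupID from one explicitly named server and returns group SIDs, which are what a logon token actually carries, instead of NativeGuid. The server name, DN and credentials are placeholders, and it assumes a non-GC domain controller of the user's own domain, whose memberOf values only name groups of that same domain, so every group DN can be resolved on the same server.

```csharp
// Added example, not from the answer. Placeholders: "dc.secondary.example", the user DN and credentials.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

public static class MemberOfGroups
{
    // Returns the SID string of every group the user is a DIRECT member of, primary group included.
    // Nested memberships are not expanded here; that is what tokenGroups / GetAuthorizationGroups do.
    public static List<string> GetDirectGroupSids(string server, string userDn, string bindUser, string bindPassword)
    {
        var result = new List<string>();
        using (var user = new DirectoryEntry("LDAP://" + server + "/" + userDn, bindUser, bindPassword))
        {
            // Ask the DC for exactly the attributes we need.
            user.RefreshCache(new[] { "memberOf", "primaryGroupID", "objectSid" });

            foreach (object groupDn in user.Properties["memberOf"])
            {
                // Server-qualify the path so the lookup stays on the DC we already reached
                // instead of a serverless bind that may target an unreachable domain.
                string groupPath = "LDAP://" + server + "/" + (string)groupDn;
                using (var group = new DirectoryEntry(groupPath, bindUser, bindPassword))
                {
                    var groupSid = new SecurityIdentifier((byte[])group.Properties["objectSid"].Value, 0);
                    result.Add(groupSid.Value);
                }
            }

            // Primary group = the user's domain SID + the RID stored in primaryGroupID (513 = Domain Users by default).
            var userSid = new SecurityIdentifier((byte[])user.Properties["objectSid"].Value, 0);
            int primaryGroupRid = (int)user.Properties["primaryGroupID"].Value;
            result.Add(userSid.AccountDomainSid.Value + "-" + primaryGroupRid);
        }
        return result;
    }

    public static void Main()
    {
        // Placeholder arguments; the DN is the user's distinguishedName in AD Secondary.
        foreach (string sid in GetDirectGroupSids("dc.secondary.example",
                                                  "CN=Alice,OU=Users,DC=secondary,DC=example",
                                                  "svc-webapp@main.example", "<password>"))
        {
            Console.WriteLine(sid);
        }
    }
}
```

Comparing the returned SIDs against a SID-based allow list avoids a lookup by group name, and keeping the bind server explicit makes it obvious in the code which directory the service must be able to reach.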
0

I think you have to connect to the remote AD and get the data you want.

I wrote a replication once, where i replicate from many AD's

Some code out of it:

Imports System.DirectoryServices.AccountManagement

' m_sDomain and m_sLdapPath are fields of the surrounding class (not shown)
Public Function GetDirectoryEntry() As Object

    If InStr(1, m_sLdapPath, "DC=") > 0 Then
        Dim directory_service As New PrincipalContext(ContextType.Domain, m_sDomain, m_sLdapPath)
        Return directory_service
    Else
        Dim directory_service As New PrincipalContext(ContextType.Machine, m_sDomain, m_sLdapPath)
        Return directory_service
    End If

End Function

Public Function GetUserList() As PrincipalSearchResult(Of Principal)

    Dim directory_service As PrincipalContext = CType(GetDirectoryEntry(), PrincipalContext)
    Dim directory_user As New UserPrincipal(directory_service)

    ' an empty UserPrincipal as query-by-example filter: match every user
    Dim directory_userlist As New PrincipalSearcher(directory_user)
    directory_userlist.QueryFilter = directory_user
    Return directory_userlist.FindAll()

End Function

Public Function GetGroupList() As PrincipalSearchResult(Of Principal)

    Dim directory_service As PrincipalContext = CType(GetDirectoryEntry(), PrincipalContext)
    Dim directory_group As New GroupPrincipal(directory_service)

    ' an empty GroupPrincipal as query-by-example filter: match every group
    Dim directory_grouplist As New PrincipalSearcher(directory_group)
    directory_grouplist.QueryFilter = directory_group
    Return directory_grouplist.FindAll()

End Function

I know this is not exactly what you need, but this shows how to connect and fetch data from any AD. In my case I get a userlist, grouplist or whatever and then work with those collections.

' oDirectory is an instance of the class above; directory_service and Username come from the caller
Dim l_oGroupList As PrincipalSearchResult(Of Principal) = oDirectory.GetGroupList()
For Each l_oGroup As GroupPrincipal In l_oGroupList.OfType(Of GroupPrincipal)()
    If l_oGroup.Members.Count > 0 Then
        If l_oGroup.Members.Contains(directory_service, IdentityType.UserPrincipalName, Username) Then
            ' he is part of the group
        End If
    End If
Next

I hope this helps a bit to solve the problem...

Answered 2012-04-10T17:05:08.140