2

是否可以只查询组的那些成员,这也是来自 AD 的组?

现在我正在使用以下代码:

var group = GroupPrincipal.FindByIdentity(ctx, identityType, domainGroup);
if (null != group)
{
    var subGroups = group.GetMembers().Where(g => g is GroupPrincipal).Select(g => g.Name);
................
}

问题是我的组有大量用户(超过 50 000),因此查询的工作时间非常长。此外,传输大量数据。

如何在单个请求中仅查询直接子组(而不是用户)?

编辑

我结束了DirectorySearcher。这是我完成的代码:

using (var searcher = new DirectorySearcher(string.Format("(&(objectCategory=group)(objectClass=group)(memberof={0}))", group.DistinguishedName), new[] { "cn" }))
{
    searcher.PageSize = 10000;
    var results = SafeFindAll(searcher);

    foreach (SearchResult result in results)
    {
        for (int i = 0; i < result.Properties["cn"].Count; i++)
        {
            subGroups.Add((string)result.Properties["cn"][i]);
        }
    }
}
4

1 回答 1

2

我建议使用较低级别的DirectoryServices.Protocols命名空间而不是DirectoryServices.AccountManagement这样的东西。

我(与许多其他人一起)使用这些AccountManagement库时遇到的问题是缺乏自定义和配置。话虽这么说,这也是我搜索 Active Directory 的方式,System.DirectoryServices.Protocols.SearchScope也是如此。

//Define the connection
var ldapidentifier = new LdapDirectoryIdentifier(ServerName, port);
var ldapconn = new LdapConnection(ldapidentifier, credentials);

//Set some session options (important if the server has a self signed cert or is transferring over SSL on Port 636)
ldapconn.SessionOptions.VerifyServerCertificate += delegate { return true; };
ldapconn.SessionOptions.SecureSocketLayer = true;

//Set the auth type, I'm doing this from a config file, you'll probably want either Simple or Negotatie depending on the way your directory is configured.
ldapconn.AuthType = config.LdapAuth.LdapAuthType;

这是DirectoryServices真正开始发光的地方。您可以轻松定义过滤器以按特定组或子组进行搜索。你可以做这样的事情:

string ldapFilter = "(&(objectCategory=person)(objectclass=user)(memberOf=CN=All Europe,OU=Global,dc=company,dc=com)";  

//Create the search request with the domain, filter, and SearchScope. You'll most likely want Subtree here, but you could possibly use Base as well. 
var getUserRequest = new SearchRequest(Domain, ldapFilter, SearchScope.Subtree)                                        

//This is crucial in getting the request speed you want. 
//Setting the DomainScope will suppress any refferal creation during the search
var SearchControl = new SearchOptionsControl(SearchOption.DomainScope);
getUserRequest.Controls.Add(SearchControl);

//Now, send the request, and get your array of Entry's back
var Response = (SearchResponse)ldapconn.SendRequest(getUserRequest);

SearchResultEntryCollection Users = Response.Entries;

这可能不是所需要的,但正如您所见,您将有更多的灵活性来更改和修改搜索条件。我使用这段代码来搜索海量的域结构,它几乎是瞬时的,即使有大量的用户和组。

于 2013-06-13T16:33:49.463 回答