9

我有以下两种使用 LDAP 和 LDAPS 对用户进行身份验证的实现,我想知道哪个更好/更正确。作为记录,这些都适用于 SSL 和非 SSL 连接。

我也很好奇,因为在使用 Wireshark 观看该Non-SSL PrincipalContext版本时,我仍然看到端口 636 上的流量。在四种组合(Non-SSL LdapConnectionSSL LdapConnectionNon-SSL PrincipalContextSSL PrincipalContext)中,它是唯一一个在端口 389 和 636 上都有流量的组合,而不仅仅是一个或另一个。这可能是什么原因造成的?

LDAP 连接方法:

bool userAuthenticated = false;
var domainName = DomainName;

if (useSSL)
{
  domainName = domainName + ":636";
}

try
{
  using (var ldap = new LdapConnection(domainName))
  {
    var networkCredential = new NetworkCredential(username, password, domainName);
    ldap.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback((con, cer) => true);
    ldap.SessionOptions.SecureSocketLayer = useSSL;
    ldap.SessionOptions.ProtocolVersion = 3;
    ldap.AuthType = AuthType.Negotiate;
    ldap.Bind(networkCredential);
  }

  // If the bind succeeds, we have a valid user/pass.
  userAuthenticated = true;
}
catch (LdapException ldapEx)
{
  // Error Code 0x31 signifies invalid credentials, anything else will be caught outside.
  if (!ldapEx.ErrorCode.Equals(0x31))
  {
    throw;
  }
}

return userAuthenticated;

PrincipalContext 方法:

bool userAuthenticated = false;
var domainName = DomainName;

if (useSSL)
{
  domainName = domainName + ":636";
  ContextOptions options = ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer;

  using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domainName, null, options))
  {
    userAuthenticated = pc.ValidateCredentials(username, password, options);
  }
}
else
{
  using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domainName))
  {
    userAuthenticated = pc.ValidateCredentials(username, password);
  }
}

return userAuthenticated;
4

2 回答 2

6

@DTI-Matt,在上面的示例中,您使用VerifyServerCertificate始终返回的回调true。这基本上违背了通过 SSL 连接到 LDAP 的目的,因为没有执行真正的证书检查。

X509Chain虽然您可以使用和/或类实现真正的证书检查X509Certificate2,但它似乎PrincipalContext会为您处理检查。

总而言之,两者都LdapConnection提供PrincipalContext非常相似的功能,即通过普通或 SSL 连接连接到 LDAP 服务器。您必须提供LdapConnection更多的手写代码才能使其正常工作。另一方面,PrincipalContext为您提供相同的功能,而手动编写的代码更少。

请注意,通过非 SSL 连接到端口 636(您的默认 LDAP over SSL 端口)PrincipalContext可能是因为此类尝试尽可能安全地连接。

于 2014-07-23T16:40:16.260 回答
0

这就是我们最终在 SSL/Non-SSL 上工作的结果。

public bool UserValid(string username, string password, bool useSSL)
{
    bool userAuthenticated = false;
    var domainName = DomainName;

    if (useSSL)
    {
        domainName = domainName + ":636";
    }

    try
    {
        using (var ldap = new LdapConnection(domainName))
        {
            var networkCredential = new NetworkCredential(username, password, DomainName); // Uses DomainName without the ":636" at all times, SSL or not.
            ldap.SessionOptions.VerifyServerCertificate += VerifyServerCertificate;
            ldap.SessionOptions.SecureSocketLayer = useSSL;
            ldap.AuthType = AuthType.Negotiate;
            ldap.Bind(networkCredential);
        }

        // If the bind succeeds, we have a valid user/pass.
        userAuthenticated = true;
    }
    catch (LdapException ldapEx)
    {
        // Error Code 0x31 signifies invalid credentials, so return userAuthenticated as false.
        if (!ldapEx.ErrorCode.Equals(0x31))
        {
            throw;
        }
    }

    return userAuthenticated;
}

private bool VerifyServerCertificate(LdapConnection connection, X509Certificate certificate)
{
    X509Certificate2 cert = new X509Certificate2(certificate);

    if (!cert.Verify())
    {
        // Could not validate potentially self-signed SSL certificate. Prompting user to install certificate themselves.
        X509Certificate2UI.DisplayCertificate(cert);

        // Try verifying again as the user may have allowed the certificate, and return the result.
        if (!cert.Verify())
        {
            throw new SecurityException("Could not verify server certificate. Make sure this certificate comes from a trusted Certificate Authority.");
        }
    }

    return true;
}
于 2015-01-15T15:52:53.077 回答