有人知道如何WindowsPrincipal.IsInRole("domain\role")使用 Active Directory 通用组吗?
假设当前用户是名为 domain 的域中名为 Role 的组的成员,并且 Role 组是 Active Directory 中的全局组。然后以下代码将产生result = true:
WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());
bool result = wp.IsInRole(@"domain\Role");
但是,如果角色组更改为通用组,则代码会产生result = false。
我发现我的问题没有很好的答案,我必须做的是编写一个新的 Principal 类,它扫描用户所属的所有组的目录,并递归扫描所有这些组以解决组中组成员资格。为有相同问题的用户提供的代码。这不是我写过的最简洁的代码,但至少它有效。
像这样使用:
var wp = new WindowsPrincipalEx(WindowsIdentity.GetCurrent());
result = wp.IsInRole(@"domain\role");
public class WindowsPrincipalEx : IPrincipal
{
// Dictionary to store all groups, key = uppercase groupname, value = groupname as entered in AD
private Dictionary<string,string> completeGroupList = new Dictionary<string,string>();
// Private vars
private WindowsIdentity identity;
private string domain;
// Identity property
public IIdentity Identity
{
get { return identity; }
}
// Constructor, accepts identity
public WindowsPrincipalEx(IIdentity identity)
{
this.identity = (WindowsIdentity)identity;
// Find domain name and store it for filtering purposes
if (identity.Name.Contains('\\'))
this.domain = identity.Name.Substring(0, identity.Name.IndexOf('\\') + 1);
// Find all groups this user belongs to, and store the list for later use
getRoles(completeGroupList);
}
public bool IsInRole(string role)
{
// Remove domain
if (role.StartsWith(domain, StringComparison.CurrentCultureIgnoreCase))
role = role.Substring(domain.Length);
return completeGroupList.ContainsKey(role.ToUpper());
}
private void getRoles(Dictionary<string,string> groupList)
{
// Find username and remove domain
string name = Identity.Name.Replace(domain,"");
// Find user in AD
DirectorySearcher search = new DirectorySearcher("(&(sAMAccountName="+name+")(objectCategory=user))");
search.PropertiesToLoad.Add("memberof");
SearchResult result = search.FindOne();
if (result != null)
{
// Add all groups to the groupList dictionary
foreach (string s in result.Properties["memberOf"])
{
string[] elements = s.Split(new char[] { ',' });
foreach (string e in elements)
if (e.StartsWith("CN=", StringComparison.CurrentCultureIgnoreCase))
{
if (!groupList.ContainsKey(e.Substring(3).ToUpper()))
groupList.Add(e.Substring(3).ToUpper(),e.Substring(3));
break;
}
}
}
// Scan through all groups found, and find group on group memberships recursevly
foreach (var ng in groupList.ToArray())
getRolesInRoles(groupList, ng.Key);
}
private void getRolesInRoles(Dictionary<string, string> groupList, string roleName)
{
string name = roleName.Replace(domain, "");
// Find group in AD
DirectorySearcher search = new DirectorySearcher("(&(cn="+name+")(objectCategory=group))");
search.PropertiesToLoad.Add("memberof");
SearchResult result = search.FindOne();
if (result != null)
{
// Add all groups to the groupList dictionary
foreach (string s in result.Properties["memberOf"])
{
string[] elements = s.Split(new char[] { ',' });
foreach (string e in elements)
if (e.StartsWith("CN=", StringComparison.CurrentCultureIgnoreCase))
{
if (!groupList.ContainsKey(e.Substring(3).ToUpper()))
{
groupList.Add(e.Substring(3).ToUpper(),e.Substring(3));
getRolesInRoles(groupList, e.Substring(3));
}
break;
}
}
}
}
}