WindowsPrincipal.IsInRole和通用与全局活动目录组
[英]WindowsPrincipal.IsInRole and universal vs. global active directory groups
问题描述
Does anybody know how to make WindowsPrincipal.IsInRole("domain\\role") work with active directory universal groups? 
有没有人知道如何使WindowsPrincipal.IsInRole("domain\\role")与活动目录通用组一起使用?
Let's say the current user is a member of a group called Role in a domain called domain, and that the Role group is a Global group in active directory. 假设当前用户是名为Domain的域中名为Role的组的成员,并且Role组是Active Directory中的Global组。 The following code would then yield result = true : 然后,以下代码将产生result = true :
WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());
bool result = wp.IsInRole(@"domain\Role");
But if the Role group is changed to a universal group the code yields result = false . 但是,如果将Role组更改为通用组,则代码将生成result = false 。
1 个解决方案
解决方案1
11 已采纳 2008-11-28 14:10:41
I found no good answer to my question, what I had to do was to write a new Principal class that scanned the directory for all groups that the user belongs to, and recursivly scan all those groups to solve group-in-group memberships. 我发现我的问题没有得到很好的答案,我要做的是编写一个新的Principal类,扫描用户所属的所有组的目录,并递归扫描所有这些组以解决组内成员资格。 Code provided for users with the same problem. 为具有相同问题的用户提供的代码。 It's not the prittiest code I've written, but atleast it works. 这不是我写过的最狡猾的代码,但至少它是有效的。
Use like this: 使用这样:
var wp = new WindowsPrincipalEx(WindowsIdentity.GetCurrent());
result = wp.IsInRole(@"domain\role");
public class WindowsPrincipalEx : IPrincipal
{
// Dictionary to store all groups, key = uppercase groupname, value = groupname as entered in AD
private Dictionary<string,string> completeGroupList = new Dictionary<string,string>();
// Private vars
private WindowsIdentity identity;
private string domain;
// Identity property
public IIdentity Identity
{
get { return identity; }
}
// Constructor, accepts identity
public WindowsPrincipalEx(IIdentity identity)
{
this.identity = (WindowsIdentity)identity;
// Find domain name and store it for filtering purposes
if (identity.Name.Contains('\\'))
this.domain = identity.Name.Substring(0, identity.Name.IndexOf('\\') + 1);
// Find all groups this user belongs to, and store the list for later use
getRoles(completeGroupList);
}
public bool IsInRole(string role)
{
// Remove domain
if (role.StartsWith(domain, StringComparison.CurrentCultureIgnoreCase))
role = role.Substring(domain.Length);
return completeGroupList.ContainsKey(role.ToUpper());
}
private void getRoles(Dictionary<string,string> groupList)
{
// Find username and remove domain
string name = Identity.Name.Replace(domain,"");
// Find user in AD
DirectorySearcher search = new DirectorySearcher("(&(sAMAccountName="+name+")(objectCategory=user))");
search.PropertiesToLoad.Add("memberof");
SearchResult result = search.FindOne();
if (result != null)
{
// Add all groups to the groupList dictionary
foreach (string s in result.Properties["memberOf"])
{
string[] elements = s.Split(new char[] { ',' });
foreach (string e in elements)
if (e.StartsWith("CN=", StringComparison.CurrentCultureIgnoreCase))
{
if (!groupList.ContainsKey(e.Substring(3).ToUpper()))
groupList.Add(e.Substring(3).ToUpper(),e.Substring(3));
break;
}
}
}
// Scan through all groups found, and find group on group memberships recursevly
foreach (var ng in groupList.ToArray())
getRolesInRoles(groupList, ng.Key);
}
private void getRolesInRoles(Dictionary<string, string> groupList, string roleName)
{
string name = roleName.Replace(domain, "");
// Find group in AD
DirectorySearcher search = new DirectorySearcher("(&(cn="+name+")(objectCategory=group))");
search.PropertiesToLoad.Add("memberof");
SearchResult result = search.FindOne();
if (result != null)
{
// Add all groups to the groupList dictionary
foreach (string s in result.Properties["memberOf"])
{
string[] elements = s.Split(new char[] { ',' });
foreach (string e in elements)
if (e.StartsWith("CN=", StringComparison.CurrentCultureIgnoreCase))
{
if (!groupList.ContainsKey(e.Substring(3).ToUpper()))
{
groupList.Add(e.Substring(3).ToUpper(),e.Substring(3));
getRolesInRoles(groupList, e.Substring(3));
}
break;
}
}
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.