[英]Mapping User.Identity in .NET MVC app to active directory user
I'm writing a .NET MVC 5 app which is on an intranet, uses Windows Authentication and needs to query Active Directory to see what groups are available and then check if a user is in that role. 我正在编写一个内部网上的.NET MVC 5应用程序,使用Windows身份验证,需要查询Active Directory以查看可用的组,然后检查用户是否在该角色中。
The source of group and user names will be active directory. 组和用户名的来源将是活动目录。 I then need to check identity and membership using .NET Identity. 然后,我需要使用.NET Identity检查身份和成员身份。 I'm not sure what fields map to what. 我不确定哪些字段映射到什么。
Fields of interest in AD seem to be: AD中感兴趣的领域似乎是:
So, I think SamAccountName == User.Identity.Name , but the docs say that SamAccountName is for earlier operating systems. 所以,我认为SamAccountName == User.Identity.Name ,但文档说SamAccountName适用于早期的操作系统。 Does this effectively mean this is deprecated and I should be using something else? 这是否有效意味着这已被弃用,我应该使用别的东西?
Also, are my assertions about CN and objectGUID correct? 我的关于CN和objectGUID的断言是否正确?
First step: setting the parameters to use AD: 第一步:设置参数以使用AD:
In your the section of your web.config file, set the following: 在web.config文件的部分中,设置以下内容:
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add
name="AspNetWindowsTokenRoleProvider"
type="System.Web.Security.WindowsTokenRoleProvider"
applicationName="/" />
</providers>
</roleManager>
Now, you will be able to directly use methods from the System.Web.Security namespace. 现在,您将能够直接使用System.Web.Security命名空间中的方法。
If you want to restrict the access to a View to only people members of the "groupName" group of your AD: 如果要将对View的访问权限仅限于AD的“groupName”组的成员:
You only have to decorate your controller action like that: 你只需要像这样装饰你的控制器动作:
[Authorize(Roles = @"DOMAIN\groupName")]
Public ActionResult Index()
{...}
If you want to do treatments based on the AD groups of users: 如果您想根据AD用户群进行治疗:
Use methods such as "IsInRole(rolename)" in your treatments: 在治疗中使用“IsInRole(rolename)”等方法:
if (User.IsInRole("DOMAIN\\groupName"))
{
// Do what you want
}
EDIT: implementation of the problematic: here you should save the sAMAccountName of the group affected to your task when you create the task. 编辑:有问题的实现:在这里,您应该在创建任务时保存受影响的组的sAMAccountName。 Then when a user wants to mark the task as complete, just check: 然后,当用户想要将任务标记为完成时,只需检查:
if (User.IsInRole("DOMAIN\\" + sAMAccountNameOfTheGroupDedicatedToYourTask))
{
// Mark as complete
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.