简体繁体 English

使用LDAP的Asp.Net Identity个人用户帐户

[英]Asp.Net Identity Individual User Accounts using LDAP

原文 2014-03-14 19:06:54 0 3 asp.net/ ldap/ asp.net-identity

I am using VS 2013 Asp.net 4.5.1 and created an internal webforms app using the Individual User Accounts option for Authentication. 我正在使用VS 2013 Asp.net 4.5.1并使用个人用户帐户选项创建内部webforms应用程序进行身份验证。 I want to use LDAP to authenticate the users and use the SQL DB that was created for Individual User Accounts option to hold the users info and roles. 我想使用LDAP对用户进行身份验证，并使用为“ 个人用户帐户”选项创建的SQL DB来保存用户信息和角色。 We don't have Active Directory Federation Services (AD FS) so I can't use the On-Premise Authentication method. 我们没有Active Directory联合身份验证服务（AD FS），因此我无法使用内部部署身份验证方法。

The AD username will be stored in the SQL DB AD用户名将存储在SQL DB中

How can I authenticate the users using LDAP and then use the AspNet.Identity.EntityFramework to get to the users info and roles from the SQL DB? 如何使用LDAP对用户进行身份验证，然后使用AspNet.Identity.EntityFramework从SQL DB获取用户信息和角色？

3 个解决方案

You can use this implementation like an example, it is a customer UserStore for RavenDB: 您可以像使用此实现一样，它是UserStore的客户UserStore：

Customizing ASPNET Authentication for RavenDB 为RavenDB自定义ASPNET身份验证

There's this series of videos explaining how to work with security in .NET (the second video explains how to do it). 这一系列视频解释了如何在.NET中使用安全性（第二个视频解释了如何操作）。

Customizing ASPNET Authentication with Identity 使用Identity自定义ASPNET身份验证

Brock Allen discusses how to implement an "external login" in his comprehensive article on the new identity patterns using External Logins . Brock Allen在他关于使用外部登录的新身份模式的综合文章中讨论了如何实现“外部登录”。

Active Directory Federation Services (ADFS) supports a lot of identity protocols including SSO. Active Directory联合身份验证服务（ADFS）支持许多身份协议，包括SSO。 However, If it's just POWA (plain ol' windows authentication), IIS will support that out of the box. 但是，如果它只是POWA（普通的'windows身份验证），IIS将支持开箱即用。 You would simply specify your Active Directory(AD) user/AD Group in your web.config Authentication node and leverage the Identity.Name field to look-up users' info in a lazy-load and / or request-cached fashion. 您只需在web.config Authentication节点中指定Active Directory（AD）用户/ AD组，并利用Identity.Name字段以延迟加载和/或请求缓存的方式查找用户的信息。

If 's claim's based authentication using ADFS, you can emulate how that works using the Identity and Access Tool and choosing the "Use Local STS" option. 如果使用ADFS进行基于声明的身份验证，则可以使用身份和访问工具并选择“使用本地STS”选项来模拟其工作方式。

Why not keep the profiles and roles in LDAP (ADLDS) as well? 为什么不在LDAP（ADLDS）中保留配置文件和角色？ ADLDS does an excellent job of tracking multi-valued attributes which I find useful. ADLDS可以很好地跟踪我认为有用的多值属性。 The role (group membership) in ADLDS is reflexive (you can query the role for members or query a user for their membership in roles). ADLDS中的角色（组成员身份）是自发的（您可以查询成员的角色或查询用户的角色成员身份）。 ADLDS also insures the referential integrity - you cannot have a member in a role if the member doesn't exist. ADLDS还可以确保参照完整性 - 如果该成员不存在，则不能在角色中拥有成员。 I think you are facing some severe referential integrity problems by having accounts and profiles in two separate stores or learn to love the distributed transaction coordinator. 我认为您通过在两个独立的商店中拥有帐户和配置文件或学会喜欢分布式事务协调器来面对一些严重的参照完整性问题。