
Authentication with active directory API DirectoryEntry

I have this method, made by someone else, and it works perfectly fine.

The problem is that if I change the domain to something that doesn't even exist, the searcher still finds a result for that username, even with a wrong domain.

public bool Validarcredenciales(string domain, ControlarSesiones objeto) // Method that checks whether the credentials are correct.
{
    string username = objeto.Usuario;
    string pwd = objeto.Clave;
    String domainAndUsername = domain + @"\" + username;
    // _path is the LDAP path of the directory; the credentials are only used to open this entry.
    DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);

    try
    {   //Bind to the native AdsObject to force authentication.
        //Object obj = entry.NativeObject;

        // Note: username is concatenated into the LDAP filter without escaping.
        DirectorySearcher search = new DirectorySearcher(entry) { Filter = "(SAMAccountName=" + username + ")" };

        search.PropertiesToLoad.Add("cn");
        SearchResult result = search.FindOne();

        if (null == result)
        {
            MensajeError = Resources.ResourcesETB.ErrorCredenciales;
            return false;
        }

        //Update the new path to the user in the directory.
        _path = result.Path;
        FilterAttribute = (string)result.Properties["cn"][0];
    }
    catch (Exception ex)
    {
        // Any bind or search failure (including a rejected password) is reported as bad credentials.
        MensajeError = Resources.ResourcesETB.ErrorCredenciales;
        return false;
    }

    return true;
}

LDAP connections use weird authentication logic. If the LDAP connection is created using a "Domain\\User" format, and the domain exists, the domain controller will try to use the specified credentials to connect.

If, however, the specified domain does not exist, the domain controller will drop the domain part and will try to authenticate the user using the local domain (local for the DC).

In your code, the domain name is only used for initiating a connection to the domain (creating the DirectoryEntry object). Therefore, as explained above, the domain controller will drop the wrong domain and authenticate the user correctly.

If you want to ensure that the user is indeed in the specified domain, you can either parse the distinguished name of the user, which is something like LDAP://cn=user,cn=Users,dc=yourDomain,dc=com, or parse the SID to get an NTAccount object, as explained in this answer:

// Requires: using System.DirectoryServices; using System.Security.Principal;
DirectorySearcher search = new DirectorySearcher(entry) { Filter = "(SAMAccountName=" + username + ")" };

search.PropertiesToLoad.Add("cn");
search.PropertiesToLoad.Add("objectsid"); // the SID is returned as a raw byte array

SearchResult result = search.FindOne();

ResultPropertyValueCollection propertyValues = result.Properties["objectsid"];
byte[] objectsid = (byte[])propertyValues[0];

// Build the SID from the binary form returned by the directory.
SecurityIdentifier sid = new SecurityIdentifier(objectsid, 0);

NTAccount account = (NTAccount)sid.Translate(typeof(NTAccount));
account.ToString(); // This gives the DOMAIN\User format for the account
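The two domain checks the answer describes, written out as an added example (not code from the question or the answer). It assumes the caller already has the SearchResult from DirectorySearcher.FindOne() with "objectsid" in PropertiesToLoad, and that the expected DNS and NetBIOS domain names are known to the application.

```csharp
using System;
using System.Linq;
using System.DirectoryServices;
using System.Security.Principal;

static class DomainCheck
{
    // Turn an ADsPath such as "LDAP://CN=user,CN=Users,DC=yourDomain,DC=com"
    // into the DNS domain built from its DC= components: "yourDomain.com".
    // Only DC= parts are used, so an escaped comma inside the CN does not matter here.
    public static string DnsDomainFromPath(string adsPath)
    {
        string dn = adsPath.StartsWith("LDAP://", StringComparison.OrdinalIgnoreCase)
            ? adsPath.Substring("LDAP://".Length)
            : adsPath;
        // Drop an optional "server/" prefix (LDAP://dc01.yourDomain.com/CN=...).
        int slash = dn.IndexOf('/');
        if (slash >= 0) dn = dn.Substring(slash + 1);

        var dcParts = dn.Split(',')
            .Select(p => p.Trim())
            .Where(p => p.StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
            .Select(p => p.Substring(3));
        return string.Join(".", dcParts);
    }

    // Check 1: the user's distinguished name must sit under the expected DNS domain.
    public static bool IsInDnsDomain(SearchResult result, string expectedDnsDomain)
    {
        return string.Equals(DnsDomainFromPath(result.Path), expectedDnsDomain,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Check 2: translate objectSid to DOMAIN\User and compare the NetBIOS domain part.
    // Translate() needs the machine to be able to resolve the SID against the domain.
    public static bool IsInNetbiosDomain(SearchResult result, string expectedNetbiosDomain)
    {
        byte[] sidBytes = (byte[])result.Properties["objectsid"][0];
        var sid = new SecurityIdentifier(sidBytes, 0);
        var account = (NTAccount)sid.Translate(typeof(NTAccount));
        string[] parts = account.Value.Split('\\');   // "DOMAIN\User"
        return parts.Length == 2 &&
               string.Equals(parts[0], expectedNetbiosDomain, StringComparison.OrdinalIgnoreCase);
    }
}
```

Calling IsInDnsDomain(result, "yourDomain.com") or IsInNetbiosDomain(result, "YOURDOMAIN") right after FindOne() turns the silent domain fallback into an explicit failure.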
