
Active Directory integration for app role mapping

I'm building a REST API (.NET Core with Entity Framework) and Angular frontend. What I want to achieve in terms of security is some sort of AD integration. I'd like to grant application permissions to AD groups and users. There will be an admin user mapping those users/groups to roles. What is the best way to do that? Should I make a microservice that queries AD every minute and refreshes all groups and users in the app? Or maybe a live connection to AD every time the admin user wants to grant/revoke someone's permission? I think the second way might not work, because every time a user logs in I'd need to query AD to see his/her AD groups and check if the user has access.

So what I came up with so far is JWT token authentication and a microservice that will import all users/groups and the mappings between them, so all authentication takes place inside the app/app's database, instead of constantly querying AD (which is pretty slow from what I remember).

Can you give me some ideas for improvement? Maybe I'm missing some solutions? Is a JWT token the best way to go here?

Maybe this code helps you. Beware that Parameter.GetStringValue is a personal custom method; replace it with whatever you want.


using System;
using System.DirectoryServices;
using System.Text;

public class Ldap
{
    private string _path;
    private string _filterAttribute;

    /// <summary>
    /// Prepares the LDAP path used by this class, e.g. LDAP://myLANdomain.local
    /// </summary>
    /// <param name="path">If empty, the value of the 'LANdomain' parameter is used</param>
    public Ldap(string path = "")
    {
        if (String.IsNullOrEmpty(path))
        {
            // Parameter.GetStringValue is the answer's own configuration helper;
            // replace it with whatever you use to read settings.
            string domain = Parameter.GetStringValue("LANdomain");
            if (String.IsNullOrEmpty(domain))
                throw new Exception("Domain is not defined");

            path = "LDAP://" + domain; // fully-qualified domain name
        }

        _path = path;
    }

    /// <summary>
    /// Escapes a value for use inside an LDAP search filter (RFC 4515) so that
    /// user-supplied input cannot change the meaning of the filter.
    /// </summary>
    private static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Error 0x80005000 (invalid ADSI pathname): check the LDAP path, then go to IIS
    // and recycle the App Pool.
    public bool IsAuthenticated(string username, string pwd, string domain = "")
    {
        if (String.IsNullOrEmpty(domain))
            domain = Parameter.GetStringValue("LANdomain");

        if (String.IsNullOrEmpty(domain))
            throw new Exception("Domain is not defined");

        string domainAndUsername = domain + @"\" + username;

        // Binding with the user's own credentials is what performs the authentication.
        // A bad password surfaces as a DirectoryServicesCOMException when NativeObject
        // is accessed; it propagates to the caller unchanged.
        using (DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd))
        {
            // Bind to the native AdsObject to force authentication.
            object obj = entry.NativeObject;

            using (DirectorySearcher search = new DirectorySearcher(entry))
            {
                // The user name is escaped so it cannot inject filter syntax such as '*' or ')'.
                search.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                + EscapeFilterValue(username) + "))";
                search.PropertiesToLoad.Add("cn");
                SearchResult result = search.FindOne();

                if (result == null)
                    return false;

                // Remember the user's own directory path and common name for later lookups.
                _path = result.Path;
                _filterAttribute = (String)result.Properties["cn"][0];

                return true;
            }
        }
    }
}
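The group-to-role mapping and JWT issuance the question asks about, as an added example that is not part of the answer above: it assumes the user's own LDAP path (the result.Path found by the search after authentication), a group-DN-to-roles table maintained by the admin user in the app database, and an HMAC key held by the API (all hypothetical names).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

public static class AdRoleMapper
{
    // Reads the DNs of the groups the user directly belongs to. userPath is the user
    // object's own LDAP path (e.g. the result.Path found after authentication); the
    // bind uses the app's process identity, so the user's password is never stored.
    // Caveat: memberOf omits the primary group and nested groups; read the
    // tokenGroups attribute instead if transitive membership must count.
    public static List<string> GetGroupDns(string userPath)
    {
        using (var user = new DirectoryEntry(userPath))
        {
            return user.Properties["memberOf"].Cast<object>()
                       .Select(v => v.ToString()).ToList();
        }
    }

    // Resolves app roles from the admin-maintained table (group DN -> roles).
    // Only groups present in the table grant anything; unknown groups are ignored.
    public static List<string> MapGroupsToRoles(IEnumerable<string> groupDns,
                                                IReadOnlyDictionary<string, string[]> table)
    {
        return groupDns.Where(table.ContainsKey)
                       .SelectMany(dn => table[dn])
                       .Distinct(StringComparer.OrdinalIgnoreCase)
                       .ToList();
    }

    // Issues a short-lived HS256 JWT carrying the resolved roles as role claims.
    // hmacKey is an app-held secret of at least 32 random bytes (hypothetical source).
    public static string IssueJwt(string user, IEnumerable<string> roles, byte[] hmacKey, TimeSpan lifetime)
    {
        var claims = new List<Claim> { new Claim(JwtRegisteredClaimNames.Sub, user) };
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
        var creds = new SigningCredentials(new SymmetricSecurityKey(hmacKey), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(issuer: "my-api", audience: "my-angular-app", claims: claims,
                                         expires: DateTime.UtcNow.Add(lifetime), signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```

Resolving roles at login time this way means the token carries the mapping result, so the API only needs the database table and not a per-minute full copy of AD; build the table with StringComparer.OrdinalIgnoreCase so DN casing differences do not silently drop a group.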
