From a C++ application, how can I check if a specific user in Active Directory is part of a particular security group?

I'm currently working on a C++ application that needs to authenticate a user against the Active Directory on our domain (which I have working), and then also check if that user is part of a particular security group in that Active Directory. I've been using WinLDAP to authenticate (https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ldap/establishing-an-ldap-session), and I've had no problems there. The problem is that there doesn't seem to be anything in the API for checking which security groups a user belongs to (in our Active Directory), or checking if they are a member of a specific group.

I've found some answers in other threads, but they either (1) are written in C# or (2) only tell you how to check the Active Directory groups for the current user on that Windows machine, which is not what I need. The current user on the PC might not be the same person logging into our application, or they might use a different account to log into their PC than they use for authenticating against the Active Directory. I need to be able to specify the user I'm checking the security groups for.

The solution doesn't need to use LDAP, but it does need to work in C++ and Windows. Our application also uses Qt, so I'm certainly open to options that require Qt. I'm really just looking for a simple way to say "Does user [X] belong to group [Y] in the Active Directory on domain [Z]". Alternatively, it could work as "List all groups that user [X] belongs to in the Active Directory on domain [Z]". Either one is perfectly fine, as long as I can specify the user name in the AD, meaning it doesn't just operate on the current Windows user account. Any help would be greatly appreciated!

You can use Active Directory Service Interfaces (ADSI) to do this. There's a C++ example of binding to a user account using ADsGetObject here: Binding With GetObject and ADsGetObject

If you specify IID_IADsUser as the riid parameter, you can get an IADsUser object, and then use IADsUser::Groups to get all the groups that the user is a member of.

The C# examples can still be helpful to you, since the System.DirectoryServices namespace is really just a wrapper around ADSI. For example, this C#:

var user = new DirectoryEntry("LDAP://CN=jeffsmith,DC=fabrikam,DC=com");

is equivalent to this in C++:

IADsUser *pUser = NULL;
HRESULT hr = ADsGetObject(L"LDAP://CN=jeffsmith,DC=fabrikam,DC=com", IID_IADsUser, (void**) &pUser);

DirectoryEntry.Properties is equivalent to IADs::Get / IADs::GetEx

DirectoryEntry.RefreshCache is equivalent to IADs::GetInfo / IADs::GetInfoEx

DirectoryEntry.CommitChanges is equivalent to IADs::SetInfo
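
An added example, not part of the original answer: the ADsGetObject binding and IADsUser::Groups enumeration described above, written with ATL smart pointers and failing closed on any error. The helper names are illustrative; it assumes the caller passes full distinguished names, has already initialised COM, and only needs the memberships that Groups itself reports (nested groups are not walked).

```cpp
// Added example; adsPathFromDn, sameDn and isDirectMember are illustrative names.
#include <algorithm>
#include <cwctype>
#include <string>
// Build a serverless ADsPath from a raw DN as AD returns it. '/' is the
// ADsPath separator, so a '/' inside the DN has to be backslash-escaped.
std::wstring adsPathFromDn(const std::wstring& dn) {
    std::wstring path = L"LDAP://";
    for (wchar_t c : dn) {
        if (c == L'/') path += L'\\';
        path += c;
    }
    return path;
}

// AD compares DNs case-insensitively; both sides must be in AD's own form.
bool sameDn(const std::wstring& a, const std::wstring& b) {
    auto eq = [](wchar_t x, wchar_t y) { return std::towlower(x) == std::towlower(y); };
    return a.size() == b.size() && std::equal(a.begin(), a.end(), b.begin(), eq);
}

#ifdef _WIN32
#include <windows.h>
#include <activeds.h>  // link Activeds.lib and Adsiid.lib
#include <atlbase.h>   // CComPtr, CComQIPtr, CComBSTR, CComVariant
// Is groupDn among IADsUser::Groups for userDn? COM must already be
// initialised. Fails closed: isMember stays false on any error.
HRESULT isDirectMember(const std::wstring& userDn, const std::wstring& groupDn, bool& isMember) {
    isMember = false;
    CComPtr<IADsUser> user;
    HRESULT hr = ADsGetObject(adsPathFromDn(userDn).c_str(), IID_IADsUser, (void**)&user);
    if (FAILED(hr)) return hr;
    CComPtr<IADsMembers> groups;
    if (FAILED(hr = user->Groups(&groups))) return hr;
    CComPtr<IUnknown> unk;
    if (FAILED(hr = groups->get__NewEnum(&unk))) return hr;
    CComQIPtr<IEnumVARIANT> it(unk);
    if (!it) return E_NOINTERFACE;
    CComVariant item; ULONG fetched = 0;
    while (!isMember && (hr = it->Next(1, &item, &fetched)) == S_OK) {
        CComQIPtr<IADs> group(item.vt == VT_DISPATCH ? item.pdispVal : nullptr);
        CComVariant dn;
        if (group && SUCCEEDED(group->Get(CComBSTR(L"distinguishedName"), &dn)) &&
            dn.vt == VT_BSTR && dn.bstrVal)
            isMember = sameDn(dn.bstrVal, groupDn);
        item.Clear();
    }
    return FAILED(hr) ? hr : S_OK;
}
#endif
```

Treat any failed HRESULT as "not a member" when the result gates access, and log the HRESULT so a directory outage is distinguishable from a genuine denial.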
