stackoom
  简体   繁体   中英

LDAP Authentication with memberOf

 原文  2012-04-05 18:45:54       c#/ asp.net/ active-directory/ ldap

Question

I have an asp.net (C#) set up to authenticate with LDAP. Everything works fine, I can log in with any users in our directory. The thing is, I need to restrict certain pages to people in specific groups. I'm using the login view + the account folder approach.

My website design is simple, it has three pages, one is viewable for everyone (outside of the account folder), the two others require authentication. I want one group to have access to both web pages, and a second group to have access to only ONE of the pages.

I've tried:

String group = "group";
if (!User.IsInRole(group)) {
    Response.Redirect("login.aspx");
}

But no matter what my user isn't in that group. I have an LDAP browser on and I know for SURE I'm in the group. The LDAP browser shows "memberOf" and "CN=group".

Is there something I'm doing wrong?

3 answers

solution1
 0  2012-04-05 18:52:44

Have you tried adding the domain name?

You could also implement this using the App.Config: http://bytes.com/topic/asp.net/answers/300187-web-config-authorization-help

Edit:

Here is a better link for role-based security in ASP.NET using the App.Config.

solution2
 0  2012-04-05 18:56:55

When you create your FormsAuthenticationTicket for the user, the UserData is what specifies the "Role(s)" for that user.

http://msdn.microsoft.com/en-us/library/system.web.security.formsauthenticationticket.aspx

Just for example:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
    username, DateTime.Now, DateTime.Now.AddMinutes(30),
    isPersist, "group");

//I'll add more example code for the sake of completing the example
string encryptTick = FormsAuthentication.Encrypt(authTicket);
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                encryptTick);
if (isPersist)
    cookie.Expires = authTicket.Expiration;
Response.Cookies.Add(cookie);

This should allow your code above to work.

solution3
 0  2012-04-05 20:27:57

If you are using Integrated Authentication against your domain, and you've set impersonation to true, you can lock down areas of your application by removing AS.NET (and any other global groups) from having permissions to the directory, and add in the designated AD groups you want to have access.

I would definitely document this, as I inherited a system that used this method and it tripped me up for a few hours figuring out where the Access Control was enforced.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question LDAP DirectorySearcher with MemberOf property LDAP - Use of wildcard on MemberOf filter LDAP DirectorySearcher memberOf property only returns 1 group Loop LDAP memberOf as return to show all for single user Secure LDAP Authentication Issue LDAP authentication on server LDAP Authentication pass credentials LDAP Authentication using DirectoryEntry LDAP Authentication on Windows Phone LDAP and ActiveDirectory authentication in C#
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM