[英]Authentication with active directory API DirectoryEntry
我有這個方法由別人制作,它工作得非常好
問題是,如果我為不存在的東西更改域名,搜索者仍然會找到該用戶名的結果,即使是錯誤的域名
public bool Validarcredenciales(string domain, ControlarSesiones objeto)//Metodo que valida si las credenciales son correctas.
{
string username = objeto.Usuario;
string pwd = objeto.Clave;
String domainAndUsername = domain + @"\" + username;
DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);
try
{ //Bind to the native AdsObject to force authentication.
//Object obj = entry.NativeObject;
DirectorySearcher search = new DirectorySearcher(entry) { Filter = "(SAMAccountName=" + username + ")" };
search.PropertiesToLoad.Add("cn");
SearchResult result = search.FindOne();
if (null == result)
{
MensajeError = Resources.ResourcesETB.ErrorCredenciales;
return false;
}
//Update the new path to the user in the directory.
_path = result.Path;
FilterAttribute = (string)result.Properties["cn"][0];
}
catch (Exception ex)
{
MensajeError = Resources.ResourcesETB.ErrorCredenciales;
return false;
}
return true;
}
LDAP連接使用奇怪的身份驗證邏輯。 如果使用“域\\用戶”格式創建LDAP連接,並且域存在,則域控制器將嘗試使用指定的憑據進行連接。
但是,如果指定的域不存在,域控制器將刪除域部分,並嘗試使用本地域(本地為DC)對用戶進行身份驗證。
在您的代碼中,域名僅用於啟動與域的連接(創建DirectoryEntry對象)。 因此,如上所述,域控制器將刪除錯誤的域並正確地驗證用戶。
如果要確保用戶確實在指定的域中,您可以解析用戶的可分辨名稱,例如LDAP://cn=user,cn=Users,dc=yourDomain,dc=com ,或解析SID以獲取NTAccount對象,如本答案中所述 :
DirectorySearcher search = new DirectorySearcher(entry) { Filter = "(SAMAccountName=" + username + ")" };
search.PropertiesToLoad.Add("cn");
search.PropertiesToLoad.Add("objectsid");
SearchResult result = search.FindOne();
ResultPropertyValueCollection propertyValues = result.Properties["objectsid"];
byte[] objectsid = (byte[])propertyValues[0];
SecurityIdentifier sid = new SecurityIdentifier(sid, 0)
NTAccount account = (NTAccount) sid.Translate(typeof (NTAccount));
account.ToString(); // This gives the DOMAIN\User format for the account
如何使用DirectoryEntry更新Active Directory中的數據?
[英]How to update data in Active Directory using DirectoryEntry?
Active Directory登錄-DirectoryEntry不一致異常
[英]Active Directory login - DirectoryEntry inconsistent exception
檢索Active Directory DirectoryEntry的街道地址屬性
[英]Retrieving Street Address property of Active Directory DirectoryEntry
Active Directory訪問拒絕DirectoryEntry上的異常。調用ChangePassword
[英]Active Directory access denied exception on DirectoryEntry.Invoke ChangePassword
Active Directory:DirectoryEntry成員列表<> GroupPrincipal.GetMembers()
[英]Active Directory: DirectoryEntry member list <> GroupPrincipal.GetMembers()
在 Active Directory C# 中創建用戶的 PrincipalContext 或 DirectoryEntry 哪個更好
[英]Which is better PrincipalContext or DirectoryEntry for user creation in Active Directory C#
檢查DirectoryEntry是否是Active Directory C#中組的最后一個
[英]Check if a DirectoryEntry is the last of a Group in Active Directory C#
刪除 DirectoryEntry 中的某些屬性(Active Directory、C#)
[英]Removing certain properties in DirectoryEntry (Active Directory, C#)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.