[英]How would I validate a Username/Password using System.DirectoryServices.Protocol?
首先,我不能使用Active Directory ,所以我不能直接使用System.DirectoryServices
。 這將是一台PC向Novell網絡發送查詢,其中僅支持System.DirectoryServices.Protocol
。
我很確定我需要提供正確的SearchRequest。
這是我到目前為止:
private static String _certificatePath;
private static String _server;
private static SearchResponse Query(String user, String pwd, out String error)
{
SearchResponse result = null;
error = String.Empty;
if (File.Exists(_certificatePath))
{
var identifier = new LdapDirectoryIdentifier(_server, false, false);
try
{
using (var connection = new LdapConnection(identifier))
{
connection.SessionOptions.ProtocolVersion = 3;
var cert = new X509Certificate();
cert.Import(_certificatePath, null, X509KeyStorageFlags.DefaultKeySet);
connection.ClientCertificates.Add(cert);
connection.AuthType = AuthType.External;
connection.AutoBind = false;
var request = new SearchRequest()
{
DistinguishedName = user, //Find this person
Filter = "(objectClass=*)", //The type of entry we are looking for
Scope = System.DirectoryServices.Protocols.SearchScope.Subtree, //We want all entries below this ou
};
result = (SearchResponse)connection.SendRequest(request); //Run the query and get results
}
} catch (Exception err)
{
error = String.Format("SDSP::Query {0}: {1}", err.GetType(), err.Message);
}
}
else
{
error = "The system cannot find the Cryptography Certificate at the path specified in the Application Configuration file.";
}
return result;
}
如何創建SearchRequest以驗證user
/ pwd
組合?
var request = new SearchRequest()
{
DistinguishedName = user, //Find this person
Filter = "(objectClass=*)", //The type of entry we are looking for
Scope = System.DirectoryServices.Protocols.SearchScope.Subtree, //We want all entries below this ou
};
讓我告訴你我最好的嘗試來實現這個驗證,也許它會對你有用。
在我的上下文中這不起作用,因為我的管理員用戶無法讀取屬性“userPassword”,我無法弄清楚原因。 我猜是沒有分配一些許可。
無論如何這是代碼,希望它有所幫助:
var server = "<SERVER:PORT>";
var adminUser = "<USERNAME>";
var adminPass = "<PASSWORD>";
using (var ldap = new LdapConnection(server))
{
ldap.SessionOptions.ProtocolVersion = 3;
// To simplify this example I'm not validating certificate. Your code is fine.
ldap.SessionOptions.VerifyServerCertificate += (connection, certificate) => true;
ldap.SessionOptions.SecureSocketLayer = true;
ldap.AuthType = AuthType.Basic;
ldap.Bind(new System.Net.NetworkCredential($"cn={adminUser},o=<ORGANIZATION>", adminPass));
// Now I will search to find user's DN.
// If you know exact DN, then you don't need to search, go to compare request directly.
var search = new SearchRequest
{
//Here goes base DN node to start searching. Node closest to entry improves performance.
// Best base DN is one level above.
DistinguishedName = "<BASEDN>", //i.e.: ou=users,o=google
Filter = "uid=<USERNAME>",
Scope = SearchScope.OneLevel
};
// Adding null to attributes collection, makes attributes list empty in the response.
// This improves performance because we don't need any info of the entry.
search.Attributes.Add(null);
var results = (SearchResponse)ldap.SendRequest(search);
if (results.Entries.Count == 0)
throw new Exception("User not found");
// Because I'm searching "uid" can't exists more than one entry.
var entry = results.Entries[0];
// Here I use DN from entry found.
var compare = new CompareRequest(entry.DistinguishedName, new DirectoryAttribute("userPassword", "<PASSWORD>"));
var response = (CompareResponse)ldap.SendRequest(compare);
if (response.ResultCode != ResultCode.CompareTrue)
throw new Exception("User and/or Password incorrect.");
}
您可以為ValidateCredentials
(用戶名和密碼)附加ContextOptions.Negotiate
參數。
const int ldapErrorInvalidCredentials = 0x31;
const string server = "sd.example.com:636";
const string domain = "sd.example.com";
try
{
using (var ldapConnection = new LdapConnection(server))
{
var networkCredential = new NetworkCredential(_username, _password, domain);
ldapConnection.SessionOptions.SecureSocketLayer = true;
ldapConnection.AuthType = AuthType.Negotiate;
ldapConnection.Bind(networkCredential);
}
// If the bind succeeds, the credentials are valid
return true;
}
catch (LdapException ldapException)
{
// Invalid credentials throw an exception with a specific error code
if (ldapException.ErrorCode.Equals(ldapErrorInvalidCredentials))
{
return false;
}
throw;
}
DirectoryEntry和DirectorySearcher都是高級類工具,它們是Active Directory的包裝器。
//use the users credentials for the query
DirectoryEntry root = new DirectoryEntry(
"LDAP://dc=domain,dc=com",
loginUser,
loginPassword
);
//query for the username provided
DirectorySearcher searcher = new DirectorySearcher(
root,
"(sAMAccountName=" + loginUser + ")"
);
//a success means the password was right
bool success = false;
try {
searcher.FindOne();
success = true;
}
catch {
success = false;
}
提到了答案 。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.