找出用户无法更改ldap的密码值 [英] Find out User cannot change password value of ldap

问题描述

我试图找出在广告中，用户是否允许更改密码.我已经使用SearchResponse来发现该用户存在或不存在.我只想发现用户无法更改密码是对还是不对.

Hi,
I am trying to find out that in ad, user has allowed to change password or not. I have used SearchResponse to find out that user exists or not. I just want to find out that user cannot change password is true or false.

LdapConnection connection = new LdapConnection(new LdapDirectoryIdentifier(domainname,636));

connection.SessionOptions.VerifyServerCertificate =
                new VerifyServerCertificateCallback((con, cer) => true);

connection.SessionOptions.ProtocolVersion = 3;
 
connection.AuthType = AuthType.Basic;
 
connection.Credential = new NetworkCredential("CN=adminusername,DC=Domain,DC=COM", "password");
 
connection.SessionOptions.SecureSocketLayer=true;
 
using(connection)
{

SearchRequest request = new SearchRequest("ou=users,DC=Domain,DC=COM", "CN=pmutest", System.DirectoryServices.Protocols.SearchScope.Subtree);

SearchResponse response = (SearchResponse)connection.SendRequest(request);
}

这就是我发现该用户是否存在的方式.

This is how I find that user exist or not.

推荐答案

我的问题的解决方案.

Solution of my problem.

SearchResponse response = (SearchResponse)connection.SendRequest(request);
               DirectoryAttribute attribute = response.Entries[0].Attributes["ntSecurityDescriptor"];

               if (attribute != null)
               {
                   const string PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";
                   const int ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6;
                   bool fEveryone = false;
                   bool fSelf = false;

                   ActiveDs.ADsSecurityUtility secUtility = new ActiveDs.ADsSecurityUtility();
                   ActiveDs.IADsSecurityDescriptor sd = (IADsSecurityDescriptor)secUtility.ConvertSecurityDescriptor((byte[])attribute[0], (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_RAW, (int)ADS_SD_FORMAT_ENUM.ADS_SD_FORMAT_IID);
                   ActiveDs.IADsAccessControlList acl = (ActiveDs.IADsAccessControlList)sd.DiscretionaryAcl;

                   foreach (ActiveDs.IADsAccessControlEntry ace in acl)
                   {
                       if ((ace.ObjectType != null) && (ace.ObjectType.ToUpper() == PASSWORD_GUID.ToUpper()))
                       {
                           if ((ace.Trustee == "Everyone") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
                           {
                               fEveryone = true;
                           }
                           if ((ace.Trustee == @"NT AUTHORITY\SELF") && (ace.AceType == ADS_ACETYPE_ACCESS_DENIED_OBJECT))
                           {
                               fSelf = true;
                           }

                           break;
                       }
                   }

                   if (fEveryone || fSelf)
                   {
                       return Global.RequestContants.CANT_CHANGE_PASSWORD;
                   }
                   else
                   {
                       return string.Empty;
                   }
               }

这篇关于找出用户无法更改ldap的密码值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！