Check username/password in Active Directory from PC that is NOT part of domain


Problem description

EDIT: I modified the code according to Andrei Galatyn's comment and hints that I shall not rely on token being nil when invalid, but it's still not working for PCs that are not part of the domain.

I want to verify if a user entered a username/password combination that is valid in an LDAP server.

Currently I use this code:

function CheckWinUserAccount(Username, Password, Domain : string) : boolean;
var token: THandle;
begin
     result:=False;
     if LogonUser( PChar(Username), PChar(Domain), PChar(Password),
                   LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, token) then
     begin
          CloseHandle(token);
          result:=True;
     end;
end;

It works perfectly if executed on a PC that is part of the LDAP domain, but not on a PC that only uses the LDAP PC as DNS but is not part of the domain.

My data:

  • Domain: graz.local

  • Username: LDTest

I tried entering the username as LDTest, as graz\LDTest and as graz.local\LDTest.

I also tried specifying the domain as graz, graz.local and ldap://graz.local.

Nothing works. Any idea?

Btw: I was not sure if this is possible at all (accessing the domain server from a non-domain PC), but using the LDAP Administrator (by Softerra) this works.

Recommended answer

As Andrei Galatyn mentioned, use LOGON32_LOGON_NETWORK instead of LOGON32_LOGON_INTERACTIVE when calling LogonUser. The username should not contain the domain name; the domain name can be either the NetBIOS domain name (graz) or the DNS domain name (graz.local).

Edit: Using "LogonUser" only works if the client has already established a connection to the domain.

Here is the code which performs the authentication using LDAP.

{$APPTYPE CONSOLE}

uses
  SysUtils,
  Windows,
  JwaWinLDAP,
  JwaRpcDce;

var
    sUsername, sDomain, sPassword, sDC : String;
    LDAP : PLDAP;
    SWAI : SEC_WINNT_AUTH_IDENTITY;

begin
    if (ParamCount <> 4) then
    begin
        WriteLn ('WinLdapTest [username] [domain] [password] [domain controller]');
        Halt (1);
    end; { if }

    sUsername := ParamStr (1);
    sDomain := ParamStr (2);
    sPassword := ParamStr (3);
    sDC := ParamStr (4);

    LDAP := ldap_openW (PChar (sDC), LDAP_PORT);

    if (Assigned (LDAP)) then
        try
            SWAI.User := PChar (sUserName);
            SWAI.UserLength := Length (sUserName);
            SWAI.Domain := PChar (sDomain);
            SWAI.DomainLength := Length (sDomain);
            SWAI.Password := PChar (sPassword);
            SWAI.PasswordLength := Length (sPassword);
            SWAI.Flags := SEC_WINNT_AUTH_IDENTITY_UNICODE;

            if (ldap_bind_sW (LDAP, PChar (sDC), PChar (@SWAI),
                              LDAP_AUTH_NTLM) = LDAP_SUCCESS) then
                WriteLN ('"ldap_bind" success')
            else WriteLN ('"ldap_bind" failure');

        finally
            ldap_unbind (LDAP);
        end { try / finally }
    else WriteLn ('"ldap_open" failed');
end.

The code uses the JEDI API library and assumes that you're using Delphi 2009 or higher (Unicode strings). To automatically retrieve the DC name you could call DsGetDcName.
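As an added example (not part of the answer above), the same NTLM bind done over LDAPS on port 636 via ldap_sslinitW instead of plain port 389, with the DC resolved through DsGetDcName when none is given on the command line. It assumes the JEDI units JwaDsGetDC and JwaLmApibuf for DsGetDcNameW/NetApiBufferFree, Delphi 2009 or higher, and a DC that offers LDAPS with a certificate the client machine trusts; the SEC_WINNT_AUTH_IDENTITY field assignments follow the answer's code.

```pascal
{$APPTYPE CONSOLE}
uses
  SysUtils, Windows, JwaWinLDAP, JwaRpcDce, JwaDsGetDC, JwaLmApibuf;

// Locate a DC via the DC locator; from a non-domain PC this needs the PC's
// DNS server to serve the domain's SRV records (as in the question's setup).
function FindDomainController(const Domain: string): string;
var Info: PDOMAIN_CONTROLLER_INFOW;
begin
  Result := '';
  if DsGetDcNameW(nil, PChar(Domain), nil, nil,
       DS_DIRECTORY_SERVICE_REQUIRED or DS_RETURN_DNS_NAME, Info) = ERROR_SUCCESS then
  try
    Result := Info.DomainControllerName;    // returned as '\\dc1.graz.local'
    while (Result <> '') and (Result[1] = '\') do Delete(Result, 1, 1);
  finally
    NetApiBufferFree(Info);
  end;
end;

// NTLM bind over LDAPS (636) instead of plain 389, so the exchange is inside
// TLS; wldap32 fails the connect if it does not trust the DC's certificate.
function CheckLdapCredentials(const User, Domain, Password, DC: string): Boolean;
var LDAP: PLDAP; Auth: SEC_WINNT_AUTH_IDENTITY; Err: ULONG;
begin
  Result := False;
  LDAP := ldap_sslinitW(PChar(DC), LDAP_SSL_PORT, 1);
  if LDAP = nil then Exit;
  try
    FillChar(Auth, SizeOf(Auth), 0);
    Auth.User := PChar(User);         Auth.UserLength := Length(User);
    Auth.Domain := PChar(Domain);     Auth.DomainLength := Length(Domain);
    Auth.Password := PChar(Password); Auth.PasswordLength := Length(Password);
    Auth.Flags := SEC_WINNT_AUTH_IDENTITY_UNICODE;
    Err := ldap_bind_sW(LDAP, nil, PChar(@Auth), LDAP_AUTH_NTLM);  // dn unused for NTLM
    Result := (Err = LDAP_SUCCESS);
    if not Result then WriteLn('ldap_bind failed: ', ldap_err2stringW(Err));
  finally
    ldap_unbind(LDAP);
  end;
end;

var DC: string;
begin
  if ParamCount < 3 then begin WriteLn('LdapsCheck user domain password [dc]'); Halt(1); end;
  if ParamCount >= 4 then DC := ParamStr(4) else DC := FindDomainController(ParamStr(2));
  if (DC <> '') and CheckLdapCredentials(ParamStr(1), ParamStr(2), ParamStr(3), DC) then
    WriteLn('credentials accepted by ', DC)
  else
    Halt(2);
end.
```

Run it as `LdapsCheck LDTest graz.local <password>` from the non-domain PC; an exit code of 2 with an "ldap_bind failed" line means the DC was reached but rejected the credentials, while a silent exit code 2 means no DC was found.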

