Check username/password in Active Directory from PC that is NOT part of domain
Question
Edit: I modified the code according to Andrei Galatyn's comment and hints that I shall not rely on the token being nil when invalid, but it's still not working for PCs that are not part of the domain.
I want to verify if a user entered a username/password combination that is valid in an LDAP server.
Currently I use this code:
function CheckWinUserAccount(Username, Password, Domain : string) : boolean;
var
  token: THandle;
begin
  result := False;
  if LogonUser(PChar(Username), PChar(Domain), PChar(Password),
               LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, token) then
  begin
    CloseHandle(token);
    result := True;
  end;
end;
It works perfectly if executed on a PC that is part of the LDAP domain, but not on a PC that only uses the LDAP PC as DNS but is not part of the domain.
My data:
- Domain: graz.local
- Username: LDTest
I tried entering the username as LDTest, as graz\LDTest and as graz.local\LDTest.
I also tried specifying the domain as graz, graz.local and ldap://graz.local.
None of them worked. Any ideas?
Btw: I was not sure if this is possible at all (accessing the domain server from a non-domain PC), but using the LDAP Administrator (by Softerra) this works.
Accepted answer
As Andrei Galatyn said, use LOGON32_LOGON_NETWORK instead of LOGON32_LOGON_INTERACTIVE when calling LogonUser. The username should not contain the domain name; the domain name can be either the NetBIOS domain name (graz) or the DNS domain name (graz.local).
Edit: Using "LogonUser" only works if the client has already established a connection to the domain.
Here is the code which performs the authentication using LDAP.
{$APPTYPE CONSOLE}
uses
  SysUtils,
  Windows,
  JwaWinLDAP,
  JwaRpcDce;

var
  sUsername, sDomain, sPassword, sDC : String;
  LDAP : PLDAP;
  SWAI : SEC_WINNT_AUTH_IDENTITY;
begin
  if (ParamCount <> 4) then
  begin
    WriteLn ('WinLdapTest [username] [domain] [password] [domain controller]');
    Halt (1);
  end; { if }

  sUsername := ParamStr (1);
  sDomain   := ParamStr (2);
  sPassword := ParamStr (3);
  sDC       := ParamStr (4);

  LDAP := ldap_openW (PChar (sDC), LDAP_PORT);
  if (Assigned (LDAP)) then
    try
      SWAI.User           := PChar (sUserName);
      SWAI.UserLength     := Length (sUserName);
      SWAI.Domain         := PChar (sDomain);
      SWAI.DomainLength   := Length (sDomain);
      SWAI.Password       := PChar (sPassword);
      SWAI.PasswordLength := Length (sPassword);
      SWAI.Flags          := SEC_WINNT_AUTH_IDENTITY_UNICODE;
      if (ldap_bind_sW (LDAP, PChar (sDC), PChar (@SWAI),
                        LDAP_AUTH_NTLM) = LDAP_SUCCESS) then
        WriteLn ('"ldap_bind" success')
      else
        WriteLn ('"ldap_bind" failure');
    finally
      ldap_unbind (LDAP);
    end { try / finally }
  else
    WriteLn ('"ldap_open" failed');
end.
The code uses the JEDI API library and assumes that you're using Delphi 2009 or higher (Unicode strings). To automatically retrieve the DC name you could call DsGetDcName.
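The answer's program binds with plain NTLM over port 389 and reports only success or failure. The function below is an added example (not the answer author's code) that wraps the same bind into a reusable check, turns on LDAP signing and sealing so the session is integrity- and confidentiality-protected, lets SSPI negotiate Kerberos before falling back to NTLM, and separates "the DC rejected the credentials" from "the DC could not be reached", which matters when the result is written to an audit log. It assumes JwaWinLDAP exposes the winldap.h names LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3, LDAP_OPT_SIGN, LDAP_OPT_ENCRYPT, LDAP_AUTH_NEGOTIATE and LDAP_INVALID_CREDENTIALS as they appear in the Windows SDK.

```delphi
uses
  SysUtils, Windows, JwaWinLDAP, JwaRpcDce;

type
  TLdapAuthResult = (laOk, laBadCredentials, laServerError);

{ Validate Username/Password against the domain controller DC over LDAP.
  laBadCredentials is returned only when the DC explicitly rejected the
  credentials; any connectivity or option error is laServerError, so the
  caller never logs an outage as a failed password attempt. }
function CheckLdapCredentials(const Username, Domain, Password,
  DC: string): TLdapAuthResult;
var
  LDAP: PLDAP;
  SWAI: SEC_WINNT_AUTH_IDENTITY;
  Version, rc: ULONG;
begin
  Result := laServerError;
  LDAP := ldap_openW(PChar(DC), LDAP_PORT);
  if not Assigned(LDAP) then
    Exit;
  try
    // Port 389 carries no TLS; request LDAPv3 plus SSPI signing and
    // sealing before the bind so the session cannot be read or altered.
    // (Option constants assumed to match winldap.h; Pointer(1) = LDAP_OPT_ON.)
    Version := LDAP_VERSION3;
    if ldap_set_option(LDAP, LDAP_OPT_PROTOCOL_VERSION, @Version) <> LDAP_SUCCESS then Exit;
    if ldap_set_option(LDAP, LDAP_OPT_SIGN, Pointer(1)) <> LDAP_SUCCESS then Exit;
    if ldap_set_option(LDAP, LDAP_OPT_ENCRYPT, Pointer(1)) <> LDAP_SUCCESS then Exit;

    FillChar(SWAI, SizeOf(SWAI), 0);
    SWAI.User           := PChar(Username);   // user name only, no domain prefix
    SWAI.UserLength     := Length(Username);
    SWAI.Domain         := PChar(Domain);     // NetBIOS (graz) or DNS (graz.local)
    SWAI.DomainLength   := Length(Domain);
    SWAI.Password       := PChar(Password);
    SWAI.PasswordLength := Length(Password);
    SWAI.Flags          := SEC_WINNT_AUTH_IDENTITY_UNICODE;

    // NEGOTIATE lets SSPI use Kerberos when the DC is reachable as a KDC
    // and fall back to NTLM otherwise; the DN is ignored for SSPI binds.
    rc := ldap_bind_sW(LDAP, nil, PChar(@SWAI), LDAP_AUTH_NEGOTIATE);
    case rc of
      LDAP_SUCCESS:             Result := laOk;
      LDAP_INVALID_CREDENTIALS: Result := laBadCredentials;
    else
      Result := laServerError;  // e.g. LDAP_SERVER_DOWN
    end;
  finally
    ldap_unbind(LDAP);
  end;
end;
```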