如何在 .NET 中验证 LDAP [英] How to Authenticate LDAP in .NET
问题描述
我想在具有任何目录服务的 Windows 操作系统上验证我的应用程序的用户名和密码.例如,它可以是 microsoft Active Directory、Novell eDirecotry 或 SunOne.我已经知道如何使用 c# 为 Microsoft Active Direcotry 本地执行此代码.(我完全放弃了使用 ADSI 并创建了一个低级 com 组件)
I would like to authenticate username and passwords for my application on a windows operating system with any directory service. For example it could be microsoft active directory, Novell eDirecotry, or SunOne. I already know how to do this code natively for Microsoft Active Direcotry with c#. ( I totally gave up using ADSI and creating a low level com component)
我尝试使用 Novel eDirecotory 进行身份验证的方式是我安装了 Mono 项目.在 mono 项目中,他们为您提供 Novell.Directory.ldap.dll 代码看起来与 Microsoft Active Directory 的代码有些相同.(http://www.novell.com/coolsolutions/feature/11204.html)
The way im attempting to authenticate with Novel eDirecotory is i have installed the Mono project. Inside the mono project they provide you with Novell.Directory.ldap.dll The code looks somewhat the same as for Microsoft Active Directory.(http://www.novell.com/coolsolutions/feature/11204.html)
对于 SunOne,我被告知使用与活动目录相同的代码,但 ldap 连接字符串有点不同.(http://forums.asp.net/t/354314.aspx)(http://technet.microsoft.com/en-us/library/cc720649.aspx)
For SunOne, i have been told to use the same code as active direcotry, but the ldap connecton string is a little different.(http://forums.asp.net/t/354314.aspx) (http://technet.microsoft.com/en-us/library/cc720649.aspx)
为了使我的项目复杂化,大多数客户使用服务帐户:",这意味着我需要先绑定管理用户名和密码,然后才能验证常规用户名和密码.我的问题分为两部分.
To complicate my project, most customers use a "Service account:" which means i need to bind with an administrative username and password before i can authenticate a regular username and password. My questions is in 2 parts.
1) 根据我上面的解释,这是我应该针对每个单独的目录服务进行身份验证的正确方向吗?
1) From what I have explained above, is this the correct direction I should be going to authenticate against each individual direcotory service?
2) 我觉得我根本不需要编写任何代码.我也觉得使用服务帐户的规定根本不重要.如果我关心的只是在 Windows 机器上验证用户名和密码,为什么我什至需要使用 ldap?我想说的是,考虑一下.当您早上登录机器时,您无需提供服务帐户即可登录.我可以使用 runas 功能在 DOS 提示符下轻松验证用户名和密码,我将被拒绝或不被拒绝,并且可以解析文本文件.我确定还有其他方法可以将用户名和密码传递给我所在的 Windows 操作系统,并会告诉我用户名和密码是否对它所在的域有效.我对吗?如果是这样,你们有什么建议的方法?
2) I feel that i dont not need to do any of this code at all. I also feel the stipulation of using a service account is not imporant at all. If all I care about is authenticating a username and password on a windows machine why do i even need to use ldap? I mean think about it. When you login to your machine in the morning, you do not have to provide a service account just to login. I can easily authenticate a username and password at a DOS prompt by using the runas feature and i will be denied or not and could parse the text file. Im sure there are other ways i could pass a username and password to the windows operating system that i am on and will tell me if a username and password is valid for the domain that it is on. Am i right? If so what suggested ways do you guys have?
迈克尔·埃文奇克www.MikeEvanchik.com
Michael Evanchik www.MikeEvanchik.com
推荐答案
这一切都可以通过 System.DirectoryServices.Protocols 来完成.如果您创建到目录的 LdapConnection,您可以使用服务帐户进行绑定,然后进行后续绑定以验证凭据.
All this can be done with System.DirectoryServices.Protocols. If you create an LdapConnection to the directory you can use the service account to bind with, and then make a subsequent bind to authenticate the credentials.
服务帐号一般用于限制访问服务器的认证机制.这样,街上的任何人都无法尝试使用您的 LDAP 服务器进行身份验证.
The service account is generally used to limit access to the authentication mechanism of the server. This way no random person on the street can try to auth with your LDAP server.
另外,您是否希望每个用户在登录时都提供他们的专有名称?使用 Active Directory,只需要 sAMAccountName,而 eDirectory 和 SunONE 等其他提供程序需要可分辨名称进行身份验证.
Also, do you expect that each user will provide their distinguished name when logging in? With Active Directory, only the sAMAccountName is required, yet other providers like eDirectory and SunONE require the distinguished name for authentication.
要执行这种类型的身份验证,您需要使用提供的服务帐户来对服务器进行身份验证,使用给定的用户名搜索用户,并获取该用户的专有名称.然后,您可以使用该专有名称和提供的密码进行身份验证.
To perform this type of authentication, you would need to use the service account that is provided to authenticate to the server, perform a search for a user with the given username, and grab that users distinguished name. You can then authenticate using that distinguished name and the password that was provided.
这适用于所有 LDAP 系统,但 Active Directory 除外,它只对 sAMAccountName 感到满意.
This will work for all LDAP systems, with the exception of Active Directory which will be happy with just the sAMAccountName.
这篇关于如何在 .NET 中验证 LDAP的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
