将Windows SID存储在数据库中用于查找 [英] Storing a Windows SID in a Database for Lookup
问题描述
Membership.GetUser()将让我访问登录的用户的 Membership.ProviderUserKey 。我可以使用它来与用户记录相关联。我们的自定义SQL提供程序将只返回User.Id,但AD是一个不同的故事。在这种情况下, ProviderUserKey 是一个 IdentityReference 。
这些查找将会非常频繁地发生,您可以想像(尽管缓存可以帮助减少数据库级别的查找)。
我无法决定哪个路由更好:将SID存储为varbinary或varchar列。此列不会是主键,也不会有聚簇索引。知道我可以很好地索引字符串,并且读取字符串格式的SID肯定比二进制更好。任何人愿意分享他们如何解决这种情况?
更新
我不知道我如何错过这个SO问题,当我发布之前我正在搜索,但似乎很清楚, ActiveDirectoryMembershipProvider 和 ActiveDirectoryMembershipUser 对于当前存在的任务来说并不是很切合实际的。
这个问题的答案链接了以下文章,其中列出了以下内容:
SID的相对标识符部分相对于域是唯一的,
所以如果域更改,相对的
标识符也会更改
因此,当用户对象从一个
域移动到另一个时,新的SID必须为
生成用户帐户和
存储在Object-SID属性中。
然而,每个组和用户都有一个Object-GUID,它永远不会改变,甚至如果帐户被移动因此,我将在我的User类中使用Object-GUID,而不是Object-SID。否则,如果某人的用户记录被移动,则其用户记录将被放弃,从而破坏其主体与其创建的数据之间的关系。
不幸的是, ActiveDirectoryMembershipUser 不让我得到Object-GUID。所以,我将不得不在 ActiveDirectoryMembershipUser 执行工作后将SID转换为GUID,或者创建我自己的 MembershipProvider ActiveDirectoryMembershipProvider 。
Microsoft将SID作为varbinary(85)存储在 sys.server_principals
这也是一个唯一的列,所以它必须有一个索引...
I have an ASP.NET MVC application where I need to allow to customers configure MembershipProviders based on their environment, but still be able to map that MembershipUser to a concrete User model in our database.
Membership.GetUser() will give me access to the logged-in user's Membership.ProviderUserKey. I can use this to relate to a User record. Our custom SQL provider will just return the User.Id, but AD is a different story. In that case, ProviderUserKey is an IdentityReference.
These lookups will happen very frequently, as you can imagine (although caching can assist in reducing the lookups at the database level).
I can't decide which route is better to go: Storing the SID as a varbinary or varchar column. This column would not be a primary key and would not have a clustered index. Knowing that I can index strings pretty well, and reading a SID in string format is certainly nicer than binary. Anyone willing to share how they solved such a situation?
Update
I don't know how I missed this SO question when I was searching before I posted, but it seems pretty clear that ActiveDirectoryMembershipProvider and ActiveDirectoryMembershipUser are not quite cut out for the task at hand, as they exist today.
An answer in that SO question linked the following article, where the following was stated:
The relative identifier portion of a SID is unique relative to the domain, so if the domain changes, the relative identifier also changes.
Thus when a User object moves from one domain to another, a new SID must be generated for the user account and stored in the Object-SID property.
However, each group and user has an Object-GUID, which will never change, even if the account is moved. Therefore, it would behoove me to use Object-GUID in my User class, and not Object-SID. Otherwise, someone's User record will be abandoned if they are moved and therefore breaking the relationship between their principal and the data they created.
Unfortunately, ActiveDirectoryMembershipUser doesn't let me get at Object-GUID. So, I'll either have to translate the SID to a GUID after ActiveDirectoryMembershipUser does its work, or create my own MembershipProvider that does everything I need on the spot. Unfortunately, this means I might have to duplicate effort already done for me by ActiveDirectoryMembershipProvider.
Microsoft stores SIDs as varbinary(85) in sys.server_principals
This is also a unique column, so it must have an index...
这篇关于将Windows SID存储在数据库中用于查找的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
