LDAP user authentication using DirectorySearcher in C#


Problem description


We have an web application developed using c#(VS 2008/3.5 framework). The application uses the mode of authentication as "Windows" with a service account present in domain (Domain1) to run the application as ASP.Net user. We have authentication to be done for the users present in different domain (Domain 2). When authentication is done using the directory services(Directory searcher), we are able to connect to LDAP of domain1 and bind it, so that user is authenticated. Also, the user is able to be authenticated if the user has been migrated from domain1 to domain 2. However, if there is a user id directly created in domain 2, then application is not able to bind to Domain2 (during the LDAP authentication) and hence, this user is not being authenticated by the application. Please suggest the solution regarding the same.

<authentication mode="Windows" />
<identity impersonate="true" username="domain1\svc_acc" password="***" />




using System;
using System.DirectoryServices;

public bool ValidateUidPwdAndGetUserTypeGlobal(string TPXId, string password)
{
    // Bind to domain1's directory with the user's own credentials;
    // a failed bind surfaces as an exception when the entry is first used
    string strADPath = "LDAP://a.b.c/dc=a,dc=b,dc=c";
    try
    {
        DirectoryEntry objDirEntry = new DirectoryEntry(strADPath, TPXId, password);

        // Look the account up by sAMAccountName (note: the value is concatenated into the filter unescaped)
        DirectorySearcher search = new DirectorySearcher(objDirEntry);
        search.Filter = "(samaccountname=" + TPXId + ")";
        SearchResult result = search.FindOne();
        if (null == result)
        {
            return false;
        }
        else
            return true;
    }
    catch (Exception ex)
    {
        // Any failure (bad credentials, unreachable server, search error) is reported as "not authenticated"
        return false;
    }
}



Exception thrown during LDAP authentication: unknown user name or bad password.

Recommended answer

So it seems like all you are looking to do is authenticate a user against active directory correct? If so then this snippet will work

Method For AD Auth
using System;
using System.DirectoryServices;

public static bool IsAuthenticated(string ldap, string usr, string pwd)
{
    bool authenticated = false;

    try
    {
        // The bind is lazy; reading NativeObject forces it, so bad credentials throw here
        DirectoryEntry entry = new DirectoryEntry(ldap, usr, pwd);
        object nativeObject = entry.NativeObject;
        authenticated = true;
    }
    catch (DirectoryServicesCOMException cex)
    {
        // Directory-level failure (e.g. logon failure)
        Console.WriteLine(cex);
    }
    catch (Exception ex)
    {
        // Anything else (unreachable server, malformed path)
        Console.WriteLine(ex);
    }
    return authenticated;
}





Then to do your scenario, if the user uses the first LDAP server (domain1) and it does not authenticate it would automatically try the second LDAP server (domain2) for authentication. The first LDAP string is what you provided in your sample and then assuming the LDAP string for domain2 is different then just place that in the else if portion. This would then authenticate the user to the first server, fail, then auth to the second server and presumably pass if the user is valid.

bool returnAuth = false;
string returnServer = null;

// Verbatim strings (@"...") so the backslash in "domain2\user" is not parsed as an escape sequence
if (IsAuthenticated("LDAP://a.b.c/dc=a,dc=b,dc=c", @"domain2\user", "domain1pass"))
{
    returnAuth = true;
    returnServer = "Domain One Auth";
}
else if (IsAuthenticated("LDAP://a2.b2.c2/dc=a2,dc=b2,dc=c2", @"domain2\user", "domain1pass"))
{
    returnAuth = true;
    returnServer = "Domain Two Auth";
}
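The two-domain fallback above, written out as a complete class. This is an added example, not code from the question or the answer: `MultiDomainAuthenticator`, `TryBind` and `EscapeFilterValue` are names chosen here, and the entries in `DomainPaths` are the placeholder LDAP paths from the thread, to be replaced with the real ones. Compared with the answer's snippet it binds with `AuthenticationTypes.Secure | Sealing` (SSPI instead of a cleartext simple bind), rejects empty passwords (a simple bind with an empty password can be treated as an anonymous bind and look like success), escapes the account name before embedding it in the search filter per RFC 4515, and disposes the directory objects.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

// Tries each configured domain in turn and returns the LDAP path that accepted
// the credentials, or null when none did.
public static class MultiDomainAuthenticator
{
    // Placeholder paths taken from the thread; point these at the real domain1/domain2 controllers
    private static readonly string[] DomainPaths =
    {
        "LDAP://a.b.c/dc=a,dc=b,dc=c",         // domain1 (from the question)
        "LDAP://a2.b2.c2/dc=a2,dc=b2,dc=c2",   // domain2 (from the answer)
    };

    public static string Authenticate(string userName, string password)
    {
        // Never attempt a bind with an empty password: the directory may treat it as
        // an unauthenticated bind and "succeed" without checking anything.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return null;

        foreach (string path in DomainPaths)
        {
            if (TryBind(path, userName, password))
                return path;
        }
        return null;
    }

    private static bool TryBind(string path, string userName, string password)
    {
        try
        {
            // Secure = Kerberos/NTLM via SSPI rather than a cleartext simple bind; Sealing encrypts the session
            using (DirectoryEntry entry = new DirectoryEntry(path, userName, password,
                AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
            {
                // Binding is lazy; touching NativeObject forces it and throws on bad credentials
                object native = entry.NativeObject;

                using (DirectorySearcher searcher = new DirectorySearcher(entry))
                {
                    // Confirm the bound account exists as a user object, escaping the value we embed in the filter
                    string account = AccountNameOf(userName);
                    searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(account) + "))";
                    searcher.PropertiesToLoad.Add("sAMAccountName");
                    return searcher.FindOne() != null;
                }
            }
        }
        catch (COMException)
        {
            // Covers DirectoryServicesCOMException (logon failure) and server-unreachable errors; try the next domain
            return false;
        }
    }

    // Reduce "DOMAIN\user" or "user@domain" to the bare sAMAccountName
    private static string AccountNameOf(string userName)
    {
        int backslash = userName.IndexOf('\\');
        if (backslash >= 0)
            return userName.Substring(backslash + 1);
        int at = userName.IndexOf('@');
        return at >= 0 ? userName.Substring(0, at) : userName;
    }

    // RFC 4515 escaping for a value placed inside an LDAP search filter
    public static string EscapeFilterValue(string value)
    {
        StringBuilder sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }
}
```

Call it as `string authenticatedAt = MultiDomainAuthenticator.Authenticate(@"domain2\user", password);` and treat a null return as a failed logon. Because each domain is tried in order, a wrong password costs one failed bind per configured domain, so keep the list short and log which path accepted the credentials rather than the password itself.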

