User Authentication in AD
Problem description
Good day all.
I'm working on user management and it requires that I register users that are in the AD from one of the units. This is to ensure that only those that are in the AD and are in the application DB will be using the application (double authentication).
My problem is that in the course of registering users into the application DB, I don't know how to check for a user's name in the AD without the user's password. The fields for registration are: Username, Password, Rank, Unit. I want to remove this password field, but if I remove it the application will be registering those that are not in the AD.
My code is as shown below:
Imports System.DirectoryServices

Protected Sub btnButton1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnButton1.Click
    Try
        If getOrder() = False Then Return
        ' Bind to AD with the credentials typed into the form; a wrong
        ' username/password pair surfaces as an exception at FindOne.
        Dim entry As New DirectoryEntry("LDAP://IP Address")
        entry.Username = txtUsername.Text + "@gov.net"
        entry.Password = txtPassword.Text
        Dim searcher As New DirectorySearcher("(&(objectCategory=Person)(objectClass=User))")
        searcher.SearchRoot = entry
        searcher.PropertiesToLoad.Add("cn")
        Dim result As SearchResult
        searcher.Filter = "(mail=net\" & txtUsername.Text & "@gov.net)"
        result = searcher.FindOne   ' result is never checked for Nothing
        ' SQL built by string concatenation; the Replace only doubles single quotes
        Dim sql As String = "INSERT INTO Table (Role,Username,Unit,Rank) VALUES ('" & _
            ddlRole.Text & "','" & txtUsername.Text.Replace("'", "''") & "','" & _
            ddlUnit.Text & "','" & ddlRank.Text & "')"
        Dim gentool As New functions
        If gentool.ExecuteDatabase(sql) = True Then
            lblMsg.Text = "Registered successfully"
            goClear()
        Else
            lblMsg.Text = "User already exists"
        End If
    Catch ex As Exception
        lblMsg.Text = "Registration failure: Either username or password" ' ex.Message
    End Try
End Sub
Recommended answer
Yeah, this is a horror story on many levels. For instance, that little Text.Replace() thing you're doing is laughable. It's not going to prevent injection attacks from user input and it can, and will, lead to your code crashing depending on what the user typed. Google for ".net parameterized queries" for a ton of examples and discussion on what you should be doing.
If you want to authenticate someone against AD, you need their password. It's that simple.
If you want to see if someone is IN Active Directory, then you just have to do an LDAP search for their account name, no user password required. This code WILL need to be running under an account that has read permissions to AD though. Even so, this, of course, won't tell if the account is expired or locked without additional work on your part, but hey, it's your job, not mine.
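What the answer describes, written up as an added example (it is neither the asker's code nor code from this site): a lookup by sAMAccountName under a service account that has read rights to AD, a check that the account is not disabled, locked out or expired, and a parameterized INSERT in place of the Replace() escaping. The LDAP path, connection string, table name and column sizes are assumptions, and the service credentials are assumed to come from protected configuration rather than from the registration form.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.DirectoryServices
Public Class AdRegistration
    ' Assumed values: point these at your own domain and database.
    Private Const LdapPath As String = "LDAP://dc.example.local/DC=example,DC=local"
    Private Const ConnString As String = "Server=.;Database=AppDb;Integrated Security=true"

    ' Escape the RFC 4515 filter metacharacters so the typed account name cannot change the query.
    Public Shared Function EscapeLdapFilter(ByVal value As String) As String
        Return value.Replace("\", "\5c").Replace("*", "\2a").Replace("(", "\28") _
                    .Replace(")", "\29").Replace(vbNullChar, "\00")
    End Function
    ' Looks the account up by sAMAccountName under a service account with AD read rights
    ' (no password from the person being registered). True only if the account exists
    ' and is not disabled, not locked out and not expired.
    Public Shared Function AccountExistsAndUsable(ByVal serviceUser As String, ByVal servicePwd As String, ByVal accountName As String) As Boolean
        Using root As New DirectoryEntry(LdapPath, serviceUser, servicePwd, AuthenticationTypes.Secure)
            Using searcher As New DirectorySearcher(root)
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" & EscapeLdapFilter(accountName) & "))"
                searcher.PropertiesToLoad.AddRange(New String() {"userAccountControl", "msDS-User-Account-Control-Computed", "accountExpires"})
                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then Return False
                Dim uac As Integer = CInt(result.Properties("userAccountControl")(0))
                If (uac And &H2) <> 0 Then Return False   ' UF_ACCOUNTDISABLE
                ' The computed attribute reports the live lockout state; lockoutTime stays set after the lockout window has passed.
                Dim computed As Integer = CInt(result.Properties("msDS-User-Account-Control-Computed")(0))
                If (computed And &H10) <> 0 Then Return False   ' UF_LOCKOUT
                ' accountExpires is a FILETIME; 0 and Long.MaxValue both mean "never expires".
                Dim expires As Long = CLng(result.Properties("accountExpires")(0))
                If expires > 0 AndAlso expires < Long.MaxValue AndAlso DateTime.FromFileTimeUtc(expires) < DateTime.UtcNow Then Return False
                Return True
            End Using
        End Using
    End Function
    ' Parameterized INSERT: the values travel as parameters, never as SQL text.
    Public Shared Function RegisterUser(ByVal role As String, ByVal userName As String, ByVal unit As String, ByVal rank As String) As Integer
        Using conn As New SqlConnection(ConnString)
            Using cmd As New SqlCommand("INSERT INTO AppUsers (Role, Username, Unit, Rank) VALUES (@role, @user, @unit, @rank)", conn)
                cmd.Parameters.Add("@role", SqlDbType.NVarChar, 50).Value = role
                cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName
                cmd.Parameters.Add("@unit", SqlDbType.NVarChar, 100).Value = unit
                cmd.Parameters.Add("@rank", SqlDbType.NVarChar, 50).Value = rank
                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Class
```

The button handler would call AccountExistsAndUsable first and only call RegisterUser when it returns True, so the registrant's own password is never collected.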