如何在.NET中对LDAP进行身份验证 [英] How to Authenticate LDAP in .NET
问题描述
我想使用任何目录服务在Windows操作系统上验证我的应用程序的用户名和密码.例如,它可以是Microsoft活动目录,Novell eDirecotry或SunOne.我已经知道如何使用c#为Microsoft Active Direcotry本地执行此代码. (我完全放弃了使用ADSI并创建一个低级com组件)
I would like to authenticate username and passwords for my application on a windows operating system with any directory service. For example it could be microsoft active directory, Novell eDirecotry, or SunOne. I already know how to do this code natively for Microsoft Active Direcotry with c#. ( I totally gave up using ADSI and creating a low level com component)
我试图通过Novel eDirecotory进行身份验证的方式是我已经安装了Mono项目.在mono项目中,它们为您提供Novell.Directory.ldap.dll.该代码看起来与Microsoft Active Directory相同.(
The way im attempting to authenticate with Novel eDirecotory is i have installed the Mono project. Inside the mono project they provide you with Novell.Directory.ldap.dll The code looks somewhat the same as for Microsoft Active Directory.(http://www.novell.com/coolsolutions/feature/11204.html)
对于SunOne,有人告诉我使用与活动目录相同的代码,但是ldap connecton字符串略有不同.( http://technet.microsoft.com/en-us/library/cc720649. aspx )
For SunOne, i have been told to use the same code as active direcotry, but the ldap connecton string is a little different.(http://forums.asp.net/t/354314.aspx) (http://technet.microsoft.com/en-us/library/cc720649.aspx)
要使我的项目复杂化,大多数客户都使用服务帐户:",这意味着我需要先绑定管理用户名和密码,然后才能验证常规用户名和密码.我的问题分为两部分.
To complicate my project, most customers use a "Service account:" which means i need to bind with an administrative username and password before i can authenticate a regular username and password. My questions is in 2 parts.
1)根据我上面的解释,这是我应该针对每个目录服务进行身份验证的正确方向吗?
1) From what I have explained above, is this the correct direction I should be going to authenticate against each individual direcotory service?
2)我觉得我根本不需要执行任何此代码.我也觉得使用服务帐户的规定一点都不重要.如果我只关心在Windows计算机上验证用户名和密码,为什么我什至需要使用ldap?我想说的是,考虑一下.早晨登录计算机时,您不必仅提供服务帐户即可登录.通过使用runas功能,我可以在DOS提示符下轻松验证用户名和密码,并且我将被拒绝或拒绝并可以解析文本文件.我确定还有其他方法可以将用户名和密码传递给我所使用的Windows操作系统,并告诉我用户名和密码是否对所使用的域有效.我对吗?如果是这样,你们有什么建议的方式?
2) I feel that i dont not need to do any of this code at all. I also feel the stipulation of using a service account is not imporant at all. If all I care about is authenticating a username and password on a windows machine why do i even need to use ldap? I mean think about it. When you login to your machine in the morning, you do not have to provide a service account just to login. I can easily authenticate a username and password at a DOS prompt by using the runas feature and i will be denied or not and could parse the text file. Im sure there are other ways i could pass a username and password to the windows operating system that i am on and will tell me if a username and password is valid for the domain that it is on. Am i right? If so what suggested ways do you guys have?
迈克尔·埃文奇克(Michael Evanchik) www.MikeEvanchik.com
Michael Evanchik www.MikeEvanchik.com
推荐答案
所有这些都可以通过System.DirectoryServices.Protocols完成.如果您创建到目录的LdapConnection,则可以使用服务帐户进行绑定,然后进行后续绑定以对凭据进行身份验证.
All this can be done with System.DirectoryServices.Protocols. If you create an LdapConnection to the directory you can use the service account to bind with, and then make a subsequent bind to authenticate the credentials.
服务帐户通常用于限制对服务器身份验证机制的访问.这样,在大街上没有随机的人可以尝试对您的LDAP服务器进行身份验证.
The service account is generally used to limit access to the authentication mechanism of the server. This way no random person on the street can try to auth with your LDAP server.
此外,您是否希望每个用户在登录时都提供其专有名称?使用Active Directory,仅需要sAMAccountName,而其他提供程序(如eDirectory和SunONE)则需要可分辨名称进行身份验证.
Also, do you expect that each user will provide their distinguished name when logging in? With Active Directory, only the sAMAccountName is required, yet other providers like eDirectory and SunONE require the distinguished name for authentication.
要执行这种类型的身份验证,您将需要使用提供的用于对服务器进行身份验证的服务帐户,使用给定的用户名搜索用户,并获取该用户的专有名称.然后,您可以使用该专有名称和提供的密码进行身份验证.
To perform this type of authentication, you would need to use the service account that is provided to authenticate to the server, perform a search for a user with the given username, and grab that users distinguished name. You can then authenticate using that distinguished name and the password that was provided.
这将适用于所有LDAP系统,但Active Directory除外,仅对sAMAccountName满意.
This will work for all LDAP systems, with the exception of Active Directory which will be happy with just the sAMAccountName.
这篇关于如何在.NET中对LDAP进行身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
