OWIN with LDAP Authentication


Question

Here is my scenario. I have an MVC 5 application that uses Owin as an authentication mechanism. The default template calls the SignInManager.PasswordSignInAsync in the Login action which I would like to overwrite to use LDAP to validate the user instead of looking into the database.

I am able to do the validation via:

    PrincipalContext dc = new PrincipalContext(ContextType.Domain, "domain.com", "DC=domain,DC=com", "user_name", "password");
    bool authenticated = dc.ValidateCredentials(userName, password);

Then I can retrieve the UserPrincipal using:

    UserPrincipal user = UserPrincipal.FindByIdentity(dc, IdentityType.SamAccountName, userName);

However, I am stuck here and I am not sure how to continue with signing in the user. The goal is that after I sign in the user, I would have access to User.Identity including all the roles the user is in. Essentially, the app should behave as if it uses Windows Authentication, but the credentials are provided by the user on the Login page.

You would probably ask why not use Windows Authentication directly. The app will be accessed from outside the network, but the requirements are to use AD authentication and authorization. Hence my predicament.

Any suggestions are highly appreciated.

Thanks.

Accepted answer

After many hours of research and trial and error, here is what I ended up doing:

  1. AccountController.cs - Create the application user and sign in

    ApplicationUser usr = new ApplicationUser() { UserName = model.Email };
    bool auth = await UserManager.CheckPasswordAsync(usr, model.Password);
    if (auth)
    {
        // Claims that make up the signed-in identity (roles, identifier, name).
        List<Claim> claims = new List<Claim>();

        foreach (var group in Request.LogonUserIdentity.Groups)
        {
            // Translate the group SID to DOMAIN\GroupName and keep only the group name.
            string role = new SecurityIdentifier(group.Value).Translate(typeof(NTAccount)).Value;
            string clean = role.Substring(role.IndexOf("\\") + 1);
            claims.Add(new Claim(ClaimTypes.Role, clean));
        }
        claims.Add(new Claim(ClaimTypes.NameIdentifier, model.Email));
        claims.Add(new Claim(ClaimTypes.Name, model.Email));
        ClaimsIdentity ci = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
        AuthenticationManager.SignIn(new AuthenticationProperties()
        {
            AllowRefresh = true,
            IsPersistent = false,
            ExpiresUtc = DateTime.UtcNow.AddDays(7),
        }, ci);
        return RedirectToLocal(returnUrl);
    }
    else
    {
        ModelState.AddModelError("", "Invalid login credentials.");
        return View(model);
    }

  2. IdentityConfig.cs (CheckPasswordAsync) - Authenticate against LDAP

    // Requires a reference to System.DirectoryServices.AccountManagement.
    public override Task<bool> CheckPasswordAsync(ApplicationUser user, string password)
    {
        // [user_name] and [password] are the service credentials used to bind to the directory.
        using (PrincipalContext dc = new PrincipalContext(ContextType.Domain, "domain", "DC=domain,DC=com", [user_name], [password]))
        {
            bool authenticated = dc.ValidateCredentials(user.UserName, password);
            return Task.FromResult(authenticated);
        }
    }


  3. Global.asax - if you are using the Anti Forgery Token in your login form

    AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;

    At this point, you are logged in and can access the User.Identity object. You can also mark controllers and actions with [Authorize(Roles = "some_role")].

    It turned out to be easier than I thought; it is just that not much is really written on the topic (at least I could not find anything).

    Also, this code presumes that you are running the app from a server which has access to the Domain Controller on your network. If you are on a DMZ server, you need to discuss this strategy with your network admin for other options.

    I hope this saves you some time. I am also eager to hear what the community thinks of this. Maybe there is a better way of handling this situation. If so, please share it here.

    Thanks.

    Daniel D.
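The answer above reads group membership from Request.LogonUserIdentity, which is the Windows identity IIS attached to the HTTP request rather than the account that was just validated over LDAP, so the role claims may not belong to the signed-in user. The following added example (not the poster's code) validates the credentials and then asks the directory for that user's own groups, including nested ones, before building the ClaimsIdentity; the domain, container and service-account values are placeholders.

```csharp
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using Microsoft.AspNet.Identity;

public static class LdapSignIn
{
    // Placeholders: load real values from protected configuration, never from source.
    private const string Domain = "domain.com";
    private const string Container = "DC=domain,DC=com";
    private const string BindUser = "SERVICE_ACCOUNT_PLACEHOLDER";
    private const string BindPassword = "SERVICE_PASSWORD_PLACEHOLDER";

    // Validates the user's credentials against the domain and, on success, builds a
    // ClaimsIdentity whose role claims are the directory groups of that user.
    // Returns null when validation fails or the account cannot be found.
    public static ClaimsIdentity Authenticate(string userName, string password)
    {
        // An empty password can be treated as an unauthenticated bind by some directory
        // configurations, so refuse it before touching the directory.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return null;

        using (var ctx = new PrincipalContext(ContextType.Domain, Domain, Container, BindUser, BindPassword))
        {
            if (!ctx.ValidateCredentials(userName, password))
                return null;

            UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName);
            if (user == null)
                return null;
            var claims = new List<Claim>
            {
                // The SID is stable across renames; the anti-forgery token is keyed on it.
                new Claim(ClaimTypes.NameIdentifier, user.Sid.Value),
                new Claim(ClaimTypes.Name, user.SamAccountName)
            };
            // GetAuthorizationGroups resolves nested membership, so [Authorize(Roles = "...")]
            // also sees groups the user belongs to only indirectly.
            foreach (Principal group in user.GetAuthorizationGroups())
            {
                if (!string.IsNullOrEmpty(group.SamAccountName))
                    claims.Add(new Claim(ClaimTypes.Role, group.SamAccountName));
            }
            return new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);
        }
    }
}
```

In the Login action, pass the returned identity to AuthenticationManager.SignIn together with the AuthenticationProperties shown in the answer; a null result means the credentials were rejected.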
