How can I retain connection credentials across calls in System.DirectoryServices?

Problem description

I am trying to connect to an Active Directory domain (W2K8R2 DC) in a different forest. To that end, I pass the credentials into the following DirectoryEntry constructor:

DirectoryEntry(string path, string username, string password, AuthenticationTypes authenticationType)

This is all good and well. What I would like to do though is retain the connection somehow and reuse it through all my calls to the AD so that I do not need to pass the credentials repeatedly. Is this possible somehow?

Thanks!

Recommended answer

If you want control at the connection level, I recommend that you use System.DirectoryServices.Protocols. You can reuse your LDAP connection to make different LDAP queries. However, the programming paradigm is very different from DirectoryEntry.

If you need to use DirectoryEntry, you have to store the username and password somewhere and then pass them to all the DirectoryEntry objects. What I would do is to write a method GetDirectoryEntry(string dn) and have this method create the DirectoryEntry for me with the correct username and password. This doesn't look elegant but it doesn't do anything wrong. If you care about the password being stored in memory in plain text, use SecureString to store the password.

There is nothing wrong with this because DirectoryEntry is maintaining its own LDAP connection pool. If you have multiple DirectoryEntry objects with the same username and password, it will be smart enough to share the LDAP connection. It's basically the same as holding a single LDAP connection and doing different LDAP queries. It's not going to re-authenticate to the LDAP server for each of the DirectoryEntry objects.

If you don't like to rely on the black box feature from DirectoryEntry, the following suggested workaround may make you feel better.

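using System.DirectoryServices;

// Escape characters that are special in an LDAP filter value (RFC 4515); backslash first.
static string EscapeFilterValue(string value)
{
    return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}

// Look up an object by DN through a searcher rooted at an already-bound entry,
// so the returned DirectoryEntry reuses the root's credentials.
static DirectoryEntry GetObject(DirectoryEntry root, string dn)
{
    using (DirectorySearcher searcher = new DirectorySearcher(root))
    {
        searcher.Filter = "(distinguishedName=" + EscapeFilterValue(dn) + ")";
        searcher.SearchScope = SearchScope.Subtree;
        SearchResult result = searcher.FindOne();
        if (result == null) return null;   // no object with that DN under root
        return result.GetDirectoryEntry();
    }
}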

You just need to bind to a root object with username and password. Then, you can keep the root object as a static variable or whatever you like. Then, you get another DirectoryEntry object by doing an LDAP query with the SearchRoot set to your root object. The returned DirectoryEntry will still use the username and password from root. Again, this is not doing anything better than simply passing in username and password to DirectoryEntry. Indeed, performance-wise, it's worse because we need to do one more LDAP query to get the DirectoryEntry.
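
The answer's first recommendation, sketched as an added example (not code from the original answer): a System.DirectoryServices.Protocols connection that is bound once with explicit credentials and then reused for each query. The class name ForestSession, its method names and its constructor parameters are hypothetical.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security;

// Added example: authenticate once, then reuse the bound connection for every query.
sealed class ForestSession : IDisposable
{
    private readonly LdapConnection _conn;

    // server, user, domain and password are supplied by the caller (hypothetical parameters).
    public ForestSession(string server, string user, SecureString password, string domain)
    {
        var credential = new NetworkCredential(user, password, domain);
        _conn = new LdapConnection(new LdapDirectoryIdentifier(server), credential, AuthType.Negotiate);
        _conn.SessionOptions.ProtocolVersion = 3;
        _conn.SessionOptions.Signing = true;  // integrity-protect the session
        _conn.SessionOptions.Sealing = true;  // encrypt the session
        _conn.Bind();                         // the only place credentials are presented
    }

    // Read one object by DN with a base-scoped search; returns null if it does not exist.
    public SearchResultEntry FindByDn(string dn, params string[] attributes)
    {
        try
        {
            var entries = Search(dn, "(objectClass=*)", SearchScope.Base, attributes);
            return entries.Count > 0 ? entries[0] : null;
        }
        catch (DirectoryOperationException e)
            when (e.Response != null && e.Response.ResultCode == ResultCode.NoSuchObject)
        {
            return null;
        }
    }

    // Run any other query over the same connection. Values placed into 'filter'
    // must already be escaped for LDAP filter syntax by the caller.
    public SearchResultEntryCollection Search(string baseDn, string filter,
                                              SearchScope scope, params string[] attributes)
    {
        var request = new SearchRequest(baseDn, filter, scope, attributes);
        var response = (SearchResponse)_conn.SendRequest(request);
        return response.Entries;
    }

    public void Dispose() => _conn.Dispose();
}
```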
