Active Directory Services: PrincipalContext -- What is the DN of a "container" object?


Question


I'm currently trying to authenticate via Active Directory Services using the PrincipalContext class. I would like to have my application authenticate to the Domain using Sealed and SSL contexts. In order to do this, I have to use the following constructor of PrincipalContext (link to MSDN page):

public PrincipalContext(
    ContextType contextType,
    string name,
    string container,
    ContextOptions options
)


Specifically, I'm using the constructor as so:

PrincipalContext domainContext = new PrincipalContext(
    ContextType.Domain, 
    domain, 
    container, 
    ContextOptions.Sealing | ContextOptions.SecureSocketLayer);


MSDN says about "container":


The container on the store to use as the root of the context. All queries are performed under this root, and all inserts are performed into this container. For Domain and ApplicationDirectory context types, this parameter is the distinguished name (DN) of a container object.


What is the DN of a container object? How do I find out what my container object is? Can I query the Active Directory (or LDAP) server for this?

Answer


Well, I managed to figure out the issue:

PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, domain);

domainContext.ValidateCredentials(userName, password,
    ContextOptions.Negotiate | ContextOptions.SecureSocketLayer);


By specifying the ContextOptions in the ValidateCredentials method (instead of in the constructor), this allowed me to avoid having to specify a DN for a container object.

Update:


Although I should clarify that after further experimentation, I found that any queries derived from this PrincipalContext object take place UNENCRYPTED.


Apparently, when the ContextOptions are set in ValidateCredentials, those options are only used for that specific call of ValidateCredentials. But here's where it gets strange...


So, I wanted to have my queries to the AD server take place encrypted as well. Example query:

UserPrincipal p = UserPrincipal.FindByIdentity(
    domainContext, IdentityType.SamAccountName, userName);
var groups = p.GetGroups();
foreach (GroupPrincipal g in groups) { /* do something */ }


The above code gets a list of all the Groups that the user belongs to, but it happens in the clear (unencrypted). So after much fiddling, I discovered that the DN never needs to be set.

PrincipalContext domainContext = new PrincipalContext(ContextType.Domain, domain,
    null, ContextOptions.Negotiate | ContextOptions.SecureSocketLayer);


I found that I could set the container object (DN) to null. And this works fine. Setting it to an empty string ("") results in an exception of some unknown type, so don't think you can give it an empty string.


And here's the weird part. You'd think that setting the SecureSocketLayer option in the PrincipalContext would mean that you don't have to explicitly set it when you use ValidateCredentials. But I found that if I didn't set it in the ValidateCredentials call, the authentication would fail, but the queries (like in the Groups example) still take place encrypted.


Maybe I just don't fully understand AD authentication and queries yet, but that seems like odd behavior to me.
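As an added example (not code from the original question or answer), here is how the pieces fit together in C#: the DN of the domain root is read from the server's RootDSE entry instead of being guessed from the DNS name, that DN is used as the container of a PrincipalContext opened with Negotiate over LDAPS, the same options are passed again to ValidateCredentials (since, as the answer observed, that call binds on its own), and the user's groups are enumerated under the encrypted context. The domain name corp.example.com, the sample OU, the account name and the AD_TEST_PASSWORD environment variable are placeholders, and the domain controller is assumed to offer LDAPS on port 636 with a certificate the client trusts.

```csharp
// Added example, not part of the original post. Placeholders: the domain
// name, the OU, the user name and the AD_TEST_PASSWORD variable. Requires a
// reachable DC with LDAPS (636) and a certificate the client trusts.
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

static class AdContextExample
{
    // Ask the DC for its default naming context rather than building the DN
    // by hand from the DNS name; RootDSE is readable without credentials on
    // a normal AD domain.
    static string GetDomainRootDn(string domainDns)
    {
        using (var rootDse = new DirectoryEntry("LDAP://" + domainDns + "/RootDSE"))
        {
            return (string)rootDse.Properties["defaultNamingContext"].Value;
        }
    }

    static void Main()
    {
        string domain = "corp.example.com";   // placeholder
        string userName = "jdoe";             // placeholder
        string password = Environment.GetEnvironmentVariable("AD_TEST_PASSWORD") ?? "";

        string rootDn = GetDomainRootDn(domain);   // e.g. DC=corp,DC=example,DC=com
        // Any container under the root is also valid, for example an OU
        // (placeholder name): string container = "OU=Staff," + rootDn;
        string container = rootDn;

        // Kerberos/NTLM bind over LDAPS. null for the container means the
        // domain root; the answer above notes that "" is rejected.
        var options = ContextOptions.Negotiate | ContextOptions.SecureSocketLayer;

        using (var ctx = new PrincipalContext(ContextType.Domain, domain, container, options))
        {
            // The context's options cover the searches below; ValidateCredentials
            // performs a separate bind, so the options are passed to it too.
            bool ok = ctx.ValidateCredentials(userName, password, options);
            Console.WriteLine("credentials valid: " + ok);
            if (!ok) return;

            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
            {
                if (user == null)
                {
                    Console.WriteLine("user not found under " + container);
                    return;
                }
                Console.WriteLine("DN: " + user.DistinguishedName);
                foreach (Principal g in user.GetGroups())
                {
                    using (g) Console.WriteLine("member of: " + g.DistinguishedName);
                }
            }
        }
    }
}
```

Two practical notes. A container DN narrows where FindByIdentity searches, so a user outside the chosen OU comes back as null even with correct credentials; start from the root DN if in doubt. And the Sealing option from the original question (Kerberos-encrypted traffic without LDAPS) is documented as usable only together with Negotiate, so pair it as ContextOptions.Negotiate | ContextOptions.Sealing rather than combining it with SecureSocketLayer alone.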

