使用 C# 对用户进行 LDAP 身份验证 [英] Using C# to authenticate user against LDAP

问题描述

我正在使用 DirectorySearcher 在 LDAP 服务器中搜索用户条目.

I'm using DirectorySearcher to search for a user entry in LDAP server.

DirectoryEntry de = new DirectoryEntry();
de.Path = "LDAP://myserver/OU=People,O=mycompany";
de.AuthenticationType = AuthenticationTypes.None;

DirectorySearcher deSearch = new DirectorySearcher();

deSearch.SearchRoot = de;
deSearch.Filter = "(uid=" + model.UserName + ")";

SearchResult result = deSearch.FindOne();

我能够在结果变量中获得预期的输出.
但是，如果我尝试通过在目录条目中提供密码来对同一用户进行身份验证，我总是会收到以下错误.

I'm able to get th intended output in result variable.
However If I try to authenticate the same user by providing password in directory entry, I always get following error.

用户名或密码不正确."

"The user name or password is incorrect."

DirectoryEntry entry = new DirectoryEntry("LDAP://myserver/OU=People,O=mycompany", username, password);
DirectorySearcher search = new DirectorySearcher(
    entry,
    "(uid=" + username + ")",
    new string[] { "uid" }
);

search.SearchScope = System.DirectoryServices.SearchScope.Subtree;
SearchResult found = search.FindOne();   ->>>>>this is where I get wrong credential error.

用户名和密码用于我要验证的用户.

The username and password are for the user I want to authenticate.

谁能告诉我我在这里做错了什么或如何调试.

Can anyone tell me what I'm doing wrong here or how to debug this.

推荐答案

此行内的用户名、密码:

This username, password within this line:

DirectoryEntry("LDAP://myserver/OU=People,O=mycompany", username, password);

应该用于具有目录查找权限的帐户.它可能是服务帐户或测试目的，请尝试使用您自己的帐户.这不应该是您尝试进行身份验证的人的用户/通行证.

should be for an account that has permission for directory lookup. It could be a service account or testing purpose try with your own. This shouldn't be the user/pass of someone who you are trying to authenticate.

如果要进行身份验证，可以使用 PrincipalContext 执行以下步骤:

If you want to authenticate, you can use following steps using PrincipalContext:

using(var context = new PrincipalContext(ContextType.Domain, "mydomain", "mydomainserviceAcct", "serviceAcctPass")) {
 //Username and password for authentication.
 return context.ValidateCredentials(username, password); 
}

"serviceAcct" = 域用户中具有目录查找权限的帐户.serviceAcctPass" = 该服务帐户的密码.正如我所说，为了进行测试，您可以尝试使用自己的用户/密码上下文.

"serviceAcct" = an account within domain users that has permission for directory lookup. "serviceAcctPass" = password for that service account. As I said, for testing you can try with your own user/pass context.

此外，请确保提供的用户名具有域用户名"或用户名@域"格式.

Also, make sure supplied username has either "domainusername" or "username@domain" formatting.

这篇关于使用 C# 对用户进行 LDAP 身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！