Set callback for System.DirectoryServices.DirectoryEntry to handle self-signed SSL certificate?


Problem description

I have an application replicating data from a directory service using typical System.DirectoryServices.DirectoryEntry code. I now have a requirement to replicate from Novell eDirectory using SSL with a self-signed certificate. I suspect that the existing code would work with a valid certificate that could be verified, or perhaps if the self-signed cert is added to the local machine keystore. In order to make it work for sure with a self-signed cert however, the only solution I can find is to use the System.DirectoryServices.Protocols namespace and the LdapConnection class, whereby I can wire up a VerifyServerCertificate callback. I can't find any way of applying the same concept to a DirectoryEntry instance, or of connecting with an LdapConnection instance and somehow "converting" that to a DirectoryEntry instance. Maybe it isn't possible, I'd just like to confirm that really. Any other thoughts welcome.

The only pertinent link I've found is at: http://www.codeproject.com/Articles/19097/eDirectory-Authentication-using-LdapConnection-and

Recommended answer

This is a phenomenal question.

I've been battling this same issue for a few days now, and I've finally got some definitive proof on why the DirectoryEntry object will not work in this scenario.

This particular LDAP server (running on LDAPS 636) also issues its own self-signed certificate. Using LdapConnection (and monitoring the traffic via Wireshark), I noticed a handshake taking place that does not occur when using DirectoryEntry:

The first sequence is from the secured LDAP server, the second sequence is from my machine. The code that prompts the second sequence is:

ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };

There are other ways to "fake out" the callback, but this is what I've been using.

Unfortunately, DirectoryEntry does not have an option or method to verify a self-signed cert, thus the acceptance of the certificate never happens (second sequence), and the connection fails to initialize.

The only feasible way to accomplish this is by using LdapConnection, in conjunction with a SearchRequest and SearchResponse. This is what I've got so far :

using System.DirectoryServices.Protocols;
using System.Net;

// Connect over LDAPS (port 636) with an explicit SSL session.
LdapConnection ldapConnection = new LdapConnection("xxx.xxx.xxx:636");

var networkCredential = new NetworkCredential("Hey", "There", "Guy");
ldapConnection.SessionOptions.SecureSocketLayer = true;
// Accepts any server certificate, including the self-signed one; no validation is performed.
ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };
ldapConnection.AuthType = AuthType.Negotiate;
ldapConnection.Bind(networkCredential);

// Look up a single account by sAMAccountName below the given base DN.
SearchRequest request = new SearchRequest("DC=xxx,DC=xxx,DC=xxx", "(sAMAccountName=3074861)", SearchScope.Subtree);
SearchResponse response = (SearchResponse)ldapConnection.SendRequest(request);

if (response.Entries.Count == 1)
{
    SearchResultEntry entry = response.Entries[0];
    string DN = entry.DistinguishedName;
}

From there you can gather AD properties from the SearchResponse, and process accordingly. This is a total bummer though, because the SearchRequest seems to be much slower than using the DirectoryEntry.

Hope this helps!
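Added example, not part of the original answer: the same LdapConnection setup, but the VerifyServerCertificate callback accepts only the one self-signed certificate you have recorded (matched by thumbprint and checked for validity dates) and rejects everything else, rather than `delegate { return true; }`. The thumbprint, host and credential values are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

class PinnedLdapConnection
{
    // Placeholder: replace with the SHA-1 thumbprint shown on the eDirectory server's certificate.
    const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    // Matches the VerifyServerCertificateCallback signature used by SessionOptions.VerifyServerCertificate.
    static bool VerifyPinnedCertificate(LdapConnection connection, X509Certificate certificate)
    {
        var cert = certificate as X509Certificate2 ?? new X509Certificate2(certificate);

        // Accept only the exact certificate we pinned; Thumbprint is upper-case hex without separators.
        bool pinned = string.Equals(cert.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);

        // A pinned certificate that has expired (or is not yet valid) is still rejected.
        DateTime now = DateTime.UtcNow;
        bool inDate = now >= cert.NotBefore.ToUniversalTime() && now <= cert.NotAfter.ToUniversalTime();

        return pinned && inDate;
    }

    public static LdapConnection Connect(string hostAndPort, NetworkCredential credential)
    {
        var ldap = new LdapConnection(hostAndPort);
        ldap.SessionOptions.SecureSocketLayer = true;
        ldap.SessionOptions.VerifyServerCertificate = VerifyPinnedCertificate;
        ldap.AuthType = AuthType.Negotiate;
        ldap.Bind(credential);   // throws LdapException if the callback returns false
        return ldap;
    }

    static void Main()
    {
        // Placeholder host and credential values.
        using (var ldap = Connect("ldap.example.invalid:636", new NetworkCredential("user", "password", "domain")))
        {
            var request = new SearchRequest("DC=example,DC=invalid", "(sAMAccountName=someone)", SearchScope.Subtree);
            var response = (SearchResponse)ldap.SendRequest(request);
            Console.WriteLine(response.Entries.Count);
        }
    }
}
```

When the server's certificate is rotated, the Bind fails until the new thumbprint is recorded, which is the intended behaviour of a pin.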
