在 Active Directory 中使用登录名查找用户 [英] Finding a User in Active Directory with the Login Name

问题描述

我可能只是愚蠢，但我正在尝试使用登录名(域用户")从 C# 中查找 Active Directory 中的用户.

I'm possibly just stupid, but I'm trying to find a user in Active Directory from C#, using the Login name ("domainuser").

我的骨架"广告搜索功能通常如下所示:

My "Skeleton" AD Search Functionality looks like this usually:

de = new DirectoryEntry(string.Format("LDAP://{0}", ADSearchBase), null, null, AuthenticationTypes.Secure);
ds = new DirectorySearcher(de);
ds.SearchScope = SearchScope.Subtree;
ds.PropertiesToLoad.Add("directReports");
ds.PageSize = 10;
ds.ServerPageTimeLimit = TimeSpan.FromSeconds(2);
SearchResult sr = ds.FindOne();

现在，如果我拥有用户的完整 DN(ADSearchBase 通常指向 Active Directory 中的我们的用户"OU)，这将起作用，但我根本不知道如何根据域用户"语法.

Now, that works if I have the full DN of the user (ADSearchBase usually points to the "Our Users" OU in Active Directory), but I simply have no idea how to look for a user based on the "domainuser" syntax.

任何指针?

推荐答案

你需要设置一个过滤器 (DirectorySearcher.Filter) 类似于:

You need to set a filter (DirectorySearcher.Filter) something like:

"(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))"

"(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))"

请注意，您只为属性 sAMAccountName 指定用户名(不带域).要搜索域用户，首先找到所需域的命名上下文，然后在那里搜索 sAMAccountName.

Note that you only specify the username (without the domain) for the property sAMAccountName. To search for domainuser, first locate the naming context for the required domain, then search there for sAMAccountName.

顺便说一下，在使用 String.Format 构建 LDAP 查询字符串时，您通常应该小心转义任何特殊字符.帐户名称可能不是必需的，但如果您按其他属性进行搜索，例如用户的名字(givenName 属性)或姓氏(sn 属性)名称，则可能是必需的.我有一个实用方法 EscapeFilterLiteral 来执行此操作:您可以像这样构建字符串:

By the way, when building LDAP query strings using String.Format, you should generally be careful to escape any special characters. It probably isn't necessary for an account name, but could be if you're searching by other properties such as the user's first (givenName property) or last (sn property) name. I have a utility method EscapeFilterLiteral to do this: you build your string like this:

String.Format("(&(objectCategory=person)(objectClass=user)(sn={0}))", 
              EscapeFilterLiteral(lastName, false)); 

其中 EscapeFilterLiteral 实现如下:

where EscapeFilterLiteral is implemented as follows:

public static string EscapeFilterLiteral(string literal, bool escapeWildcards)
{
    if (literal == null) throw new ArgumentNullException("literal");

    literal = literal.Replace("\", "\5c");
    literal = literal.Replace("(", "\28");
    literal = literal.Replace(")", "\29");
    literal = literal.Replace("", "\00");
    literal = literal.Replace("/", "\2f");
    if (escapeWildcards) literal = literal.Replace("*", "\2a");
    return literal;
}

此实现允许您将 * 字符视为文字的一部分 (escapeWildcard = true) 或作为通配符 (escapeWildcard = false).

This implementation allows you treat the * character as part of the literal (escapeWildcard = true) or as a wildcard character (escapeWildcard = false).

更新:这与您的问题无关，但您发布的示例并未在其使用的一次性对象上调用 Dispose.像所有一次性对象一样，这些对象(DirectoryEntry、DirectorySearcher、SearchResultCollection)应该总是被处理，通常使用 using 语句.请参阅这篇文章 了解更多信息.

UPDATE: This is nothing to do with your question, but the example you posted does not call Dispose on the disposable objects it uses. Like all disposable objects these objects (DirectoryEntry, DirectorySearcher, SearchResultCollection) should always be disposed, normally with the using statement. See this post for more info.

这篇关于在 Active Directory 中使用登录名查找用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！