Recursively querying LDAP group membership


Problem description

I'm writing an MVC-based (.NET 4.0) website that requires login credentials from my corporate LDAP server. What my code requires is to allow only the users that are part of a certain group. As an example, I could be looking for users that are part of the "Corporate IT" group. My credentials could be part of the "System Admins" group which is a subgroup of "Corporate IT". I'm using Forms Authentication.

How would I recursively check what group a user is under when they log in?

Recommended answer

For anybody else coming here from a search for this type of query, here is how I did it in my application:

The key is the 1.2.840.113556.1.4.1941 extended search filter. Since this particular filter works with DNs only, I first get hold of the DN of the user I want to check and then query groups to see if this particular user is a member of any of the groups in the chain.

using System.DirectoryServices;

internal static class LdapMembership
{
    internal const string UserNameSearchFilter = "(&(objectCategory=user)(objectClass=user)(|(userPrincipalName={0})(samAccountName={0})))";
    // 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the server follow nested group membership.
    internal const string MembershipFilter = "(&(objectCategory=group)(objectClass=group)(cn=MyGroup)(member:1.2.840.113556.1.4.1941:={0}))";

    // Escape the RFC 4515 filter metacharacters so a login name or a DN cannot rewrite the filter.
    private static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    internal static bool IsMemberOfGroup(string username)
    {
        using (var de = new DirectoryEntry(AppSettings.LDAPRootContainer, AppSettings.AdminUser, AppSettings.AdminPassword, AuthenticationTypes.FastBind))
        using (var ds = new DirectorySearcher(de) { Filter = string.Format(UserNameSearchFilter, EscapeFilterValue(username)) })
        {
            ds.PropertiesToLoad.Add("distinguishedName");

            var user = ds.FindOne();
            if (user == null)
                return false;

            // The matching rule only works on DNs, so look the user up first and then ask the group.
            var dn = (string)user.Properties["distinguishedName"][0];
            using (var gds = new DirectorySearcher(de) { PropertyNamesOnly = true, Filter = string.Format(MembershipFilter, EscapeFilterValue(dn)) })
            {
                gds.PropertiesToLoad.Add("objectGuid");
                return gds.FindOne() != null;
            }
        }
    }
}
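The following is an added example, not code from the answer above and not part of the .NET project it describes. It is written in Python rather than C# so it can run without a directory server: it builds the same two filters with RFC 4515 escaping (so a login name such as "*)(samAccountName=*" cannot alter the query), and it reproduces, over a small constructed in-memory directory, the nested "member" walk that the 1.2.840.113556.1.4.1941 matching rule performs on the server, including a circular group nesting. The group and user DNs, and the escape table, are assumptions made for the example.

```python
"""Transitive LDAP group membership, as the 1.2.840.113556.1.4.1941 filter
asks the server to evaluate it, reproduced over a constructed directory."""

# RFC 4515 escaping for values embedded in a search filter (assumed table).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape every filter metacharacter so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(username: str) -> str:
    """Same shape as the answer's UserNameSearchFilter, with the name escaped."""
    u = escape_filter_value(username)
    return ("(&(objectCategory=user)(objectClass=user)"
            f"(|(userPrincipalName={u})(samAccountName={u})))")


def membership_filter(group_cn: str, user_dn: str) -> str:
    """Same shape as the answer's MembershipFilter; the DN is escaped because
    a DN may legitimately contain '\\', '(' or ')' (e.g. CN=Smith\\, John)."""
    return ("(&(objectCategory=group)(objectClass=group)"
            f"(cn={escape_filter_value(group_cn)})"
            f"(member:1.2.840.113556.1.4.1941:={escape_filter_value(user_dn)}))")


# Constructed sample directory (not real data): group DN -> list of member DNs.
# "Ops" nests "System Admins" back, so the graph contains a cycle.
DIRECTORY = {
    "CN=Corporate IT,OU=Groups,DC=example,DC=com": [
        "CN=System Admins,OU=Groups,DC=example,DC=com",
        "CN=Alice,OU=Users,DC=example,DC=com",
    ],
    "CN=System Admins,OU=Groups,DC=example,DC=com": [
        "CN=Bob,OU=Users,DC=example,DC=com",
        "CN=Ops,OU=Groups,DC=example,DC=com",
    ],
    "CN=Ops,OU=Groups,DC=example,DC=com": [
        "CN=System Admins,OU=Groups,DC=example,DC=com",
        "CN=Carol,OU=Users,DC=example,DC=com",
    ],
}


def is_member_in_chain(directory: dict, group_dn: str, user_dn: str) -> bool:
    """Depth-first walk of nested 'member' links. The visited set guarantees
    termination even when groups nest each other circularly."""
    target = user_dn.casefold()          # DN comparison is case-insensitive
    seen, stack = set(), [group_dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in directory.get(group, []):
            if member.casefold() == target:
                return True
            if member in directory:      # member is itself a group: descend
                stack.append(member)
    return False


if __name__ == "__main__":
    corp_it = "CN=Corporate IT,OU=Groups,DC=example,DC=com"
    for who in ("Alice", "Bob", "Carol", "Dave"):
        dn = f"CN={who},OU=Users,DC=example,DC=com"
        print(who, is_member_in_chain(DIRECTORY, corp_it, dn))
        print("  ", membership_filter("Corporate IT", dn))
    print(user_filter("*)(samAccountName=*"))
```

Bob and Carol are only reachable through nested groups, which is exactly the case the answer's single server-side query covers; on a real server the same two-step lookup (user DN first, then the group query) applies, and the escaping belongs on both the login name and the DN.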
