C# ActiveDirectory LDAP 组查询 [英] C# ActiveDirectory LDAP Group Querying

问题描述

基本上我想要做的是，我有一个 ASP.Net Web 应用程序，它使用表单身份验证和一些自定义代码将其链接到 ActiveDirectory(非常类似于 这 有效).

Basically what I'm trying to do is, I have an ASP.Net web application that's using Forms Authentication with some custom code to link it to ActiveDirectory (very similar to how this works).

但是，每当我在域控制器中查询用户组时，它只返回他们明确所在的组，而不是子组(id est，有一个用户所属的特定安全组，比如组 A，即我想要的组的成员，比如组 B，用户显式在组 A 中，但仅隐式在组 B 中，因为组 A 是组 B 的成员.

However, whenever I query the domain controller for the users groups it only returns the groups that they're explicitly in and not subgroups (id est, there's a specific Security Group that the user belongs to, say group A, that is a member of the group I want, say group B, the user is explicitly in group A, but only implicitly in group B because group A is a member of group B).

我已阅读 tokenGroups 查询可以帮助我，但目前我没有办法解析该数据.

I've read the tokenGroups querying could help me out here but currently I don't have a way to parse that data.

但是，如果我可以通过 LDAP 查询传递某些组，并且如果该用户是否在该组中，域控制器只给我一个布尔值(真/假)，那么最可取的是.

However what would be most preferable is if I could pass certain groups via an LDAP query and have the Domain controller just give me a boolean (true/false) if that user is within that group or not.

有什么建议吗?

推荐答案

是的，通常"的 user.Properties["memberOf"] 只返回直接成员资格.

Yes, the "usual" user.Properties["memberOf"] only returns direct memberships.

如果您使用的是 .NET 3.5，则可以使用更现代的基于主体"的方法:

If you're using .NET 3.5 however, you can use the more modern "principal-based" methods:

using(PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
    using(Principal p = Principal.FindByIdentity(ctx, "yourUserName"))
    {
        var groups = p.GetGroups();

        using (groups)
        {
            foreach (Principal group in groups)
            {
                Console.WriteLine(group.SamAccountName + "-" + group.DisplayName);
            }
        }
    }
}

此方法(向您的项目添加对System.DirectoryServices.AccountManagement"程序集的引用)应该可以工作，并且还可以提供用户的主要组及其嵌套组成员身份.

This method (add a reference to the "System.DirectoryServices.AccountManagement" assembly to your project) should work and deliver the user's primary group and its nested group memberships as well.

如果您使用的是 .NET 2.0/3.0 并且无法升级，则通过阅读tokenGroups"属性来使用该方法是最好的方法 - 请参阅 Ryan Dunn 的优秀博客中有关如何执行所有这些操作的详细信息发布，枚举 .NET 中的令牌组 (tokenGroups).

If you're on .NET 2.0/3.0 and can't move up, using the approach by reading the "tokenGroups" attribute is the best approach - see the details about how to do all of this in Ryan Dunn's excellent blog post, Enumerating Token Groups (tokenGroups) in .NET.

马克

这篇关于C# ActiveDirectory LDAP 组查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！