Inferring LDAP address from NT domain name


Question

Given a NT style account name (DOMAIN\UserName) is it possible to infer what the LDAP address for that domain is so that user info can be looked up?

My scenario: I have an asp.net app running on IIS that accepts both anonymous and domain users. The anonymous users have to sign in, but for domain users I check the server headers for the domain user name provided by IIS. I need to look up some info from active directory like email address etc. I have got this working if I supply the LDAP address in config but would prefer not to have to maintain this extra config value if I can avoid it.

Answer

If all of the domains are part of the same forest, you should be able to do a global catalog search (GC:// instead of LDAP://). You only get a partial attribute set back, but you can get the distinguishedName and then do a standard LDAP:// lookup.

If you're in the situation where you have different domains that are in different forests, then one simple way would be to build a look-up table of your NetBIOS domain names. For each forest, you do a subtree search of CN=Partitions,CN=Configuration,DC=YourDomain,DC=com with a filter of (netBIOSname=*) and you'll get back a list of the domains in that forest. The dnsRoot attribute will give you the DNS name of the domain and you can just use that to bind to, or do a DNS lookup of it and use the first address you get to bind to. Or you can use the dnsRoot to create a System.DirectoryServices.ActiveDirectory.DirectoryContext with a DirectoryContextType of DirectoryServer to get you a reference to the domain controller. Or you could use nCName (gives you the namingContext of the domain).

I can probably help more, if you can provide more details, or if any of that wasn't clear.

Added:

  1. You can get a DirectoryEntry by doing a "serverless bind", supplying the distinguishedName of an object in the directory, e.g. "LDAP://CN=User1,CN=Users,DC=yourdomain,DC=com". This will automatically discover an appropriate domain controller and bind to it to get the object.
  2. If you search with a DirectorySearcher and you don't supply a SearchRoot object, it will automatically bind to the root of the current domain. You can supply a SearchRoot to narrow the search, but you don't have to.
  3. If you absolutely need the name of the current domain, you can bind to an object called RootDSE ("LDAP://RootDSE") and read the value of the defaultNamingContext property. That returns the "DC=yourdomain,DC=com" bit.


Frankly, more general code is probably not worth the pain unless you're sure you're going to need it because it will be dependent on the structure of your domains and forests. E.g. if you have two forests, is there a trust between them: you won't know this until you have two forests and the solution will depend on this. There's a pithy little maxim in agile development which escapes me but it goes along the lines of don't code what you don't need now.

Here's a console program that will perform such a search:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.DirectoryServices;

namespace SearchDirectory
{
    class Program
    {
        static void Main(string[] args)
        {
            // NT-style name as IIS supplies it (DOMAIN\user); only the user part is searched for.
            string user = @"YOURDOMAIN\yourid";

            // No SearchRoot supplied: the searcher binds to the root of the current domain.
            using (DirectorySearcher ds = new DirectorySearcher())
            {
                ds.SearchScope = SearchScope.Subtree;
                ds.Filter = String.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))",
                    user.Split('\\')[1]);
                ds.PageSize = 1000;
                using (SearchResultCollection src = ds.FindAll())
                {
                    foreach (SearchResult sr in src)
                        Console.WriteLine(sr.Properties["distinguishedName"][0].ToString());
                }
            }

            Console.WriteLine("\nPress a key to continue...");
            Console.ReadKey(true);
        }
    }
}

I've cut some corners on this but it should get you started. My advice is to get it working in a console program and then move the class to your ASP.NET project. There are plenty of odd errors System.DirectoryServices can throw you and using S.DS inside of ASP.NET can be fun too, so it's best to know your code works before you wrap it in all of that ASP.NET loveliness.
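The following is an added example, not part of the answer above, that pulls together the two pieces the answer describes: the (netBIOSName=*) search under CN=Partitions to build a NetBIOS-to-dnsRoot table, and the sAMAccountName lookup from the console program. It also fixes two things a practitioner would want before moving this into ASP.NET: the posted code calls user.Split('\\')[1], which throws if the header value has no backslash, and it formats the name straight into the LDAP filter, so a value containing *, ( or ) would change the query. The parsing helper tolerates DOMAIN\user, user@dns.name and a bare user name, and the filter value is escaped per RFC 4515. Identity values IIS supplies under Windows authentication are already authenticated, so the injection risk is low; the escaping is cheap insurance for the day the name comes from a less trusted source. The class and method names (NtNameLdap, TryParseAccountName, EscapeFilterValue, LoadNetBiosTable, FindUserDn) and the sample value CORP\jdoe are invented for this example; nETBIOSName, dnsRoot and configurationNamingContext are the real Active Directory attribute names.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

namespace SearchDirectory
{
    static class NtNameLdap
    {
        // Split "DOMAIN\user" or "user@dns.domain" into (domain, user). Returns false instead of
        // throwing on an empty or malformed value so bad header data never reaches the filter.
        public static bool TryParseAccountName(string name, out string domain, out string user)
        {
            domain = null; user = null;
            if (string.IsNullOrWhiteSpace(name)) return false;
            int slash = name.IndexOf('\\');
            int at = name.IndexOf('@');
            if (slash >= 0)   { domain = name.Substring(0, slash); user = name.Substring(slash + 1); }
            else if (at >= 0) { user = name.Substring(0, at);      domain = name.Substring(at + 1); }
            else              { user = name; }
            return user.Length > 0 && user.IndexOfAny(new[] { '\\', '@', '/' }) < 0;
        }

        // RFC 4515 escaping for a value placed inside an LDAP filter: *, (, ), \ and NUL become
        // \hh, and non-ASCII is emitted as escaped UTF-8 bytes.
        public static string EscapeFilterValue(string value)
        {
            var sb = new StringBuilder(value.Length);
            foreach (byte b in Encoding.UTF8.GetBytes(value))
            {
                if (b == '*' || b == '(' || b == ')' || b == '\\' || b == 0 || b >= 0x80)
                    sb.Append('\\').Append(b.ToString("x2"));
                else
                    sb.Append((char)b);
            }
            return sb.ToString();
        }

        public static string UserFilter(string sAMAccountName)
        {
            return "(&(objectClass=user)(objectCategory=person)(sAMAccountName="
                   + EscapeFilterValue(sAMAccountName) + "))";
        }

        // NetBIOS name -> DNS root for every domain in this machine's forest, read from the
        // crossRef objects under CN=Partitions in the configuration naming context.
        public static Dictionary<string, string> LoadNetBiosTable()
        {
            var table = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
            using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
            {
                string configNc = (string)rootDse.Properties["configurationNamingContext"].Value;
                using (var partitions = new DirectoryEntry("LDAP://CN=Partitions," + configNc))
                using (var ds = new DirectorySearcher(partitions, "(nETBIOSName=*)",
                                                      new[] { "nETBIOSName", "dnsRoot" }, SearchScope.Subtree))
                using (SearchResultCollection results = ds.FindAll())
                {
                    foreach (SearchResult r in results)
                    {
                        if (r.Properties["nETBIOSName"].Count == 0 || r.Properties["dnsRoot"].Count == 0) continue;
                        table[(string)r.Properties["nETBIOSName"][0]] = (string)r.Properties["dnsRoot"][0];
                    }
                }
            }
            return table;
        }

        // Resolve the NetBIOS part to a dnsRoot, serverless-bind to that domain and search for the
        // user. Unknown or missing domain falls back to the current domain (null SearchRoot).
        public static string FindUserDn(string ntName, Dictionary<string, string> netbiosToDns)
        {
            string domain, user, dnsRoot;
            if (!TryParseAccountName(ntName, out domain, out user))
                throw new ArgumentException("malformed account name", "ntName");
            DirectoryEntry root = null;
            if (domain != null && netbiosToDns.TryGetValue(domain, out dnsRoot))
                root = new DirectoryEntry("LDAP://" + dnsRoot);
            using (root)
            using (var ds = new DirectorySearcher(root, UserFilter(user),
                                                  new[] { "distinguishedName", "mail" }, SearchScope.Subtree))
            {
                SearchResult sr = ds.FindOne();
                return sr == null ? null : (string)sr.Properties["distinguishedName"][0];
            }
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
            // Offline part: constructed sample values exercising the parsing and escaping helpers.
            string d, u;
            Console.WriteLine(NtNameLdap.TryParseAccountName(@"CORP\jdoe", out d, out u) + " " + d + " " + u);
            Console.WriteLine(NtNameLdap.TryParseAccountName("jdoe@corp.example", out d, out u) + " " + d + " " + u);
            Console.WriteLine(NtNameLdap.TryParseAccountName(@"CORP\", out d, out u));
            Console.WriteLine(NtNameLdap.UserFilter("j*doe)(cn=x"));

            // Live part, only when an account name is passed on the command line (domain-joined host).
            if (args.Length > 0)
                Console.WriteLine(NtNameLdap.FindUserDn(args[0], NtNameLdap.LoadNetBiosTable()));
        }
    }
}
```

LoadNetBiosTable only sees the forest the host belongs to; for the cross-forest case in the answer you would run it once per forest (binding RootDSE on a DC of that forest) and merge the dictionaries, which is exactly the point at which the trust question raised above starts to matter.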
