Kerberos authentication over LDAP


Question


I am working on a console application which fetches user data from Active Directory using LDAP (DirectoryServices.Protocols). Currently I am able to fetch the data using basic authentication over SSL, TLS and a simple connection (neither SSL nor TLS), but now I want to fetch the data using Kerberos authentication over SSL, TLS and a simple connection. I am currently using the code below for this.

using System;
using System.DirectoryServices.Protocols;

// First attempt: bind with the caller's own Kerberos ticket, no explicit credential.
LdapDirectoryIdentifier ldap_id = new LdapDirectoryIdentifier(
                                            host,
                                            Int32.Parse(port),
                                            true,    // host is a fully qualified DNS name
                                            false);  // connection-oriented (TCP), not UDP
LdapConnection con = new LdapConnection(ldap_id);

con.AuthType = AuthType.Kerberos;
con.SessionOptions.Sealing = true;   // request the SASL confidentiality layer
con.SessionOptions.Signing = true;   // request the SASL integrity layer
con.SessionOptions.ProtocolVersion = 3;

con.Bind();


This gives me the error "ldap server is unavailable". Can someone please suggest what is wrong with the above code? Also please let me know if there is any setting I need to do on the server and client for Kerberos authentication. Do I need to pass the network credentials as given below, as I am passing them for basic authentication?

using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Second attempt: same identifier, but an explicit credential and the auth type
// passed to the LdapConnection constructor, as done for basic authentication.
LdapDirectoryIdentifier ldapIdentifier = new LdapDirectoryIdentifier(
                                            host,
                                            Int32.Parse(port),
                                            true,    // host is a fully qualified DNS name
                                            false);  // connection-oriented (TCP), not UDP
NetworkCredential credential = new NetworkCredential(username, password);
LdapConnection con = new LdapConnection(ldapIdentifier, credential, AuthType.Kerberos);
con.SessionOptions.Sealing = true;   // request the SASL confidentiality layer
con.SessionOptions.Signing = true;   // request the SASL integrity layer
con.SessionOptions.ProtocolVersion = 3;
con.Bind();

Answer


Below is the code that works for Basic and Kerberos authentication over SSL, TLS and simple (neither SSL nor TLS) connections over LDAP.


Note: the connectionAccountName passed to the NetworkCredential should be the user principal name. You can check a user's principal name by checking the value of the userPrincipalName attribute in the Attribute Editor section of the user in Active Directory. The port for SSL is 636 and for the others it will be 389.

using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Assumed declarations that the answer does not show (they live outside the method):
// the connection-type selector and the well-known LDAP ports mentioned in the note.
enum LDAPConnectionType { SSL, TLS, Simple }
enum LDAPPorts { Default = 389, SSL = 636 }

var networkCredential = new NetworkCredential(connectionAccountName, connectionAccountPassword);
LdapDirectoryIdentifier ldapDirectoryIdentifier = null;
LdapConnection ldapConnection = null;
AuthType authType = AuthType.Kerberos;   // or AuthType.Basic; both work with this code

switch (connectionType)
{
    case LDAPConnectionType.SSL:
                // LDAPS: TLS is negotiated before any LDAP traffic, on port 636.
                ldapDirectoryIdentifier = new LdapDirectoryIdentifier(ldapServerName, Convert.ToInt16(LDAPPorts.SSL));
                ldapConnection = new LdapConnection(ldapDirectoryIdentifier, networkCredential, authType);
                ldapConnection.SessionOptions.ProtocolVersion = 3;
                // ServerCallback is the caller's VerifyServerCertificateCallback(LdapConnection, X509Certificate);
                // it must validate the server certificate, not just return true.
                ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
                ldapConnection.SessionOptions.SecureSocketLayer = true;

                break;

    case LDAPConnectionType.TLS:
                // StartTLS: plain connection on 389, upgraded to TLS before the bind.
                ldapDirectoryIdentifier = new LdapDirectoryIdentifier(ldapServerName, Convert.ToInt16(LDAPPorts.Default));
                ldapConnection = new LdapConnection(ldapDirectoryIdentifier, networkCredential, authType);
                ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
                ldapConnection.SessionOptions.StartTransportLayerSecurity(null);

                break;

    default:
                // Simple connection on 389 with no transport encryption.
                ldapDirectoryIdentifier = new LdapDirectoryIdentifier(ldapServerName, Convert.ToInt16(LDAPPorts.Default));
                ldapConnection = new LdapConnection(ldapDirectoryIdentifier, networkCredential, authType);

                break;
}

ldapConnection.Bind();

Thanks

Umesh Tayade
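The answer wires in a ServerCallback it never shows, and that callback decides whether the SSL and StartTLS paths are actually protected. As an added example (not the answer's code), here is a callback that checks the certificate chain and host name instead of accepting every certificate, used for a Kerberos bind over LDAPS or StartTLS; ldapServerName, port, useSsl and credential are assumed parameter names.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class LdapTlsClient
{
    public static LdapConnection Connect(string ldapServerName, int port, bool useSsl,
                                         NetworkCredential credential)
    {
        var identifier = new LdapDirectoryIdentifier(ldapServerName, port);
        var connection = new LdapConnection(identifier, credential, AuthType.Kerberos);
        connection.SessionOptions.ProtocolVersion = 3;
        // Runs for both LDAPS and StartTLS. Returning true unconditionally here would
        // accept any certificate, including one presented by a host in the middle.
        connection.SessionOptions.VerifyServerCertificate =
            (conn, cert) => IsTrustedServerCertificate(cert, ldapServerName);
        if (useSsl)
            connection.SessionOptions.SecureSocketLayer = true;          // LDAPS, port 636
        else
            connection.SessionOptions.StartTransportLayerSecurity(null); // StartTLS on 389
        connection.Bind();
        return connection;
    }

    // Accept only a certificate that chains to a trusted root, is not revoked,
    // and is issued for the host we asked for.
    public static bool IsTrustedServerCertificate(X509Certificate certificate, string expectedHost)
    {
        if (certificate == null) return false;
        var cert = new X509Certificate2(certificate);
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            if (!chain.Build(cert)) return false;   // untrusted, expired or revoked
        }
        // GetNameInfo returns the first DNS SAN entry (or the CN); extend this check
        // if your directory servers carry several SAN names.
        string certHost = cert.GetNameInfo(X509NameType.DnsName, false);
        return string.Equals(certHost, expectedHost, StringComparison.OrdinalIgnoreCase);
    }
}
```

Pass the same DNS name to Connect that the server certificate carries; connecting by IP address makes the host-name check fail by design.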
