Optimize AD search - get group members


Problem description


Is it possible to query only those members of a group that are themselves groups in AD?

Now I am using the following code:

var group = GroupPrincipal.FindByIdentity(ctx, identityType, domainGroup);
if (null != group)
{
    var subGroups = group.GetMembers().Where(g => g is GroupPrincipal).Select(g => g.Name);
................
}

The problem is that my group has a large number of users (more than 50 000); as a result, the query takes an extremely long time. Also, a large amount of data is transferred.

How can I query only direct sub groups (not users) in a single request?

EDIT

I ended up with DirectorySearcher. Here is my completed code:

using (var searcher = new DirectorySearcher(string.Format("(&(objectCategory=group)(objectClass=group)(memberof={0}))", group.DistinguishedName), new[] { "cn" }))
{
    searcher.PageSize = 10000;
    var results = SafeFindAll(searcher);

    foreach (SearchResult result in results)
    {
        for (int i = 0; i < result.Properties["cn"].Count; i++)
        {
            subGroups.Add((string)result.Properties["cn"][i]);
        }
    }
}
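
An added example, not part of the original question: the filter above inserts group.DistinguishedName into the search filter unescaped, and a DN may legally contain `\`, `(`, `)` or `*`, which RFC 4515 requires to be hex-escaped inside a filter value. The sketch below escapes the DN before building the same direct-sub-group filter; the class and method names and the sample DN are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

static class SubGroupSearch
{
    // RFC 4515: these characters must be hex-escaped inside a filter value.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static string DirectSubGroupFilter(string groupDn) =>
        "(&(objectCategory=group)(objectClass=group)(memberOf=" + EscapeFilterValue(groupDn) + "))";

    // Returns the cn of every group that is a direct member of groupDn.
    public static List<string> FindDirectSubGroups(string groupDn)
    {
        var names = new List<string>();
        using (var searcher = new DirectorySearcher(DirectSubGroupFilter(groupDn), new[] { "cn" }))
        {
            searcher.PageSize = 1000; // paged search, so results arrive in pages
            using (SearchResultCollection results = searcher.FindAll()) // dispose the collection
                foreach (SearchResult r in results)
                    foreach (object cn in r.Properties["cn"])
                        names.Add((string)cn);
        }
        return names;
    }

    static void Main()
    {
        // Constructed DN: the backslash-escaped comma and the parentheses are legal in a CN.
        string dn = @"CN=Ops\, Tier 1 (EU),OU=Groups,DC=example,DC=com";
        Console.WriteLine(DirectSubGroupFilter(dn)); // runs without a directory
    }
}
```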

Solution

I would suggest using the lower level DirectoryServices.Protocols namespace instead of DirectoryServices.AccountManagement for something like this.

The problem I've had (along with many others) with the AccountManagement libraries is the lack of customization and configuration. That being said, this is how I search through Active Directory, making use of System.DirectoryServices.Protocols.SearchScope as well.

//Define the connection
var ldapidentifier = new LdapDirectoryIdentifier(ServerName, port);
var ldapconn = new LdapConnection(ldapidentifier, credentials);

//Set some session options (important if the server has a self signed cert or is transferring over SSL on Port 636)
ldapconn.SessionOptions.VerifyServerCertificate += delegate { return true; };
ldapconn.SessionOptions.SecureSocketLayer = true;

//Set the auth type, I'm doing this from a config file, you'll probably want either Simple or Negotiate depending on the way your directory is configured.
ldapconn.AuthType = config.LdapAuth.LdapAuthType;

This is where DirectoryServices really starts to shine. You can easily define a filter to search by a particular group or subgroup. You could do something like this:

string ldapFilter = "(&(objectCategory=person)(objectclass=user)(memberOf=CN=All Europe,OU=Global,dc=company,dc=com))";

//Create the search request with the domain, filter, and SearchScope. You'll most likely want Subtree here, but you could possibly use Base as well.
var getUserRequest = new SearchRequest(Domain, ldapFilter, SearchScope.Subtree);

//This is crucial in getting the request speed you want.
//Setting the DomainScope will suppress any referral creation during the search
var SearchControl = new SearchOptionsControl(SearchOption.DomainScope);
getUserRequest.Controls.Add(SearchControl);

//Now, send the request, and get your array of entries back
var Response = (SearchResponse)ldapconn.SendRequest(getUserRequest);

SearchResultEntryCollection Users = Response.Entries;

This may not be exactly what you need, but as you can see, you'll have a lot more flexibility to change and modify the search criteria. I use this code to search massive domain structures, and it's almost instantaneous, even with large amounts of users and groups.
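
An added example, not part of the original answer: the VerifyServerCertificate callback shown above returns true for every certificate, so the LDAPS session no longer authenticates the server. For a self-signed server certificate, one alternative is to pin its SHA-256 fingerprint in the callback; the class and method names, the host name and the generated certificate below are constructed for illustration.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedLdaps
{
    // SHA-256 over the DER-encoded certificate, as upper-case hex.
    public static string Fingerprint(X509Certificate cert)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(cert.GetRawCertData())).Replace("-", "");
    }

    // True only when the presented certificate is exactly the pinned one.
    public static bool MatchesPin(X509Certificate cert, string pinnedSha256Hex) =>
        cert != null && string.Equals(Fingerprint(cert), pinnedSha256Hex, StringComparison.OrdinalIgnoreCase);

    // LDAPS connection that rejects any server certificate other than the pinned one.
    public static LdapConnection Connect(string server, NetworkCredential credentials, string pinnedSha256Hex)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(server, 636), credentials);
        conn.SessionOptions.SecureSocketLayer = true;
        conn.SessionOptions.VerifyServerCertificate = (c, cert) => MatchesPin(cert, pinnedSha256Hex);
        conn.AuthType = AuthType.Negotiate; // assumption; use what your directory requires
        return conn;
    }

    static void Main()
    {
        // Constructed self-signed certificate standing in for the server's certificate.
        using (var key = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=dc01.example.com", key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
            {
                string pin = Fingerprint(cert);
                Console.WriteLine(MatchesPin(cert, pin));                 // the pinned certificate
                Console.WriteLine(MatchesPin(cert, new string('0', 64))); // any other certificate
            }
        }
    }
}
```

The pin has to be updated whenever the server certificate is reissued.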
