Active Directory Services: PrincipalContext -- What is the DN of a "container" object?


Problem description


I'm currently trying to authenticate via Active Directory Services using the PrincipalContext class. I would like to have my application authenticate to the Domain using Sealed and SSL contexts. In order to do this, I have to use the following constructor of PrincipalContext (link to MSDN page):

public PrincipalContext(
    ContextType contextType,
    string name,
    string container,
    ContextOptions options
)


Specifically, I'm using the constructor like so:

PrincipalContext domainContext = new PrincipalContext(
    ContextType.Domain, 
    domain, 
    container, 
    ContextOptions.Sealing | ContextOptions.SecureSocketLayer);


MSDN says about "container":


The container on the store to use as the root of the context. All queries are performed under this root, and all inserts are performed into this container. For Domain and ApplicationDirectory context types, this parameter is the distinguished name (DN) of a container object.


What is the DN of a container object? How do I find out what my container object is? Can I query the Active Directory (or LDAP) server for this?

Recommended answer


Well, I managed to figure out the issue:

PrincipalContext domainContext = new PrincipalContext(ContextType.Domain,domain);

domainContext.ValidateCredentials(userName, password, 
    ContextOptions.Negotiate | ContextOptions.SecureSocketLayer);


Specifying the ContextOptions in the ValidateCredentials method (instead of in the constructor) allowed me to avoid having to specify a DN for a container object.

Update:


Although I should clarify that after further experimentation, I found that any queries derived from this PrincipalContext object take place UN-encrypted.


Apparently, when the ContextOptions are set in ValidateCredentials, those options are only used for that specific call of ValidateCredentials. But here's where it gets strange...


So, I wanted to have my queries to the AD server take place encrypted as well. Example query:

UserPrincipal p = UserPrincipal.FindByIdentity(
    domainContext, IdentityType.SamAccountName, userName);
var groups = p.GetGroups();
foreach (GroupPrincipal g in groups) { /* do something */ }


The above code gets a list of all the Groups that the user belongs to, but it happens in the clear (unencrypted). So after much fiddling, I discovered that the DN never needs to be set.

PrincipalContext domainContext = new PrincipalContext(ContextType.Domain,domain,
    null,ContextOptions.Negotiate | ContextOptions.SecureSocketLayer);


I found that I could set the container object (DN) to null. And this works fine. Setting it to an empty string ("") results in an exception of some unknown type, so don't think you can give it an empty string.


And here's the weird part. You'd think that setting the SecureSocketLayer option in the PrincipalContext would mean that you don't have to explicitly set it when you use VerifyCredentials. But I found that if I didn't set it in the VerifyCredentials part, the authentication would fail, but the queries (like in the example to the Groups) still take place encrypted.


Maybe I just don't fully understand AD authentication and queries yet, but that seems like odd behavior to me.
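As an added example (not code from the question or the answer above), the following program puts the answer's findings together: the encryption options are passed to the PrincipalContext constructor with a null container (not an empty string) and repeated in the ValidateCredentials call, after which the group query runs over the same encrypted context. It also reads the domain's defaultNamingContext from RootDSE, which is the DN you would pass as the container if you wanted to scope the context explicitly. The domain, user name and password are placeholder values, and the option set follows the answer's Negotiate | SecureSocketLayer choice.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

class AdAuthExample
{
    // Returns the DN of the domain root (for example "DC=example,DC=com").
    // This is a valid value for the "container" parameter if you want to
    // scope queries to the whole domain explicitly instead of passing null.
    static string GetDefaultNamingContext(string domain)
    {
        using (var rootDse = new DirectoryEntry("LDAP://" + domain + "/RootDSE"))
        {
            return (string)rootDse.Properties["defaultNamingContext"].Value;
        }
    }

    static void Main()
    {
        // Placeholder values; replace with your own domain and credentials.
        string domain = "example.com";
        string userName = "jdoe";
        string password = "secret";

        var secureOptions = ContextOptions.Negotiate | ContextOptions.SecureSocketLayer;

        Console.WriteLine("Domain root DN: " + GetDefaultNamingContext(domain));

        // Container is null, as the answer found; an empty string throws.
        using (var domainContext = new PrincipalContext(
            ContextType.Domain, domain, null, secureOptions))
        {
            // The answer found the options must be repeated here, or the
            // authentication fails even though the context already has them.
            bool valid = domainContext.ValidateCredentials(userName, password, secureOptions);
            Console.WriteLine("Credentials valid: " + valid);
            if (!valid) return;

            // Group lookup runs over the context built above, so it is encrypted.
            using (var user = UserPrincipal.FindByIdentity(
                domainContext, IdentityType.SamAccountName, userName))
            {
                if (user == null) return;
                foreach (var group in user.GetGroups())
                {
                    Console.WriteLine("Member of: " + group.SamAccountName);
                    group.Dispose();
                }
            }
        }
    }
}
```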
