ASP.NET - 获取主/相对标识符(RID)的一个DirectoryEntry / SID [英] ASP.NET - Get the Principal / Relative Identifier (RID) for a DirectoryEntry / SID
问题描述
我正在使用自定义的MembershipProvider类的Active Directory在ASP.NET 2.0 Intranet应用程序验证用户身份和他们的SID与应用程序的配置文件相关联。
I am using Active Directory in a custom MembershipProvider class to authenticate users in an ASP.NET 2.0 intranet application and associate their sid with a profile for the application.
在 ActiveDirectoryMembershipProvider 时,为 ProviderUserKey 对象的MembershipUser 如下:
SecurityIdentifier sid = (SecurityIdentifier)Membership.GetUser().ProviderUserKey;
string sidValue = sid.ToString();
/* sidValue = "S-1-5-21-XXXX-XXXX-XXXX-YY" */
据我了解, YY 是命名空间(也被称为一组/域)内的主体。
As I understand it, YY is the principal within the namespace (also referred to as a group/domain).
在使用自定义的MembershipProvider,我可以用一个DirectoryEntry对象的的objectSID 属性来获取SID
When using the custom MembershipProvider, I can get the sid using the objectSid property of a DirectoryEntry object
DirectoryEntry entry = new DirectoryEntry(path, username, password);
SecurityIdentifier sid = new SecurityIdentifier((byte[])entry.Properties["objectSid"].Value, 0);
string sidValue = sid.ToString();
/* sidValue = "S-1-5-21-XXXX-XXXX-XXXX" */
在 sidValue 在这种情况下是相同的,只是它不包含本金 YY 。
The sidValue in this case is identical, except it does not contain the principal YY.
我的问题是双重的。
- 是为了唯一标识一个人所需要的本金?
- 是否有可能获得来自DirectoryEntry对象的委托人(或通过提供任何其他类
的System.DirectoryServices)?
编辑:
已经做了一些进一步阅读( {1} 的{2} ),我现在知道,如果用户从一个组/域移动到另一个的SID可以改变。鉴于此,将使用的GUID 在的DirectoryEntry 属性定义[的objectGUID ] 是一个更好的选择为唯一标识一个用户?
Having done some further reading ({1} {2}), I now know that the sid can change if the user is moved from one group/domain to another. In light of this, would using the GUID defined in the DirectoryEntry Properties["objectGUID"] be a better choice for uniquely identifying a user?
推荐答案
本的objectGUID是用于识别用户的帐户的最佳选择。我想强调这一点,因为的objectGUID是唯一且固定的一个帐户的一个实例。如果您删除并重新创建具有相同的distinguishedName帐户,你会得到一个不同的objectGUID。所以,的objectGUID不识别用户,则其标识帐户
The objectGUID is the best choice for identifying a user account. I highlight this because the objectGUID is unique and fixed for an instance of an account. If you delete and recreate the account with the same distinguishedName you'll get a different objectGUID. So, objectGUID doesn't identify the user, it identifies the account.
所以,如果你想找出帐户,使用的objectGUID。
So, if you want to identify the account, use objectGUID.
有时候,帐户可以被删除并重新创建管理员解决问题。如果您需要识别用户即使出现这种情况,你需要选择的帐户对象上别的东西。这可能要取决于您的帐户定义的策略。也许你有不基于用户的名字sAMAccountNames?也许管理员填充雇员或employeeNumber?也许他们执行的唯一性displayNames?
Sometimes, accounts can be deleted and recreated by admins to solve problems. If you need to identify the user even after this has happened, you need to pick something else on the account object. That will probably have to depend on your account definition policies. Maybe you have sAMAccountNames that are not based on the user's name? Maybe the admins populate employeeid or employeeNumber? Maybe they enforce uniqueness for displayNames?
下面是一个链接, AD属性信息。 这里有一个链接,<一个href="http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry%5Fproperties.aspx"相对=nofollow>的DirectoryEntry属性。
Here's a link to AD attribute info. Here's a link to DirectoryEntry Properties.
这篇关于ASP.NET - 获取主/相对标识符(RID)的一个DirectoryEntry / SID的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
