DirectorySearcher FindOne() delay on initial execution


Problem description


I'm seeing an initial delay of 2-5 seconds between the time that I execute DirectorySearcher FindOne() and the first network packet I see go out to the LDAP server. After the initial execution, subsequent executions complete instantly for about 45 seconds. After that period of fast executions, the next execution will be delayed and again all subsequent executions will complete instantly. It seems like there's some sort of caching going on but I haven't been able to find any resources confirming that or describing what is causing the initial delay.

We noticed this on a client Windows 2008 server and then reproduced on our own Windows 2008 and Windows 7 boxes.

Here's what my simple .NET 4.0 C# app looks like. The delay occurs between the "Started" and "Finished" messages.

Any idea why this delay occurs on the initial FindOne() execution? Any help is much appreciated!

using System;
using System.Collections.Generic;
using System.Text;

using System.DirectoryServices;

namespace LdapTest
{
    class Program
    {
        static void Main(string[] args)
        {
            // Attributes to load for each result; an empty array leaves the
            // searcher's default property set in place.
            string[] fetchAttributes = new string[0];

            // Bind with a service account given by distinguished name, using only
            // the ReadonlyServer flag (no Secure flag, so this is a simple bind).
            using (DirectoryEntry searchRoot = new DirectoryEntry("LDAP://localserver/ou=lab,dc=ourdomain,dc=com", "cn=binduser,ou=Services,dc=ourdomain,dc=com", "Password", AuthenticationTypes.ReadonlyServer))
            {
                using (DirectorySearcher searcher = new DirectorySearcher(searchRoot, "(sAMAccountName=UserName)", fetchAttributes, SearchScope.Subtree))
                {
                    Console.WriteLine("Started");
                    // The 2-5 second delay reported above occurs in this call.
                    SearchResult result = searcher.FindOne();
                    Console.WriteLine("Finished");
                }
            }
        }
    }
}

Solution

According to the LDAP ADsPath MSDN article, you should specify the ServerBind flag if your binding LDAP path points to a server to avoid unnecessary network traffic. It also recommends giving the full DNS name of the server. In addition, the ReadonlyServer flag is meaningless when pointing to a server. So my first suggestion is to replace the ReadonlyServer flag with ServerBind (and preferably give the full DNS name), or remove the server part of the string (in your example, make it LDAP://ou=lab,dc=ourdomain,dc=com or LDAP://ourdomain.com/ou=lab,dc=ourdomain,dc=com).

The other thing to look at is that you're providing the username by distinguished name. If you look at the core API that DirectoryEntry uses, IADsOpenDSObject::OpenDSObject, it requires that the lpReserved flag [the AuthenticationTypes parameter in DirectoryEntry] is zero [None] or includes the ADS_USE_SSL [SecureSocketsLayer] flag when passing a distinguished name for the username. Note that the SecureSocketsLayer flag requires that a certificate server is installed in Active Directory before you can use this flag. You might want to pass the username in a different format.

Finally, this MSDN page says that without any authentication flags, the username and password are sent in cleartext. You should add the Secure flag.
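The following is an added example, not code from the question or the answer above, that applies the answer's three suggestions to the original program: a full DNS server name with ServerBind, the Secure flag so the credentials are not sent as a cleartext simple bind, and a non-DN username format. It also times consecutive FindOne() calls so the first-call delay from the question can be measured next to the later calls. The server name dc01.ourdomain.com, the UPN binduser@ourdomain.com, and the Sealing flag are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.DirectoryServices;

namespace LdapTest
{
    class HardenedLookup
    {
        // Assumed values (placeholders, not from the original post): a full DNS name
        // for the DC and a UPN-format bind account instead of a distinguished name.
        const string SearchRootPath = "LDAP://dc01.ourdomain.com/ou=lab,dc=ourdomain,dc=com";
        const string BindUser = "binduser@ourdomain.com";
        const string BindPassword = "Password"; // read from a secret store in real code

        // Secure: SSPI (Kerberos/NTLM) bind instead of a cleartext simple bind.
        // ServerBind: the path names one server, so skip the DC locator lookup.
        // Sealing: encrypt the LDAP traffic after the bind (requires Secure).
        const AuthenticationTypes BindFlags =
            AuthenticationTypes.Secure | AuthenticationTypes.ServerBind | AuthenticationTypes.Sealing;

        static SearchResult FindUser(string samAccountName)
        {
            using (DirectoryEntry searchRoot = new DirectoryEntry(SearchRootPath, BindUser, BindPassword, BindFlags))
            using (DirectorySearcher searcher = new DirectorySearcher(
                       searchRoot,
                       "(sAMAccountName=" + samAccountName + ")",
                       new string[] { "distinguishedName", "sAMAccountName" },
                       SearchScope.Subtree))
            {
                return searcher.FindOne();
            }
        }

        static void Main(string[] args)
        {
            // Time a few lookups in a row: the first call is where the question's
            // delay shows up, the later ones should complete almost instantly.
            for (int i = 0; i < 3; i++)
            {
                Stopwatch sw = Stopwatch.StartNew();
                SearchResult result = FindUser("UserName");
                sw.Stop();
                Console.WriteLine("Lookup {0}: {1} ms, found={2}", i + 1, sw.ElapsedMilliseconds, result != null);
            }
        }
    }
}
```

Compare the per-call timings with and without ServerBind to confirm whether the DC locator lookup is the source of the initial delay in your environment.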
