Authenticate user in Global Catalog


Problem description

I need to authenticate a user's Windows credentials, given a userId, domain and password. Our Active Directory contains multiple domains, some of which we can list using the following code:

var domains = System.DirectoryServices.ActiveDirectory.Forest.GetCurrentForest().Domains;



However, we also have users that belong to domains outside the forest. They are, however, accessible to me from the Global Catalog (GC). The code below allows me to get a directory entry for a userId.

System.DirectoryServices.DirectoryEntry globalCatalogDE = new System.DirectoryServices.DirectoryEntry("GC://DC=nsroot,DC=net");
var ds = new System.DirectoryServices.DirectorySearcher(globalCatalogDE);
ds.Filter = "(&(objectClass=user)(sAMAccountName=" + userId + "))";
System.DirectoryServices.DirectoryEntry userDE = ds.FindAll()[0].GetDirectoryEntry();



How do I authenticate a user that belongs to a domain I cannot directly access but is available to me in the GC?

Recommended answer

You can't authenticate a user by looking in the Global Catalog; it's for searching only (any attribute marked with the isMemberOfPartialAttributeSet in the schema for each domain is replicated to the GC).

Passwords are not replicated to it; otherwise you would have the passwords of all users in the entire forest on each domain controller, which would be very bad from a security and replication standpoint. You need to establish a connection to the domain where the user's credentials are stored (i.e. you need access to LDAP ports 389 or 636).
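The split the answer describes, as an added example that is not part of the original question or answer: the GC is used only to find the user's home domain, and the password check is an LDAPS bind (port 636) against that domain. The class and method names are hypothetical, and it assumes a domain controller for the user's domain is reachable by the domain's DNS name.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.Linq;
using System.Net;
using System.Text;

static class GcLookupThenDomainBind // hypothetical name, added for illustration
{
    // RFC 4515 escaping so a crafted userId cannot change the search filter.
    static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            sb.Append("\\*()\0".IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }

    // "CN=jdoe,OU=Staff,DC=emea,DC=example,DC=com" -> "emea.example.com" (constructed sample DN).
    static string DomainFromDn(string dn) =>
        string.Join(".", dn.Split(',').Select(p => p.Trim())
            .Where(p => p.StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
            .Select(p => p.Substring(3)));

    public static bool Authenticate(string gcPath, string userId, string password)
    {
        if (string.IsNullOrEmpty(password)) return false; // never attempt a bind with an empty password
        string dn;
        using (var gc = new DirectoryEntry(gcPath))
        using (var ds = new DirectorySearcher(gc))
        {
            ds.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilter(userId) + "))";
            ds.PropertiesToLoad.Add("distinguishedName");
            using (var hits = ds.FindAll())
            {
                if (hits.Count != 1) return false; // not found, or the same name exists in several domains
                dn = (string)hits[0].Properties["distinguishedName"][0];
            }
        }
        string domain = DomainFromDn(dn);
        // The GC holds no passwords: verify them by binding to the user's own domain over LDAPS.
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(domain, 636)))
        {
            conn.SessionOptions.SecureSocketLayer = true;
            conn.AuthType = AuthType.Negotiate;
            try { conn.Bind(new NetworkCredential(userId, password, domain)); return true; }
            catch (LdapException ex) when (ex.ErrorCode == 49) { return false; } // 49 = invalidCredentials
        }
    }
}
```

Any other LdapException (for example, the domain controller being unreachable) propagates to the caller, so a network failure is not reported as a wrong password.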
