问题描述
我正在使用 LdapAuthentication 将用户登录到 Active Directory.我想找到用户所属的所有组.我正在使用以下代码:
I am using LdapAuthentication to log a user into Active Directory. I want to find all the groups that the user belongs to. I am using the following code:
string adPath = "LDAP://OU=HR Controlled Users,OU=All Users,DC=myDomain,DC=local";
LdapAuthentication adAuth = new LdapAuthentication(adPath);
try
{
if (true == adAuth.IsAuthenticated("myDomain", txtLoginEmail.Text, txtLoginPassword.Text))
{
string email = txtLoginEmail.Text;
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
{
UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Name, email);
foreach (var group in user.GetGroups())
{
Console.WriteLine(group.Name);
}
}
}
}
catch(Exception e) { /* Handle Error */ }
我的问题是,当我调用 UserPrincipal.FindByIdentity() 时,我总是得到一个空值,即使用户身份验证按预期工作.
My problem is that when I call UserPrincipal.FindByIdentity() I always get a null value, even though the user authentication works as intended.
为什么会这样?代码或我的方法有问题吗?这是在 ASP.NET 4.0 WebForms 应用程序中运行的.
Why is this happening? Is there a problem with the code or with my approach? This is running inside an ASP.NET 4.0 WebForms application.
更新:
显然我一直在使用错误的 IdentityType (cn).我在调试中检查,帐户名称是UserA".
Apparently I have been using the wrong IdentityType (cn). I checked in debug and the name of the account is "UserA".
所以我尝试手动使用以下代码:
So I tried using the following code manually:
UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Name, "UserA");
但我仍然为空.
更新 2(已解决):
这个问题有两个方面.我需要在声明 PrincipalContext
时指定域控制器的名称.
The issue was two fold. I needed to specify the name of my domain controller when declaring the PrincipalContext
.
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "myDomain"))
{
// code here...
}
然后,在搜索UserPrincipal
时,我使用了错误的IdentityType
;我正在使用 IdentityType.Name
- 这是帐户名称 - 而不是 IdentityType.SamAccountName
- 这是用户名进行搜索.
Then, when searching for the UserPrincipal
I was using the wrong IdentityType
; I was searching with IdentityType.Name
- which is the name of the account - instead of IdentityType.SamAccountName
- which is the username.
UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, email);
问题已解决.
推荐答案
通过使用 IdentityType.Name
,您告诉它您传递的值是帐户的名称(即是 cn
属性).如果要按用户名(sAMAccountName
属性)进行匹配,则需要传递 IdentityType.SamAccountName
.
By using IdentityType.Name
, you're telling it that the value you're passing is the name of the account (which is the cn
attribute). If you want to match by username (the sAMAccountName
atrribute), you'll need to pass IdentityType.SamAccountName
.
旧答案:但是您似乎将电子邮件地址发送给它.所以这确实永远不会返回任何东西.
Old answer: But you seem to be sending it the email address. So that will indeed always return nothing.
AD 不认为电子邮件地址是唯一标识符,因此您不能将 FindByIdentity
与电子邮件地址一起使用.
AD does not consider an email address to be a unique identifier, so you cannot use FindByIdentity
with an email address.
这是一个关于如何通过电子邮件地址搜索的示例:http://doogalbellend.blogspot.ca/2012/03/finding-userprincipal-for-email-address.html
Here is an example on how to search by email address: http://doogalbellend.blogspot.ca/2012/03/finding-userprincipal-for-email-address.html
这篇关于UserPrincipal.FindByIdentity() 总是返回 null的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!