问题描述
基本上我想要做的是,我有一个 ASP.Net Web 应用程序,它使用表单身份验证和一些自定义代码将其链接到 ActiveDirectory(非常类似于 这 有效).
Basically what I'm trying to do is, I have an ASP.Net web application that's using Forms Authentication with some custom code to link it to ActiveDirectory (very similar to how this works).
但是,每当我在域控制器中查询用户组时,它只返回他们明确所在的组,而不是子组(id est,有一个用户所属的特定安全组,比如组 A,即我想要的组的成员,比如组 B,用户显式在组 A 中,但仅隐式在组 B 中,因为组 A 是组 B 的成员.
However, whenever I query the domain controller for the users groups it only returns the groups that they're explicitly in and not subgroups (id est, there's a specific Security Group that the user belongs to, say group A, that is a member of the group I want, say group B, the user is explicitly in group A, but only implicitly in group B because group A is a member of group B).
我已阅读 tokenGroups 查询可以帮助我,但目前我没有办法解析该数据.
I've read the tokenGroups querying could help me out here but currently I don't have a way to parse that data.
但是,如果我可以通过 LDAP 查询传递某些组,并且如果该用户是否在该组中,域控制器只给我一个布尔值(真/假),那么最可取的是.
However what would be most preferable is if I could pass certain groups via an LDAP query and have the Domain controller just give me a boolean (true/false) if that user is within that group or not.
有什么建议吗?
推荐答案
是的,通常"的 user.Properties["memberOf"]
只返回直接成员资格.
Yes, the "usual" user.Properties["memberOf"]
only returns direct memberships.
如果您使用的是 .NET 3.5,则可以使用更现代的基于主体"的方法:
If you're using .NET 3.5 however, you can use the more modern "principal-based" methods:
using(PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
using(Principal p = Principal.FindByIdentity(ctx, "yourUserName"))
{
var groups = p.GetGroups();
using (groups)
{
foreach (Principal group in groups)
{
Console.WriteLine(group.SamAccountName + "-" + group.DisplayName);
}
}
}
}
此方法(向您的项目添加对System.DirectoryServices.AccountManagement"程序集的引用)应该可以工作,并且还可以提供用户的主要组及其嵌套组成员身份.
This method (add a reference to the "System.DirectoryServices.AccountManagement" assembly to your project) should work and deliver the user's primary group and its nested group memberships as well.
如果您使用的是 .NET 2.0/3.0 并且无法升级,则通过阅读tokenGroups"属性来使用该方法是最好的方法 - 请参阅 Ryan Dunn 的优秀博客中有关如何执行所有这些操作的详细信息发布,枚举 .NET 中的令牌组 (tokenGroups).
If you're on .NET 2.0/3.0 and can't move up, using the approach by reading the "tokenGroups" attribute is the best approach - see the details about how to do all of this in Ryan Dunn's excellent blog post, Enumerating Token Groups (tokenGroups) in .NET.
马克
这篇关于C# ActiveDirectory LDAP 组查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!