Recursively querying LDAP group membership(递归查询 LDAP 组成员资格)
问题描述
我正在编写一个基于 MVC (.NET 4.0) 的网站,该网站需要来自我的公司 LDAP 服务器的登录凭据.我的代码需要的是只允许属于某个组的用户.例如,我可能正在寻找属于企业 IT"组的用户.我的凭据可能是系统管理员"组的一部分,该组是企业 IT"的子组.我正在使用表单身份验证.
I'm writing an MVC-based (.NET 4.0) website that requires login credentials from my corporate LDAP server. What my code requires is to allow only the users that are part of a certain group. As an example, I could be looking for users that are part of the "Corporate IT" group. My credentials could be part of the "System Admins" group which is a subgroup of "Corporate IT". I'm using Forms Authentication.
当用户登录时,我将如何递归检查用户属于哪个组?
How would I recursively check what group a user is under when they log in?
推荐答案
对于通过搜索此类查询来到这里的其他人,这是我在我的应用程序中的做法:
For anybody else coming here from a search for this type of query, here is how I did it in my application:
关键是 1.2.840.113556.1.4.1941 扩展搜索过滤器.由于此特定过滤器仅适用于 DN,因此我首先获取要检查的用户的 DN,然后查询组以查看此特定用户是否是链中任何组的成员.
The key is 1.2.840.113556.1.4.1941 extended search filter. Since this particular filter works with DNs only, I first get hold of DN of the user I want to check and then query groups to see if this particular user is a member of any of groups in chain.
internal const string UserNameSearchFilter = "(&(objectCategory=user)(objectClass=user)(|(userPrincipalName={0})(samAccountName={0})))";
internal const string MembershipFilter = "(&(objectCategory=group)(objectClass=group)(cn=MyGroup)(member:1.2.840.113556.1.4.1941:={0}))";
using (var de = new DirectoryEntry(AppSettings.LDAPRootContainer, AppSettings.AdminUser, AppSettings.AdminPassword, AuthenticationTypes.FastBind))
using (var ds = new DirectorySearcher(de) { Filter = string.Format(UserNameSearchFilter, username) })
{
ds.PropertiesToLoad.AddRange(new[] { "distinguishedName" });
var user = ds.FindOne();
if (user != null)
using (var gds = new DirectorySearcher(de) { PropertyNamesOnly = true, Filter = string.Format(MembershipFilter, user.Properties["distinguishedName"][0] as string) })
{
gds.PropertiesToLoad.AddRange(new[] { "objectGuid" });
return gds.FindOne() != null;
}
}
这篇关于递归查询 LDAP 组成员资格的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!
本文标题为:递归查询 LDAP 组成员资格
基础教程推荐
- MS Visual Studio .NET 的替代品 2022-01-01
- 如何在 IDE 中获取 Xamarin Studio C# 输出? 2022-01-01
- SSE 浮点算术是否可重现? 2022-01-01
- rabbitmq 的 REST API 2022-01-01
- 将 Office 安装到 Windows 容器 (servercore:ltsc2019) 失败,错误代码为 17002 2022-01-01
- c# Math.Sqrt 实现 2022-01-01
- 为什么Flurl.Http DownloadFileAsync/Http客户端GetAsync需要 2022-09-30
- 如何激活MC67中的红灯 2022-01-01
- 将 XML 转换为通用列表 2022-01-01
- 有没有办法忽略 2GB 文件上传的 maxRequestLength 限制? 2022-01-01