如何从Active Directory获取正确的数据进行身份验证

Question

我有一个客户端服务解决方案，其中包含一个Winforms客户端应用程序和一个WCF服务，托管在IIS中。

在WCF服务中，我可以使用自定义IAuthorizationPolicy轻松提取客户端上登录的当前用户的名称（WindowsIdentity.Name）。这是通过在Evaluate方法中获取来自EvaluationContext的WindowsIdentity来完成的。

的WindowsIdentity.Name会是这个样子：MyCompanyGroup\MyName

为了能够绑定到AD帐户，在我自己的会员制模式，我需要能够让用户选择的AD用户绑定到上的WinForms客户。为了提取AD组和用户的一棵树，我用下面的代码：

public static class ActiveDirectoryHandler 
{ 
    public static List<ActiveDirectoryTreeNode> GetGroups() 
    { 
    DirectoryEntry objADAM = default(DirectoryEntry); 
    // Binding object. 
    DirectoryEntry objGroupEntry = default(DirectoryEntry); 
    // Group Results. 
    DirectorySearcher objSearchADAM = default(DirectorySearcher); 
    // Search object. 
    SearchResultCollection objSearchResults = default(SearchResultCollection); 
    // Results collection. 
    string strPath = null; 
    // Binding path. 
    List<ActiveDirectoryTreeNode> result = new List<ActiveDirectoryTreeNode>(); 

    // Construct the binding string. 
    strPath = "LDAP://stefanserver.stefannet.local"; 
    //Change to your ADserver 

    // Get the AD LDS object. 
    try 
    { 
     objADAM = new DirectoryEntry();//strPath); 
     objADAM.RefreshCache(); 
    } 
    catch (Exception e) 
    { 
     throw e; 
    } 

    // Get search object, specify filter and scope, 
    // perform search. 
    try 
    { 
     objSearchADAM = new DirectorySearcher(objADAM); 
     objSearchADAM.Filter = "(&(objectClass=group))"; 
     objSearchADAM.SearchScope = SearchScope.Subtree; 
     objSearchResults = objSearchADAM.FindAll(); 
    } 
    catch (Exception e) 
    { 
     throw e; 
    } 

    // Enumerate groups 
    try 
    { 
     if (objSearchResults.Count != 0) 
     { 
      //SearchResult objResult = default(SearchResult); 
      foreach (SearchResult objResult in objSearchResults) 
      { 
       objGroupEntry = objResult.GetDirectoryEntry(); 
       result.Add(new ActiveDirectoryTreeNode() { Id = objGroupEntry.Guid, ParentId = objGroupEntry.Parent.Guid, Text = objGroupEntry.Name, Type = ActiveDirectoryType.Group, PickableNode = false }); 

       foreach (object child in objGroupEntry.Properties["member"]) 
        result.Add(new ActiveDirectoryTreeNode() { Id= Guid.NewGuid(), ParentId = objGroupEntry.Guid, Text = child.ToString(), Type = ActiveDirectoryType.User, PickableNode = true }); 
      } 
     } 
     else 
     { 
      throw new Exception("No groups found"); 
     } 
    } 
    catch (Exception e) 
    { 
     throw new Exception(e.Message); 
    } 

    return result; 
    } 
} 

public class ActiveDirectoryTreeNode : ISearchable 
{ 
    private Boolean _pickableNode = false; 
#region Properties 
[GenericTreeColumn(GenericTableDescriptionAttribute.MemberTypeEnum.TextBox, 0, VisibleInListMode = false, Editable = false)] 
public Guid Id { get; set; } 
[GenericTreeColumn(GenericTableDescriptionAttribute.MemberTypeEnum.TextBox, 1, VisibleInListMode = false, Editable = false)] 
public Guid ParentId { get; set; } 
[GenericTreeColumn(GenericTableDescriptionAttribute.MemberTypeEnum.TextBox, 2, Editable = false)] 
public string Text { get; set; } 
public ActiveDirectoryType Type { get; set; } 
#endregion 

#region ISearchable 
public string SearchString 
{ 
    get { return Text.ToLower(); } 
} 

public bool PickableNode 
{ 
    get { return _pickableNode; } 
    set { _pickableNode = value; } 
} 
#endregion 

} 

public enum ActiveDirectoryType 
{ 
    Group, 
    User 
} 

树可能是这个样子：

CN=Users* 
- CN=Domain Guests,CN=Users,DC=MyCompany,DC=local 
- CN=5-1-5-11,CN=ForeignSecurityPrinipals,DC=MyCompany,DC=local 
... 
CN=Domain Admins 
- CN=MyName,CN=Users,DC=MyCompany,DC=local 
... 

（* =集团）

名称是不同的格式，我不明白这可以与服务的名称相比。

那么如何提取适当的Active Directory数据的树？

Answer 1

我不能声称明白你在问什么，但这里有一些信息，我希望你能找到帮助。

您在服务中看到的名称（即“MyName”）对应于AD中名为sAMAccountName的属性。您可以通过Properties集合从DirectoryEntry中获取sAMAccountName。例如，如果你想显示sAMAccountName你组的每个成员，你可以做到以下几点：

var objSearchADAM = new DirectorySearcher(); 
objSearchADAM.Filter = "(&(objectClass=group))"; 
objSearchADAM.SearchScope = SearchScope.Subtree; 
var objSearchResults = objSearchADAM.FindAll(); 

foreach (SearchResult objResult in objSearchResults) 
{ 
    using (var objGroupEntry = objResult.GetDirectoryEntry()) 
    { 
     foreach (string child in objGroupEntry.Properties["member"]) 
     { 
      var path = "LDAP://" + child.Replace("/", "\\/"); 
      using (var memberEntry = new DirectoryEntry(path)) 
      { 
       if (memberEntry.Properties.Contains("sAMAccountName")) 
       { 
        // Get sAMAccountName 
        string sAMAccountName = memberEntry.Properties["sAMAccountName"][0].ToString(); 
        Console.WriteLine(sAMAccountName); 
       } 

       if (memberEntry.Properties.Contains("objectSid")) 
       { 
        // Get objectSid 
        byte[] sidBytes = (byte[]) memberEntry.Properties["objectSid"][0]; 
        var sid = new System.Security.Principal.SecurityIdentifier(sidBytes, 0); 
        Console.WriteLine(sid.ToString()); 
       } 
      } 
     } 
    } 
} 

您也可能会发现UserPrincipal有趣。有了这个类可以非常方便的连接到用户对象在AD与FindByIdentity方法如下所示：

var ctx = new PrincipalContext(ContextType.Domain, null); 
using (var up = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "MyName")) 
{ 
    Console.WriteLine(up.DistinguishedName); 
    Console.WriteLine(up.SamAccountName); 

    // Print groups that this user is a member of 
    foreach (var group in up.GetGroups()) 
    { 
     Console.WriteLine(group.SamAccountName); 
    } 
}