I have a client/service solution consisting of a WinForms client application and a WCF service hosted in IIS. How do I get the right data out of Active Directory for authentication?
In the WCF service I can easily extract the name of the user currently logged on to the client (WindowsIdentity.Name) with a custom IAuthorizationPolicy. This is done in the Evaluate method by fetching the WindowsIdentity from the EvaluationContext. The WindowsIdentity.Name looks like this: MyCompanyGroup\MyName
To be able to bind AD accounts to my own membership model, I need to let the user pick which AD user to bind to in the WinForms client. To extract a tree of AD groups and users I use the following code:
using System;
using System.Collections.Generic;
using System.DirectoryServices;

public static class ActiveDirectoryHandler
{
    public static List<ActiveDirectoryTreeNode> GetGroups()
    {
        List<ActiveDirectoryTreeNode> result = new List<ActiveDirectoryTreeNode>();

        // Binding path. Change to your AD server. Currently unused: the parameterless
        // DirectoryEntry constructor binds to the root of the default domain instead.
        string strPath = "LDAP://stefanserver.stefannet.local";

        // DirectoryEntry, DirectorySearcher and SearchResultCollection all wrap
        // unmanaged ADSI objects, so dispose them instead of letting them leak.
        using (DirectoryEntry objADAM = new DirectoryEntry()) // new DirectoryEntry(strPath)
        using (DirectorySearcher objSearchADAM = new DirectorySearcher(objADAM))
        {
            objADAM.RefreshCache();

            // Find every group object below the bind point.
            objSearchADAM.Filter = "(objectClass=group)";
            objSearchADAM.SearchScope = SearchScope.Subtree;

            using (SearchResultCollection objSearchResults = objSearchADAM.FindAll())
            {
                if (objSearchResults.Count == 0)
                    throw new Exception("No groups found");

                // Enumerate groups and their members.
                foreach (SearchResult objResult in objSearchResults)
                {
                    using (DirectoryEntry objGroupEntry = objResult.GetDirectoryEntry())
                    {
                        // One node per group, keyed by the group's objectGUID; the parent
                        // is the container the group lives in.
                        result.Add(new ActiveDirectoryTreeNode()
                        {
                            Id = objGroupEntry.Guid,
                            ParentId = objGroupEntry.Parent.Guid,
                            Text = objGroupEntry.Name,
                            Type = ActiveDirectoryType.Group,
                            PickableNode = false
                        });

                        // "member" holds the distinguished names of the group's members
                        // (users, nested groups and foreign security principals alike).
                        foreach (object child in objGroupEntry.Properties["member"])
                        {
                            result.Add(new ActiveDirectoryTreeNode()
                            {
                                Id = Guid.NewGuid(),
                                ParentId = objGroupEntry.Guid,
                                Text = child.ToString(),
                                Type = ActiveDirectoryType.User,
                                PickableNode = true
                            });
                        }
                    }
                }
            }
        }

        return result;
    }
}
public class ActiveDirectoryTreeNode : ISearchable
{
    private Boolean _pickableNode = false;

    #region Properties
    [GenericTreeColumn(GenericTableDescriptionAttribute.MemberTypeEnum.TextBox, 0, VisibleInListMode = false, Editable = false)]
    public Guid Id { get; set; }

    [GenericTreeColumn(GenericTableDescriptionAttribute.MemberTypeEnum.TextBox, 1, VisibleInListMode = false, Editable = false)]
    public Guid ParentId { get; set; }

    [GenericTreeColumn(GenericTableDescriptionAttribute.MemberTypeEnum.TextBox, 2, Editable = false)]
    public string Text { get; set; }

    public ActiveDirectoryType Type { get; set; }
    #endregion

    #region ISearchable
    public string SearchString
    {
        get { return Text.ToLower(); }
    }

    public bool PickableNode
    {
        get { return _pickableNode; }
        set { _pickableNode = value; }
    }
    #endregion
}

public enum ActiveDirectoryType
{
    Group,
    User
}
The tree might look like this:

CN=Users*
- CN=Domain Guests,CN=Users,DC=MyCompany,DC=local
- CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=MyCompany,DC=local
...
CN=Domain Admins*
- CN=MyName,CN=Users,DC=MyCompany,DC=local
...
(* = group)

The names are in different formats, and I don't see how they can be compared with the name from the service.

So how do I extract the appropriate Active Directory data for the tree?
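The mismatch in the question is between two different identifiers for the same object: the service sees the Windows account name (DOMAIN\sAMAccountName) while the group's "member" attribute yields distinguished names, and the CN in a DN is a display name that need not equal the sAMAccountName at all (for the ForeignSecurityPrincipals entry it is a SID string). The example below is added here and is not code from the question or from any answer; it binds to each member DN, reads the attributes the service side can actually compare against, and does the comparison on the objectSid rather than on any name, because names can be renamed while the SID cannot. It assumes it runs as a domain user with read access to the directory, and the DN in Main is the placeholder from the question's tree, so it will throw a COMException until replaced with a real object.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;

// Added example (not from the original post): resolve a group member's DN to the
// identifiers a WCF IAuthorizationPolicy can compare against.
public static class AdIdentityResolver
{
    public sealed class ResolvedMember
    {
        public string DistinguishedName { get; set; }
        public string SamAccountName { get; set; }     // "MyName"; null for foreign security principals
        public string NtAccountName { get; set; }      // "MyCompanyGroup\MyName", same form as WindowsIdentity.Name
        public SecurityIdentifier Sid { get; set; }    // objectSid, stable across renames and moves
        public bool IsGroup { get; set; }
    }

    // Every value of a group's "member" attribute is a distinguished name, so it must be
    // prefixed with "LDAP://" to become an ADsPath. A literal "/" inside a DN has to be
    // escaped as "\/" in an ADsPath or the bind fails.
    public static ResolvedMember Resolve(string memberDn)
    {
        string adsPath = "LDAP://" + memberDn.Replace("/", "\\/");

        using (DirectoryEntry entry = new DirectoryEntry(adsPath))
        {
            // Load only the attributes we need; avoids pulling the whole object.
            entry.RefreshCache(new[] { "sAMAccountName", "objectSid", "objectClass" });

            byte[] sidBytes = (byte[])entry.Properties["objectSid"].Value;
            SecurityIdentifier sid = new SecurityIdentifier(sidBytes, 0);

            string ntAccount = null;
            try
            {
                // Translate the SID to DOMAIN\name. This can fail for SIDs the local
                // machine cannot resolve (e.g. accounts from an untrusted domain).
                ntAccount = ((NTAccount)sid.Translate(typeof(NTAccount))).Value;
            }
            catch (IdentityNotMappedException)
            {
                // Leave NtAccountName null; the SID is still usable for comparison.
            }

            return new ResolvedMember
            {
                DistinguishedName = memberDn,
                SamAccountName = entry.Properties["sAMAccountName"].Value as string,
                NtAccountName = ntAccount,
                Sid = sid,
                // objectClass is multi-valued ("top", "group", ...), so test for membership.
                IsGroup = entry.Properties["objectClass"].Contains("group")
            };
        }
    }

    // Service-side check: `caller` is the WindowsIdentity the Evaluate method pulls out of
    // the EvaluationContext. Comparing SIDs avoids every naming-format problem.
    public static bool CallerIsAccount(WindowsIdentity caller, ResolvedMember picked)
    {
        return caller.User != null && !picked.IsGroup && caller.User.Equals(picked.Sid);
    }

    // For group nodes in the tree: is the caller a (direct or nested) member of the group?
    // WindowsIdentity.Groups already contains the flattened group SIDs from the token.
    public static bool CallerIsInGroup(WindowsIdentity caller, ResolvedMember group)
    {
        return group.IsGroup && caller.Groups != null && caller.Groups.Contains(group.Sid);
    }

    public static void Main()
    {
        // Placeholder DN taken from the question's tree; replace with a real member DN.
        ResolvedMember member = Resolve("CN=MyName,CN=Users,DC=MyCompany,DC=local");
        WindowsIdentity caller = WindowsIdentity.GetCurrent();

        Console.WriteLine("{0} -> sAMAccountName={1}, NT account={2}, SID={3}, group={4}",
            member.DistinguishedName, member.SamAccountName, member.NtAccountName, member.Sid, member.IsGroup);
        Console.WriteLine(CallerIsAccount(caller, member)
            ? "The picked account is the caller."
            : "The picked account is not the caller.");
    }
}
```

NtAccountName is only there for display; store the SID (or the SID string from Sid.Value) in the membership model and do the authorization decision against caller.User and caller.Groups, so a renamed account or a renamed group cannot change who is granted access.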
Thanks! But the first code gives me a clear hint when trying to create the DirectoryEntry object: The value provided for adsObject does not implement IADs? – Banshee 2011-05-19 06:28:48
I changed child.ToString() and then I got my DirectoryEntry object, but when I try to get the sAMAccountName I get an exception of type 'System.Runtime.InteropServices.COMException'? – Banshee 2011-05-19 07:23:30
Sorry, I made a mistake in my code. I forgot to add "LDAP://" to the member path. I have updated my answer, please try the updated sample code. – 2011-05-19 08:24:47