LDAP:检查用户是否是组的成员
我在 Stackoverflow 和网上找到了几个示例,但没有一个能正常工作。我想检查用户是否是特定组(或子组)的成员。当我尝试使用 Active Directory 中不存在的用户名时,会得到一个异常(这是正常的,请参阅代码)。
我目前使用的代码如下:
using System;
using System.Collections.Generic;
using System.DirectoryServices;
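internal static class Program
{
    // Directory roots used by the lookups. "xxxxxxx" is the poster's placeholder host;
    // both values are kept exactly as given in the original listing.
    private const string UserSearchRoot = "LDAP://xxxxxxx:389/DC=be,DC=kb,DC=int";
    private const string GroupSearchRoot = "LDAP://xxxxxxx.be.kb.int:389/DC=be,DC=kb,DC=int";

    // OID of LDAP_MATCHING_RULE_IN_CHAIN: the server walks nested group membership
    // so that a user inside a sub-group of the target group is also matched.
    private const string MatchingRuleInChain = "1.2.840.113556.1.4.1941";

    /// <summary>
    /// Escapes a value for use inside an LDAP search filter (RFC 4515 section 3).
    /// </summary>
    /// <remarks>
    /// Without this, a caller-supplied name containing '*', '(', ')', '\' or NUL changes the
    /// meaning of the filter (LDAP filter injection). The backslash is replaced first so the
    /// escape sequences produced for the other characters are not re-escaped.
    /// </remarks>
    /// <param name="value">Raw attribute value.</param>
    /// <returns>The value with filter metacharacters replaced by their \xx escapes.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="value"/> is null.</exception>
    public static string EscapeFilterValue(string value)
    {
        if (value == null)
            throw new ArgumentNullException("value");

        return value
            .Replace("\\", "\\5c")
            .Replace("*", "\\2a")
            .Replace("(", "\\28")
            .Replace(")", "\\29")
            .Replace("\0", "\\00");
    }

    /// <summary>
    /// Looks up a user by sAMAccountName and returns its common name
    /// (the entry's RDN with the "CN=" prefix stripped).
    /// </summary>
    /// <param name="userName">sAMAccountName of the user.</param>
    /// <returns>The CN of the first matching entry.</returns>
    /// <exception cref="ArgumentException"><paramref name="userName"/> is empty.</exception>
    /// <exception cref="ApplicationException">No user with that sAMAccountName exists.</exception>
    public static string GetUserContainerName(string userName)
    {
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("User name must not be empty.", "userName");

        // DirectoryEntry and DirectorySearcher hold native handles; the original never released them.
        using (DirectoryEntry root = new DirectoryEntry(UserSearchRoot))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // sAMAccountName is caller-controlled text: escape it before it becomes filter syntax.
            searcher.Filter = string.Format("(sAMAccountName={0})", EscapeFilterValue(userName));
            searcher.SearchScope = SearchScope.Subtree; // search from the base down to ALL children

            // Only the first hit was ever used, so FindOne avoids holding a whole result set.
            var hit = searcher.FindOne();
            if (hit == null)
                throw new ApplicationException(string.Format("User '{0}' Not Found in Active Directory.", userName));

            using (DirectoryEntry user = hit.GetDirectoryEntry())
            {
                return user.Name.Replace("CN=", string.Empty);
            }
        }
    }

    /// <summary>
    /// Returns the distinguishedName of the user with the given sAMAccountName.
    /// </summary>
    /// <param name="userName">sAMAccountName of the user (already validated by the caller).</param>
    /// <returns>The user's distinguishedName attribute.</returns>
    /// <exception cref="ApplicationException">The user does not exist or has no distinguishedName.</exception>
    private static string GetUserDistinguishedName(string userName)
    {
        using (DirectoryEntry root = new DirectoryEntry(UserSearchRoot))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            searcher.Filter = string.Format("(sAMAccountName={0})", EscapeFilterValue(userName));
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("distinguishedName");

            var hit = searcher.FindOne();
            if (hit == null)
                throw new ApplicationException(string.Format("User '{0}' Not Found in Active Directory.", userName));

            var values = hit.Properties["distinguishedName"];
            if (values.Count == 0)
                throw new ApplicationException(string.Format("User '{0}' has no distinguishedName.", userName));

            return Convert.ToString(values[0]);
        }
    }

    /// <summary>
    /// Tells whether <paramref name="username"/> is a direct or nested member of the group
    /// whose cn is <paramref name="groupname"/>.
    /// </summary>
    /// <param name="username">sAMAccountName of the user.</param>
    /// <param name="groupname">cn of the group (compared case-insensitively).</param>
    /// <returns>true if the user is found in the group or in any group nested under it.</returns>
    /// <exception cref="ArgumentException">Either argument is empty.</exception>
    /// <exception cref="ApplicationException">The user does not exist in the directory.</exception>
    public static bool IsUserMemberOfGroup(string username, string groupname)
    {
        if (string.IsNullOrWhiteSpace(username))
            throw new ArgumentException("User name must not be empty.", "username");
        if (string.IsNullOrWhiteSpace(groupname))
            throw new ArgumentException("Group name must not be empty.", "groupname");

        // The original built the member DN as "cn=<username>,cn=users,..." and then passed the
        // looked-up CN into a format string with no placeholder left, so that lookup was dead.
        // Use the user's real distinguishedName: accounts need not live under cn=users.
        string userDn = GetUserDistinguishedName(username);

        using (DirectoryEntry root = new DirectoryEntry(GroupSearchRoot))
        using (DirectorySearcher searcher = new DirectorySearcher(root))
        {
            // The DN is itself a filter value and is escaped like any other value.
            searcher.Filter = string.Format("(member:{0}:={1})", MatchingRuleInChain, EscapeFilterValue(userDn));
            searcher.SearchScope = SearchScope.Subtree; // search from the base down to ALL children
            searcher.PropertiesToLoad.Add("cn");

            using (SearchResultCollection groups = searcher.FindAll())
            {
                // The original loop ran to Count - 1 and never looked at the last group.
                for (int i = 0; i < groups.Count; i++)
                {
                    // Compare the cn attribute exactly; the original substring test on Path
                    // also matched "MY_GROUP" against "CN=MY_GROUP_TO_CHECK".
                    var names = groups[i].Properties["cn"];
                    if (names.Count > 0
                        && string.Equals(Convert.ToString(names[0]), groupname, StringComparison.OrdinalIgnoreCase))
                    {
                        return true; // success - group found
                    }
                }
            }
        }

        return false;
    }

    static void Main(string[] args)
    {
        var res = IsUserMemberOfGroup("MyUSer", "MY_GROUP_TO_CHECK");
        Console.WriteLine(res.ToString());
    }
}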
为什么不使用框架中已经提供的功能呢?
看看这个:http://msdn.microsoft.com/en-us/library/fs485fwh(VS.85).aspx
// Needs `using System.Security.Principal;`. GetCurrent() yields the identity the
// current process is running as, so this checks the *caller's own* group membership,
// not that of an arbitrary user name as the question asks.
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new WindowsPrincipal(identity);
// "role name" is a placeholder; the bool result is discarded in this sample.
principal.IsInRole("role name");
[请参阅搜索过滤器语法中的 LDAP_MATCHING_RULE_IN_CHAIN,我也在那里提供了代码示例。]
——编辑——
这里有一个概念验证:user1 不是组 MonGrpSec2 的直接成员,而是组 MonGrpSec 的成员,而 MonGrpSec 又属于 MonGrpSec2。代码会显示出 MonGrpSec2 组。您可以(递归地)找到用户所属的所有组。
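static void Main(string[] args)
{
    /* Connection to Active Directory.
     * NOTE(review): the bind credentials are hard-coded because this is a proof of
     * concept; the user literal reads "dom''jpb" on the page and may be a garbled
     * "domain\user" form — confirm before reusing. Kept byte-for-byte here.
     */
    string sFromWhere = "LDAP://WM2008R2ENT:389/dc=dom,dc=fr";

    // DirectoryEntry, DirectorySearcher and SearchResultCollection wrap native handles
    // and must be disposed; the original leaked all three.
    using (DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "dom''jpb", "passwd"))
    using (DirectorySearcher dsLookFor = new DirectorySearcher(deBase))
    {
        /* To find all the groups that "user1" is a member of :
         * Set the base to the groups container DN; for example root DN (dc=dom,dc=fr)
         * Set the scope to subtree
         * Use the following filter :
         * (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)
         * 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, so nested groups are found too.
         */
        dsLookFor.Filter = "(member:1.2.840.113556.1.4.1941:=CN=user1 Users,OU=MonOu,DC=dom,DC=fr)";
        dsLookFor.SearchScope = SearchScope.Subtree;
        dsLookFor.PropertiesToLoad.Add("cn");

        using (SearchResultCollection srcGroups = dsLookFor.FindAll())
        {
            /* Just to know if user is present in a special group.
             * Compare the cn attribute requested above instead of a substring test on Path,
             * which would also have matched e.g. "CN=MonGrpSec22".
             */
            foreach (SearchResult srcGroup in srcGroups)
            {
                var cn = srcGroup.Properties["cn"];
                if (cn.Count > 0
                    && string.Equals(Convert.ToString(cn[0]), "MonGrpSec2", StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine("{0}", srcGroup.Path);
                }
            }
        }
    }

    Console.ReadLine();
}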