我有是针对Windows身份验证运行使用我们的Active Directory中的Web应用程序。我有一个新的要求,通过从Active Directory条目拉一些个人信息。什么是获得访问这些信息最简单的方法?
I've got a web application that is running against Windows Authentication using our Active Directory. I've got a new requirement to pull some personal information through from the Active Directory entry. What would be the easiest way to get access to this information?
推荐答案直接通过一个DirectoryEntry访问用户似乎是最直接的方法。下面是一些AD相关的花絮,我从我的第一个AD相关项目的经验教训:
Accessing the user directly through a DirectoryEntry seems like the most straightforward approach. Here are some AD-related tidbits I learned from my first AD-related project:
- 在一个URI,写LDAP小写。否则,你会得到一个神秘的错误。我花了一天多就这一去pressing问题...
- 要清除单个值属性,将其设置为空字符串,而不是空。空导致异常。
- 要清除一个多值属性,使用的 DirectoryEntry.Property.Clear()的方法。
- 在Active Directory架构参考会说这数据类型的值将是,是否是多值或单值。
- 您不必手动RefreshCache()在一个DirectoryEntry,但如果你曾经使用它,并指定哪些属性缓存,知道它会不会在将来自动检索任何其他属性。
- 系统收到COMException可以在完全使用类System.DirectoryServices中任何时候抛出。保持对这些try块的眼球。不要认为什么是安全的。
- In a URI, write LDAP in lowercase. Otherwise you'll get a mystery error. I spent more than a day on this depressing issue...
- To clear a single-valued property, set it to an empty string, not null. Null causes an exception.
- To clear a multi-valued property, use the DirectoryEntry.Property.Clear() method.
- The Active Directory schema reference will say which data type a value will be and whether it is multi-value or single-value.
- You do not need to manually RefreshCache() on a Directoryentry but if you ever use it and specify which properties to cache, know that it will not auto-retrieve any other properties in the future.
- A COMException can be thrown at absolutely any time you use the classes in System.DirectoryServices. Keep an eye on those try blocks. Do not assume anything is safe.
您可能会需要使用DirectorySearcher从让你的用户的目录条目,如果你不知道它的路径(你不会,只是让他记录在其中)。使用它,是相当容易的,但要注意在LDAP语法的怪癖;即,不必EN code非ASCII(和其他?)字符。你会使用搜索字符串可能会是这样的:(及(sAMAccountName赋=什么)(类=用户))的。这是把我的头顶部,可能会稍微不正确。
You'll probably need to use DirectorySearcher to get your user's directory entry if you don't know its path (which you wouldn't, just by having him logged in). Using it was fairly easy but beware of the quirks in LDAP syntax; namely, having to encode non-ASCII (and other?) characters. The search string you'd use would probably be something like: (&(sAMAccountName=whatever)(class=user)). This is off the top of my head and may be slightly incorrect.
借助 Active Directory架构参考将是有益的。明白,该架构可以修改和扩展(如安装Exchange将增加邮箱信息给用户)。
The Active Directory schema reference will be useful. Do understand that the schema can be modified and extended (e.g. installing Exchange will add mailbox information to users).
AD资源管理器是它可用于调试和低级别的AD的有用工具数据管理。我发现它有用的,当我知道我要来设置,但无法找到在广告管理工具右侧的对话框中哪个属性。
AD Explorer is a useful tool which you can use for debugging and low-level AD data management. I've found it useful when I know which property I want to set but cannot find the right dialog box in the AD management tool.
更多推荐
活动目录:检索用户信息
发布评论