I'm running an ASP.NET 4.0 app which uses the user name (i.e. HttpContext.Current.Request.LogonUserIdentity.Name.ToString()) to manage access to various components.
The user name being returned is in the form "abc\jsmith" where "abc" is the domain name and "jsmith" is the login name of the user.
Part of the security module for this app accesses the Active Directory groups that the user belongs to (e.g., "Accounting", "AccountsPayable", "AdminDepartment"). I'm able to get the user's name from Active Directory using DirectoryEntry.Properties (i.e., System.DirectoryServices.PropertyCollection) "sAMAccountName".Value.
So far, everything is fine, but I want to be able to expand the app across multiple domains, which means I need to be able to find the domain name in Active Directory as well as the user's login name. I can get a "Domain" value from PrincipalContext, but it's returning "abcdc" instead of "abc". Can I assume that this property will always return "dc" (as in "Domain Controller") at the end of each domain (in which case I can use a Substring of the property), or is there somewhere else I can get the user's current domain name?
Recommended answer
One thing I am unclear on is your question about retrieving the domain name given a DirectoryEntry in a domain controller. I am assuming that you have a server that can see multiple trusted domains, and that a user can log into your application from any one of them, such that you don't know against what domain you need to test role membership.
For controlling access to features via AD group membership, could you use

HttpContext.Current.User.IsInRole(@"appdomain\groupname")

where User.Identity.Name == @"userdomain\user"? I'm not familiar with domain trust issues, but this assumes that you can add users from the trusted domain into the domain group that you control, so you don't need to worry about the group's domain location.
If you can't, or if you have the same group name in each different domain, then you could do something like this:

HttpContext.Current.User.IsInRole(userDomainName + @"\groupname")

Some points:
**UPDATE 6/8/2011 2:15 PM**
If I understand AD correctly, the user's domain is an integral part of the user object returned by AD. Expanding on your example of "Bob Newaccountant"...
So given the following 2 Domains with a trust between them:
1. "abcdc"
   CN=Users
     CN="Bob NewAccountant"
2. "abc"
   CN=Users
     CN="Local User1"
   OU=Applications
     OU=MyApplication
       CN=ReportReaders (Members: abcdc\BNewAccountant, abc\luser1)

You should get the users' info given the following query:
```csharp
using System;
using System.DirectoryServices.AccountManagement;

// name parameter = domain
// container parameter = distinguished name of the container to search
// (verbatim strings avoid the invalid "\s" and "\g" escapes in ordinary C# literals)
using (var ctx = new PrincipalContext(
    ContextType.Domain,
    name: "abc",
    container: "OU=MyApplication,OU=Applications,DC=abc,DC=com",
    userName: @"abc\serviceaccountname",
    password: "Password1"))
{
    // Look the group up by its sAMAccountName; null means it was not found in the container
    var officeGroup = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, "ReportReaders");
    if (officeGroup == null)
        throw new InvalidOperationException("Group ReportReaders not found");

    // recursive: true also walks nested group memberships
    foreach (Principal prin in officeGroup.GetMembers(recursive: true))
    {
        Console.WriteLine("DistinguishedName: " + prin.DistinguishedName + " UPN: " + prin.UserPrincipalName);
    }
    // Should result in
    // DistinguishedName: CN=luser1,CN=Users,DC=abc,DC=com UPN: luser1@abc
    // DistinguishedName: CN=BNewAccountant,CN=Users,DC=abcdc,DC=com UPN: BNewAccountant@abcdc
}
```

So you should be able to get the user's domain via the distinguishedName or userPrincipalName properties of Active Directory. (Note: I don't have a dual-domain setup handy, so I am not able to test the above code at this time.) Is that getting closer?
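As an added example (not part of the answer above, and not the application's own code), the helper below derives the domain from the distinguishedName and userPrincipalName values that query returns; the class and method names are my own. One caveat a practitioner should keep in mind: the DC components of a DN give the DNS-style name (abc.com), which is not guaranteed to equal the NetBIOS short name that appears in "abc\jsmith".

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Hypothetical helper (added example, not from the answer above): derive a user's
// domain from the distinguishedName and userPrincipalName values the query returns.
static class AdDomainHelper
{
    // Splits a DN into RDNs ("CN=luser1", "DC=abc", ...). A backslash-escaped comma
    // (e.g. "CN=Smith\, John") is part of the value, not a separator.
    public static List<string> SplitRdns(string dn)
    {
        var parts = new List<string>();
        var current = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length)
                current.Append(c).Append(dn[++i]); // keep the escape verbatim
            else if (c == ',')
            {
                parts.Add(current.ToString().Trim());
                current.Clear();
            }
            else
                current.Append(c);
        }
        if (current.Length > 0) parts.Add(current.ToString().Trim());
        return parts;
    }

    // "CN=luser1,CN=Users,DC=abc,DC=com" -> "abc.com": the DNS name of the domain
    // the object lives in (the DC components, joined in order).
    public static string DomainFromDistinguishedName(string dn)
    {
        var dcs = new List<string>();
        foreach (string rdn in SplitRdns(dn))
            if (rdn.StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
                dcs.Add(rdn.Substring(3));
        return dcs.Count == 0 ? null : string.Join(".", dcs);
    }

    // "BNewAccountant@abcdc" -> "abcdc": the UPN suffix, or null when there is no '@'.
    public static string DomainFromUpn(string upn)
    {
        int at = string.IsNullOrEmpty(upn) ? -1 : upn.LastIndexOf('@');
        return at < 0 ? null : upn.Substring(at + 1);
    }
}
```

The result can feed the answer's second form of the role check, e.g. HttpContext.Current.User.IsInRole(domain + @"\ReportReaders"), with the domain taken from the user object rather than parsed out of a "Domain" property with a Substring.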