Asp.net MVC 集成AD域認證
1.首先WebApi 應用下Web.config要配置域認證服務器節點,以下json
<!--LDAP地址 用於項目AD系統帳號密碼驗證-->api
<!--0:關閉域認證;1:開啓域認證-->
<add key="EnableADCheck" value="0"/>
<add key="LDAPAPI" value="域認證服務器的api地址"/> 跨域
2.Api控制器Controller服務器
public class LDAPController : ApiController { /// <summary> /// 用於AD驗證 /// </summary> /// <param name="account"></param> /// <param name="pwd"></param> [AllowAnonymous] [HttpPost] public HttpResponseMessage Check(HttpRequestMessage req) { try { SimpleLog.WriteLog(LogFile.Trace, "" + " start"+ req.Content.ReadAsStringAsync().Result); dynamic data = DynamicJson.Parse(req.Content.ReadAsStringAsync().Result); var decrPwd = ""; var account = data.Account; var pwd = data.Pwd; try {//1.先對密碼進行解密 decrPwd = AESEnCryptUtils.Decrypt(pwd); } catch (Exception ex) { SimpleLog.WriteLog(LogFile.Error, "解密失敗:" + ex.Message); return JsonBuilder.Build("error" + "-解密失敗" + ex.Message); } var result = ADHelper.CheckExist(account, decrPwd).ToString(); SimpleLog.WriteLog(LogFile.Error, "End:" + result); return JsonBuilder.Build(result); } catch (Exception ex) { SimpleLog.WriteLog(LogFile.Error,ex.Message+"-"+ ex.StackTrace); return JsonBuilder.Build(ex.Message); } } }
public class SimpleLog { private static string logPath = string.Empty; /// <summary> /// 保存日誌的文件夾 /// </summary> public static string LogPath { get { if (logPath == string.Empty) { // Web 應用 logPath = AppDomain.CurrentDomain.BaseDirectory + @"log\"; } return logPath; } set { logPath = value; } } private static string logFielPrefix = string.Empty; /// <summary> /// 日誌文件前綴 /// </summary> public static string LogFielPrefix { get { return logFielPrefix; } set { logFielPrefix = value; } } /// <summary> /// 寫日誌 /// </summary> public static void WriteLog(string logFile, string msg) { try { if (!Directory.Exists(LogPath))//若是沒有文件指定的目錄就建立 { Directory.CreateDirectory(LogPath); } System.IO.StreamWriter sw = System.IO.File.AppendText( LogPath + LogFielPrefix + logFile + " " + DateTime.Now.ToString("yyyyMMdd") + ".Log" ); sw.WriteLine(DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss: ") + msg); sw.Close(); } catch { } } /// <summary> /// 寫日誌 /// </summary> public static void WriteLog(LogFile logFile, string msg) { WriteLog(logFile.ToString(), msg); } } /// <summary> /// 日誌類型 /// </summary> public enum LogFile { Trace, Warning, Error, SQL }
public class JsonBuilder { /// <summary> /// 返回該對象的Json數據格式 /// </summary> /// <typeparam name="T"></typeparam> /// <param name="content"></param> /// <returns></returns> public static HttpResponseMessage Build<T>(T content) { if (null == content) return BuildNull(); JsonSerializerSettings jss = new JsonSerializerSettings(); jss.DateTimeZoneHandling = DateTimeZoneHandling.Local; Encoding _encoding = new UTF8Encoding(false); JsonSerializer serializer = JsonSerializer.Create(jss); using (MemoryStream stream = new MemoryStream()) { const int DefaultStreamWriterBufferSize = 0x400; using (TextWriter textWriter = new StreamWriter(stream, _encoding, bufferSize: DefaultStreamWriterBufferSize)) { using (JsonWriter jsonWriter = new JsonTextWriter(textWriter) { CloseOutput = false }) { serializer.Serialize(jsonWriter, content); jsonWriter.Flush(); ArraySegment<byte> segment = new ArraySegment<byte>(stream.GetBuffer(), 0, (int)stream.Length); HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK); try { response.Content = new ByteArrayContent(segment.Array, segment.Offset, segment.Count); MediaTypeHeaderValue contentType = new MediaTypeHeaderValue("application/json"); contentType.CharSet = _encoding.WebName; response.Content.Headers.ContentType = contentType; // response.Headers.Add("Access-Control-Allow-Origin", "*"); //response.Headers.Add("Access-Control-Allow-Credentials", "true"); //response.Headers.Add("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, HEAD, OPTIONS"); //response.Headers.Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, test1"); return response; } catch { response.Dispose(); throw; } } } } } public static HttpResponseMessage Build<T>(T content, string contentType) { if (null == content) return BuildNull(); JsonSerializerSettings jss = new JsonSerializerSettings(); jss.DateTimeZoneHandling = DateTimeZoneHandling.Local; Encoding _encoding = new UTF8Encoding(false); JsonSerializer serializer = JsonSerializer.Create(jss); using (MemoryStream stream = new MemoryStream()) { const int DefaultStreamWriterBufferSize = 0x400; using (TextWriter textWriter = new StreamWriter(stream, _encoding, bufferSize: DefaultStreamWriterBufferSize)) { using (JsonWriter jsonWriter = new JsonTextWriter(textWriter) { CloseOutput = false }) { serializer.Serialize(jsonWriter, content); jsonWriter.Flush(); ArraySegment<byte> segment = new ArraySegment<byte>(stream.GetBuffer(), 0, (int)stream.Length); HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK); try { response.Content = new ByteArrayContent(segment.Array, segment.Offset, segment.Count); MediaTypeHeaderValue mediaTypeHeaderValue = new MediaTypeHeaderValue(contentType); mediaTypeHeaderValue.CharSet = _encoding.WebName; response.Content.Headers.ContentType = mediaTypeHeaderValue; // response.Headers.Add("Access-Control-Allow-Origin", "*"); //response.Headers.Add("Access-Control-Allow-Credentials", "true"); //response.Headers.Add("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, HEAD, OPTIONS"); //response.Headers.Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, test1"); return response; } catch { response.Dispose(); throw; } } } } } public static HttpResponseMessage BuildNull() { Encoding _encoding = Encoding.UTF8; HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.NotFound); response.Content = new StringContent(""); response.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json"); return response; } }
public class ADHelper { /// <summary> /// 查找目錄項 /// </summary> /// <param name="category">分類 users</param> /// <param name="name">用戶名</param> /// <returns>目錄項實體</returns> public static DirectoryEntry FindObject(string name) { DirectoryEntry de = null; DirectorySearcher ds = null; DirectoryEntry userEntry = null; try { de = GetDirectoryObject(); ds = new DirectorySearcher(de); string queryFilter = string.Format("(&(objectCategory=user)(sAMAccountName={0}))", name); ds.Filter = queryFilter; SearchResult sr = ds.FindOne(); if (sr != null) { userEntry = sr.GetDirectoryEntry(); } return userEntry; } catch (Exception ex) { return new DirectoryEntry(); } finally { if (ds != null) { ds.Dispose(); } if (de != null) { de.Dispose(); } } } public static string CheckExist(string Account, string Pwd) { try { DirectoryEntry de = new DirectoryEntry(ADPath, Account, Pwd, AuthenticationTypes.ServerBind); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + Account + "))"; deSearch.SearchScope = SearchScope.Subtree; SearchResult result = deSearch.FindOne(); return "sucess"; } catch (Exception ex) { return "error:" + ex.Message; } } /// /// 域名,好比:bokeyuan /// public static string DomainName = ConfigurationManager.AppSettings["DefaultDomain"]; /// /// LDAP綁定路徑,好比:LDAP://wodeblog.com /// public static string ADPath = ConfigurationManager.AppSettings["ADConnString"]; /// /// 登陸賬號,好比:TestUser /// public static string ADUser = ConfigurationManager.AppSettings["DefaultAdminUser"]; /// /// 登陸密碼,好比:123456 /// public static string ADPassword = ConfigurationManager.AppSettings["AdminPassword"]; /// /// 扮演類實例 /// private static IdentityImpersonation impersonate = new IdentityImpersonation(ADUser, ADPassword, DomainName); /// /// 用戶登陸驗證結果 /// public enum LoginResult { /// /// 正常登陸 /// LOGIN_USER_OK = 0, /// /// 用戶不存在 /// LOGIN_USER_DOESNT_EXIST, /// /// 用戶賬號被禁用 /// LOGIN_USER_ACCOUNT_INACTIVE, /// /// 用戶密碼不正確 /// LOGIN_USER_PASSWORD_INCORRECT } /// /// 用戶屬性定義標誌 /// public enum ADS_USER_FLAG_ENUM { /// /// 登陸腳本標誌。若是經過 ADSI LDAP 進行讀或寫操做時,該標誌失效。若是經過 ADSI WINNT,該標誌爲只讀。 /// ADS_UF_SCRIPT = 0X0001, /// /// 用戶賬號禁用標誌 /// ADS_UF_ACCOUNTDISABLE = 0X0002, /// /// 主文件夾標誌 /// ADS_UF_HOMEDIR_REQUIRED = 0X0008, /// /// 過時標誌 /// ADS_UF_LOCKOUT = 0X0010, /// /// 用戶密碼不是必須的 /// ADS_UF_PASSWD_NOTREQD = 0X0020, /// /// 密碼不能更改標誌 /// ADS_UF_PASSWD_CANT_CHANGE = 0X0040, /// /// 使用可逆的加密保存密碼 /// ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0X0080, /// /// 本地賬號標誌 /// ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0X0100, /// /// 普通用戶的默認賬號類型 /// ADS_UF_NORMAL_ACCOUNT = 0X0200, /// /// 跨域的信任賬號標誌 /// ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0X0800, /// /// 工做站信任賬號標誌 /// ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000, /// /// 服務器信任賬號標誌 /// ADS_UF_SERVER_TRUST_ACCOUNT = 0X2000, /// /// 密碼永不過時標誌 /// ADS_UF_DONT_EXPIRE_PASSWD = 0X10000, /// /// MNS 賬號標誌 /// ADS_UF_MNS_LOGON_ACCOUNT = 0X20000, /// /// 交互式登陸必須使用智能卡 /// ADS_UF_SMARTCARD_REQUIRED = 0X40000, /// /// 當設置該標誌時,服務賬號(用戶或計算機賬號)將經過 Kerberos 委託信任 /// ADS_UF_TRUSTED_FOR_DELEGATION = 0X80000, /// /// 當設置該標誌時,即便服務賬號是經過 Kerberos 委託信任的,敏感賬號不能被委託 /// ADS_UF_NOT_DELEGATED = 0X100000, /// /// 此賬號須要 DES 加密類型 /// ADS_UF_USE_DES_KEY_ONLY = 0X200000, /// /// 不要進行 Kerberos 預身份驗證 /// ADS_UF_DONT_REQUIRE_PREAUTH = 0X4000000, /// /// 用戶密碼過時標誌 /// ADS_UF_PASSWORD_EXPIRED = 0X800000, /// /// 用戶賬號可委託標誌 /// ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0X1000000 } public ADHelper() { // } #region GetDirectoryObject /// /// 得到DirectoryEntry對象實例,以管理員登錄AD /// /// public static DirectoryEntry GetDirectoryObject() { DirectoryEntry entry = new DirectoryEntry("LDAP://域名", "用戶名", "密碼", AuthenticationTypes.ServerBind); return entry; } /// /// 根據指定用戶名和密碼得到相應DirectoryEntry實體 /// public static DirectoryEntry GetDirectoryObject(string userName, string password) { DirectoryEntry entry = new DirectoryEntry(ADPath, userName, password, AuthenticationTypes.None); return entry; } /// /// i.e. /CN=Users,DC=creditsights, DC=cyberelves, DC=Com /// public static DirectoryEntry GetDirectoryObject(string domainReference) { DirectoryEntry entry = new DirectoryEntry(ADPath + domainReference, ADUser, ADPassword, AuthenticationTypes.Secure); return entry; } /// /// 得到以UserName,Password建立的DirectoryEntry /// public static DirectoryEntry GetDirectoryObject(string domainReference, string userName, string password) { DirectoryEntry entry = new DirectoryEntry(ADPath + domainReference, userName, password, AuthenticationTypes.Secure); return entry; } #endregion #region GetDirectoryEntry /// /// 根據用戶公共名稱取得用戶的 對象 /// /// 用戶公共名稱 /// 若是找到該用戶,則返回用戶的 對象;不然返回 null public static DirectoryEntry GetDirectoryEntry(string commonName) { DirectoryEntry de = GetDirectoryObject(); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))"; deSearch.SearchScope = SearchScope.Subtree; try { SearchResult result = deSearch.FindOne(); de = new DirectoryEntry(result.Path); return de; } catch (Exception ex) { return null; } } /// /// 根據用戶公共名稱和密碼取得用戶的 對象。 /// /// 用戶公共名稱 /// 用戶密碼 /// 若是找到該用戶,則返回用戶的 對象;不然返回 null public static DirectoryEntry GetDirectoryEntry(string sAMAccountName, string password, string commonName) { DirectoryEntry de = GetDirectoryObject(DomainName + "\\" + sAMAccountName, password); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))"; deSearch.SearchScope = SearchScope.Subtree; try { SearchResult result = deSearch.FindOne(); de = new DirectoryEntry(result.Path); return de; } catch (Exception ex) { return null; } } /// /// 根據用戶賬號稱取得用戶的 對象 /// /// 用戶賬號名 /// 若是找到該用戶,則返回用戶的 對象;不然返回 null public static DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName) { DirectoryEntry de = new DirectoryEntry("LDAP://域認證地址", "用戶名", "密碼", AuthenticationTypes.ServerBind); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + sAMAccountName + "))"; deSearch.SearchScope = SearchScope.Subtree; try { SearchResult result = deSearch.FindOne(); de = new DirectoryEntry(result.Path); return de; } catch (Exception ex) { return null; } } /// /// 根據用戶賬號和密碼取得用戶的 對象 /// /// 用戶賬號名 /// 用戶密碼 /// 若是找到該用戶,則返回用戶的 對象;不然返回 null public static DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName, string password) { //DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName); DirectoryEntry de = FindObject(sAMAccountName); if (de != null) { string commonName = de.Properties["cn"][0].ToString(); var entry = GetDirectoryEntry(sAMAccountName, password, commonName); if (entry != null) return entry; else return null; } else { return null; } } /// /// 根據組名取得用戶組的 對象 /// /// 組名 /// public static DirectoryEntry GetDirectoryEntryOfGroup(string groupName) { DirectoryEntry de = GetDirectoryObject(); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(objectClass=group)(cn=" + groupName + "))"; deSearch.SearchScope = SearchScope.Subtree; try { SearchResult result = deSearch.FindOne(); de = new DirectoryEntry(result.Path); return de; } catch { return null; } } #endregion #region Get and Set Property /// /// 得到指定 指定屬性名對應的值 /// /// /// 屬性名稱 /// 屬性值 public static object GetProperty(DirectoryEntry de, string propertyName) { if (de.Properties.Contains(propertyName)) { return de.Properties[propertyName][0]; } else { return ""; } } /// /// 得到指定搜索結果 中指定屬性名對應的值 /// /// /// 屬性名稱 /// 屬性值 public static object GetProperty(SearchResult searchResult, string propertyName) { if (searchResult.Properties.Contains(propertyName)) { return searchResult.Properties[propertyName][0]; } else { return ""; } } /// /// 設置指定 的屬性值 /// /// /// 屬性名稱 /// 屬性值 public void SetProperty(DirectoryEntry entry, string propertyName, string propertyValue) { if (entry.Properties.Contains(propertyName)) { if (string.IsNullOrEmpty(propertyValue)) { object o = entry.Properties[propertyName].Value; entry.Properties[propertyName].Remove(o); } else { entry.Properties[propertyName][0] = propertyValue; } } else { if (string.IsNullOrEmpty(propertyValue)) { return; } entry.Properties[propertyName].Add(propertyValue); } } #endregion #region Management /// /// 建立新的用戶 /// /// DN 位置。例如:OU=共享平臺 或 CN=Users /// 公共名稱 /// 賬號 /// 密碼 /// public static DirectoryEntry CreateNewUser(string ldapDN, string commonName, string sAMAccountName, string password) { DirectoryEntry entry = GetDirectoryObject(); DirectoryEntry subEntry = entry.Children.Find(ldapDN); DirectoryEntry deUser = subEntry.Children.Add("CN=" + commonName, "user"); deUser.Properties["sAMAccountName"].Value = sAMAccountName; deUser.CommitChanges(); ADHelper.SetPassword(commonName, password); ADHelper.EnableUser(commonName); deUser.Close(); return deUser; } /// /// 建立新的用戶。默認建立在 Users 單元下。 /// /// 公共名稱 /// 賬號 /// 密碼 /// public static DirectoryEntry CreateNewUser(string commonName, string sAMAccountName, string password) { return CreateNewUser("CN=Users", commonName, sAMAccountName, password); } /// /// 判斷指定公共名稱的用戶是否存在 /// /// 用戶公共名稱 /// 若是存在,返回 true;不然返回 false public static bool IsUserExists(string commonName) { DirectoryEntry de = GetDirectoryObject(); DirectorySearcher deSearch = new DirectorySearcher(de); deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))"; // LDAP 查詢串 SearchResultCollection results = deSearch.FindAll(); if (results.Count == 0) return false; else return true; } /// /// 判斷用戶賬號是否激活 /// /// 用戶賬號屬性控制器 /// 若是用戶賬號已經激活,返回 true;不然返回 false public static bool IsAccountActive(int userAccountControl) { int userAccountControl_Disabled = Convert.ToInt32(ADS_USER_FLAG_ENUM.ADS_UF_ACCOUNTDISABLE); int flagExists = userAccountControl & userAccountControl_Disabled; if (flagExists > 0) return false; else return true; } /// /// 判斷用戶與密碼是否足夠以知足身份驗證進而登陸 /// /// 用戶公共名稱 /// 密碼 /// 如能可正常登陸,則返回 true;不然返回 false public static LoginResult Login(string commonName, string password) { DirectoryEntry de = GetDirectoryEntry(commonName); if (de != null) { // 必須在判斷用戶密碼正確前,對賬號激活屬性進行判斷;不然將出現異常。 string sAMAccountName = de.Properties["sAMAccountName"].ToString(); de.Close(); if (GetDirectoryEntry(sAMAccountName, password, commonName) != null) return LoginResult.LOGIN_USER_OK; else return LoginResult.LOGIN_USER_PASSWORD_INCORRECT; } else { return LoginResult.LOGIN_USER_DOESNT_EXIST; } } /// /// 判斷用戶賬號與密碼是否足夠以知足身份驗證進而登陸 /// /// 用戶賬號(不包含域名) /// 密碼 /// 如能可正常登陸,則返回 true;不然返回 false public static LoginResult LoginByAccount(string sAMAccountName, string password) { ADHelper.DomainName = sAMAccountName.Split('\\')[0]; if (sAMAccountName.IndexOf('\\') > -1) { sAMAccountName = sAMAccountName.Split('\\')[1].Trim('\\'); } DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName); //判斷該用戶是否存在 if (de != null) { // 必須在判斷用戶密碼正確前,對賬號激活屬性進行判斷;不然將出現異常。 de.Close(); if (GetDirectoryEntryByAccount(sAMAccountName, password) != null) return LoginResult.LOGIN_USER_OK; else return LoginResult.LOGIN_USER_PASSWORD_INCORRECT; } else { return LoginResult.LOGIN_USER_DOESNT_EXIST; } } /// /// 設置用戶密碼,管理員能夠經過它來修改指定用戶的密碼。 /// /// 用戶公共名稱 /// 用戶新密碼 public static void SetPassword(string commonName, string newPassword) { DirectoryEntry de = GetDirectoryEntry(commonName); // 模擬超級管理員,以達到有權限修改用戶密碼 impersonate.BeginImpersonate(); de.Invoke("SetPassword", new object[] { newPassword }); impersonate.StopImpersonate(); de.Close(); } /// /// 修改用戶密碼 /// /// 用戶公共名稱 /// 舊密碼 /// 新密碼 public static void ChangeUserPassword(string commonName, string oldPassword, string newPassword) { // to-do: 須要解決密碼策略問題 DirectoryEntry oUser = GetDirectoryEntry(commonName); oUser.Invoke("ChangePassword", new Object[] { oldPassword, newPassword }); oUser.Close(); } /// /// 啓用指定公共名稱的用戶 /// /// 用戶公共名稱 public static void EnableUser(string commonName) { EnableUser(GetDirectoryEntry(commonName)); } /// /// 啓用指定 的用戶 /// /// public static void EnableUser(DirectoryEntry de) { impersonate.BeginImpersonate(); de.Properties["userAccountControl"][0] = ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_NORMAL_ACCOUNT | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD; de.CommitChanges(); impersonate.StopImpersonate(); de.Close(); } /// /// 禁用指定公共名稱的用戶 /// /// 用戶公共名稱 public static void DisableUser(string commonName) { DisableUser(GetDirectoryEntry(commonName)); } /// /// 禁用指定 的用戶 /// /// public static void DisableUser(DirectoryEntry de) { impersonate.BeginImpersonate(); de.Properties["userAccountControl"][0] = ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_NORMAL_ACCOUNT | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_ACCOUNTDISABLE; de.CommitChanges(); impersonate.StopImpersonate(); de.Close(); } /// /// 將指定的用戶添加到指定的組中。默認爲 Users 下的組和用戶。 /// /// 用戶公共名稱 /// 組名 public static void AddUserToGroup(string userCommonName, string groupName) { DirectoryEntry oGroup = GetDirectoryEntryOfGroup(groupName); DirectoryEntry oUser = GetDirectoryEntry(userCommonName); impersonate.BeginImpersonate(); oGroup.Properties["member"].Add(oUser.Properties["distinguishedName"].Value); oGroup.CommitChanges(); impersonate.StopImpersonate(); oGroup.Close(); oUser.Close(); } /// /// 將用戶從指定組中移除。默認爲 Users 下的組和用戶。 /// /// 用戶公共名稱 /// 組名 public static void RemoveUserFromGroup(string userCommonName, string groupName) { DirectoryEntry oGroup = GetDirectoryEntryOfGroup(groupName); DirectoryEntry oUser = GetDirectoryEntry(userCommonName); impersonate.BeginImpersonate(); oGroup.Properties["member"].Remove(oUser.Properties["distinguishedName"].Value); oGroup.CommitChanges(); impersonate.StopImpersonate(); oGroup.Close(); oUser.Close(); } #endregion Management #region Client private static DirectoryEntry InitEntry(string condition) { DirectoryEntry entry = null; DirectorySearcher searcher = new DirectorySearcher(condition); if (ADHelper.ADUser != "") { searcher.SearchRoot.Username = ADHelper.ADUser; searcher.SearchRoot.Password = ADHelper.ADPassword; } SearchResult result = searcher.FindOne(); if (result == null) { return null; } if (ADHelper.ADUser != "") { entry = new DirectoryEntry(result.Path, ADHelper.ADUser, ADHelper.ADPassword); } else { entry = new DirectoryEntry(result.Path); } entry.RefreshCache(); return entry; } public static string ExtractUserName(string userName) { int index = userName.IndexOf(@"\"); string str = userName; if (index != -1) { str = userName.Substring(index + 1, (userName.Length - index) - 1); } else { index = userName.IndexOf("@"); if (index != -1) { str = userName.Substring(index + 1, (userName.Length - index) - 1); } } return str; } public static string[] GetMembersOfGroup(string groupName) { DirectoryEntry entry = InitEntry("(&(objectClass=group)(cn=" + groupName + "))"); DirectoryEntry entry2 = new DirectoryEntry(); string[] strArray = new string[entry.Properties["member"].Count]; for (int i = 0; i < strArray.Length; i++) { entry2 = new DirectoryEntry("LDAP://" + entry.Properties["member"][i]); strArray[i] = entry2.Properties["sAMAccountName"].Value.ToString(); } return strArray; } public static string GetDisplayName(string userName) { DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(userName) + "))"); if (entry == null) { throw new Exception("Could not found the badge number: " + userName); } string str = ""; if (entry.Properties.Contains("displayName")) { str = str + entry.Properties["displayName"].Value.ToString(); } return str; } public static string GetUserMail(string userName) { DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(userName) + "))"); if (entry == null) { throw new Exception("Could not found the badge number: " + userName); } object obj = ADHelper.GetProperty(entry, "mail"); return (obj == null) ? "" : obj.ToString(); } public static string GetUserEnglishName(string userName) { DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(userName) + "))"); if (entry == null) { throw new Exception("Could not found the badge number: " + userName); } string str = ""; if (entry.Properties.Contains("givenName")) { str = str + entry.Properties["givenName"].Value.ToString(); } if (entry.Properties.Contains("sn")) { str = str + " " + entry.Properties["sn"].Value.ToString(); } return str; } public static string[] GetGroupsOfUser(string userName) { DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(userName) + "))"); if (entry == null) { return null; } DirectoryEntry entry2 = new DirectoryEntry(); string[] strArray = new string[entry.Properties["memberOf"].Count]; for (int i = 0; i < strArray.Length; i++) { entry2 = new DirectoryEntry("LDAP://" + entry.Properties["memberOf"][i]); strArray[i] = entry2.Properties["name"].Value.ToString(); } return strArray; } public static string GetUserAccountByEmail(string email) { DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(mail=" + ExtractUserName(email) + "))"); if (entry == null) { throw new Exception("Could not find the email:" + email); } return entry.Properties["sAMAccountName"].Value.ToString(); } public static string GetUserAccountByEmailORAccount(string emailOrAccount) { if (IsAccount(emailOrAccount)) { return emailOrAccount; } return GetUserAccountByEmail(emailOrAccount); } public static string GetUserNameByEmail(string email) { DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(mail=" + ExtractUserName(email) + "))"); if (entry == null) { throw new Exception("Could not found the email: " + email); } return DomainName + "\\" + entry.Properties["sAMAccountName"].Value.ToString(); } public static bool IsAccount(string rawAccount) { if (InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(rawAccount) + "))") == null) { return false; } return true; } #endregion Client } /// /// 用戶模擬角色類。實如今程序段內進行用戶角色模擬。 /// public class IdentityImpersonation { [DllImport("advapi32.dll", SetLastError = true)] public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle); [DllImport("kernel32.dll", CharSet = CharSet.Auto)] public extern static bool CloseHandle(IntPtr handle); // 要模擬的用戶的用戶名、密碼、域(機器名) private String _sImperUsername; private String _sImperPassword; private String _sImperDomain; // 記錄模擬上下文 private WindowsImpersonationContext _imperContext; private IntPtr _adminToken; private IntPtr _dupeToken; // 是否已中止模擬 private Boolean _bClosed; private WindowsIdentity fakeId; public WindowsIdentity Identity { get { return this.fakeId; } } /// /// 構造函數 /// /// 所要模擬的用戶的用戶名 /// 所要模擬的用戶的密碼 /// 所要模擬的用戶所在的域 public IdentityImpersonation(String impersonationUsername, String impersonationPassword, String impersonationDomain) { _sImperUsername = impersonationUsername; _sImperPassword = impersonationPassword; _sImperDomain = impersonationDomain; _adminToken = IntPtr.Zero; _dupeToken = IntPtr.Zero; _bClosed = true; } /// /// 析構函數 /// ~IdentityImpersonation() { if (!_bClosed) { StopImpersonate(); } } /// /// 開始身份角色模擬。 /// /// public Boolean BeginImpersonate() { Boolean bLogined = LogonUser(_sImperUsername, _sImperDomain, _sImperPassword, 2, 0, ref _adminToken); if (!bLogined) { return false; } Boolean bDuped = DuplicateToken(_adminToken, 2, ref _dupeToken); if (!bDuped) { return false; } fakeId = new WindowsIdentity(_dupeToken); _imperContext = fakeId.Impersonate(); _bClosed = false; return true; } /// /// 開始身份角色模擬。 /// /// public Boolean BeginImpersonate(string type) { Boolean bLogined = LogonUser(_sImperUsername, _sImperDomain, _sImperPassword, 2, 0, ref _adminToken); if (!bLogined) { return false; } fakeId = new WindowsIdentity(_adminToken, type, WindowsAccountType.Normal, true); _imperContext = fakeId.Impersonate(); _bClosed = false; return true; } /// /// 中止身分角色模擬。 /// public void StopImpersonate() { _imperContext.Undo(); CloseHandle(_dupeToken); CloseHandle(_adminToken); _bClosed = true; } }
相關文章
- 1. Asp.net MVC 集成AD域認證
- 2. Samba與AD集成認證
- 3. Jenkins配置AD域認證
- 4. jumpserver配置ldap集成windows AD認證
- 5. SpringBoot集成 Windows2012 AD 認證服務
- 6. ABP實戰--集成Ladp/AD認證
- 7. Gitlab 集成使用 AD 認證
- 8. JAVA中如何集成AD域用戶認證
- 9. AD域驗證
- 10. linux 使用pam_ldap經過ad域認證
- 更多相關文章...
- • ASP.NET MVC - 安全 - ASP.NET 教程
- • ASP.NET MVC 教程 - ASP.NET 教程
- • PHP Ajax 跨域問題最佳解決方案
- • ☆技術問答集錦(13)Java Instrument原理
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
