无法在LDAP中访问sn，givenName

Question

我是C＃的新手，我正在使用LDAP来验证用户的登录凭据; 2）获取有关我的应用程序用户的其他信息。我们的LDAP服务器不允许我请求匿名发布的某些数据，因此我必须等到我使用用户的完整凭据绑定才能获取数据。然而，即便如此，我还是无法获得像sn和givenName这样的简单字段。使用JXplorer我可以看到在匿名连接期间隐藏这些值的位置，但是使用完整的用户/ SSL /密码组合，我可以在JXplorer中看到每个值。我似乎无法通过我的代码做同样的事情。

如果我在第一个FindOne（）之后遍历属性，则找到9个属性（其中没有一个是我正在寻找的属性）。如果我在第二个 FindOne（）之后遍历属性，则只有4个属性可用。这两项结果似乎都没有受到PropertiesToAdd.Add（“...”）的影响。

任何建议都将不胜感激。

public string[] Authenticate(string user,  string password)
    {
         string[] results = new string [2];

        //Concatenate serverpath + username + container
        //I.e.  "LDAP://ldap.disney.com:636/CN=donaldDuck,ou=people,dc=la,dc=disney,dc=com"
        DirectoryEntry de = new DirectoryEntry(_ldapserver + "cn=" + user + "," + _topContainer);
        //User's password for initial verification
        de.Password = password;

        //initate anonymous bind
        de.AuthenticationType = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;
        DirectorySearcher searcher = new DirectorySearcher(de);
        searcher.SearchScope = System.DirectoryServices.SearchScope.Base;

        //Search for first record
        SearchResult result = searcher.FindOne();

        //Check results
        if (result == null) throw new Exception(ERR_NOT_FOUND);

        de = result.GetDirectoryEntry();

        //Return search results
        //results[0] = (string)de.Properties["mail"].Value;
        // results[1] = (string)de.Properties["givenName"].Value + " " + (string)de.Properties["sn"].Value;
        // Distingushed Name of the found account
        string DN = de.Path.Substring(de.Path.ToUpper().IndexOf("CN="));
        // Close search connection
        de.Close();


        // now bind and verify the user's password,
        de = new DirectoryEntry(_ldapserver + _topContainer);
        de.Username = DN;
        de.Password = password;
        de.AuthenticationType = System.DirectoryServices.AuthenticationTypes.SecureSocketsLayer;

        //Obtain additional information
         searcher = new DirectorySearcher(de);
         searcher.PropertiesToLoad.Add("sn");
         searcher.PropertiesToLoad.Add("givenName");

         SearchResult r = searcher.FindOne();
         de = r.GetDirectoryEntry();

        foreach (string property in de.Properties.PropertyNames)
         {
           Console.WriteLine("\t{0} : {1} ", property, de.Properties[property][0]);
         }

        //End obtain additional information

        //Validate password
        Object obj = de.NativeObject;
        de.Close();

        //if we made it here, we successfully authenticated
        return results;
    }

Answer 1

如果您使用的是.NET 3.5及更高版本，则应查看System.DirectoryServices.AccountManagement（S.DS.AM）命名空间。在这里阅读所有相关内容：

• Managing Directory Security Principals in the .NET Framework 3.5
• MSDN docs on System.DirectoryServices.AccountManagement

基本上，您可以定义域上下文并轻松在AD中查找用户和/或组：

// set up domain context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
{
   // validate given user credentials
   bool isValid = ctx.ValidateCredentials(user, password);

   // find a user
   UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

   if(user != null)
   {
      string surname = user.Surname;
      string givenName = user.GivenName;
   }
}    

新的S.DS.AM让您可以轻松地与AD中的用户和群组一起玩！