这是my previous question的后续行动。
验证传递给
PrincipalContext的凭据的正确方法是什么?
在我的应用程序中,我使用PrincipalContext(ContextType, String, String, String)实例化PrincipalContext。我有许多集成测试在凭据不正确时失败(或者提供的凭据不适用于管理员)所以我希望能够捕获它。
如果凭据无效PrincipalContext.ConnectedServer会抛出System.DirectoryServices.DirectoryServicesCOMException,但在第一次使用PrincipalContext之前不会发现这种情况。
try
{
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "my_domain.local", "wrong_username", "wrong_password");
}
catch (exception e)
{
// This block is not hit
}
// `System.DirectoryServices.DirectoryServicesCOMException` raised here
using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)) {}
异常详细信息:
System.DirectoryServices.DirectoryServicesCOMException
HResult=0x8007052E
Message=The user name or password is incorrect.
Source=System.DirectoryServices
StackTrace:
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInitNoContainer()
at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, IdentityType identityType, String identityValue)
at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, IdentityType identityType, String identityValue)
我最初的想法是检查创建时的凭据,但是如果我们重复使用不同凭据的PrincipalContext,我们会得到System.DirectoryServices.Protocols.LdapException。
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "my_domain.local", "correct_username", "correct_password");
if (ctx.ValidateCredentials("correct_username", "correct_password"))
{
// `System.DirectoryServices.Protocols.LdapException` raised here
using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, different_user)) {}
}
异常详细信息:
System.DirectoryServices.Protocols.LdapException
HResult=0x80131500
Message=The LDAP server is unavailable.
Source=System.DirectoryServices.Protocols
StackTrace:
at System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)
at System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()
at System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, ContextOptions contextOptions)
at System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password)
at System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password)
是否有可接受的测试方法?我应该尝试将PrincipalContext.ConnectedServer分配给局部变量并捕获异常吗?
答案 0 :(得分:1)
您可以将上下文的实际使用情况移至try块:
try
{
PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "my_domain.local", "wrong_username", "wrong_password");
using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName)) {}
}
catch (exception e)
{
}
如果您计划将该上下文用于其他操作,那么这是我可以看到如何测试凭据的唯一方法。
但如果您的仅目标是验证凭据,那么您可以直接使用DirectoryEntry(从NuGet安装System.DirectoryServices)。您将从堆栈跟踪中看到PrincipalContext无论如何都使用DirectoryEntry。我发现直接使用DirectoryEntry要快得多,尽管有时可能会更复杂。
以下是仅使用DirectoryEntry验证凭据的方式:
var entry = new DirectoryEntry("LDAP://domain.local", "username", "password");
//creating the object doesn't actually make a connection, so we have to do something to test it
try {
//retrieve only the 'cn' attribute from the object
entry.RefreshCache(new[] {"cn"});
} catch (Exception e) {
}
另一种方法是直接使用LdapConnection(从NuGet安装System.DirectoryServices.Protocols)。这可能是验证凭据所必需的最少量实际网络流量。但您可能需要弄清楚身份验证方法。默认情况下它使用Negotiate,但如果不起作用,则必须使用不同的构造函数并手动选择身份验证方法。
var id = new LdapDirectoryIdentifier("domain.local");
var conn = new LdapConnection(id, new NetworkCredential("username", "password"));
try {
conn.Bind();
} catch (Exception e) {
}