来自dmz的LDAP访问失败::无法检索有关域的信息(1355)

时间:2011-10-27 20:42:18

标签: active-directory ldap

尝试从dmz中的iis服务器访问ldap服务器并收到错误消息:无法检索有关域的信息(1355)。有关于附加dns信息或使用的文章基础对象,但这些解决方案不适合我,所以请不要谷歌搜索和发布相同的反刍坏建议。

我重写了整个图层以使用主要对象。这至少给我一个很好的错误信息。

using System;
using System.Collections;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Web;
using TheDomain.Common.Extensions;

namespace MobileApplications
{
    public class Ldap35: IDisposable
    {
        private string _ldapserver;
        private string _adminUser;
        private string _adminPassword;
        private PrincipalContext _connection;
        private UserPrincipal _userData;
        private IList<string> _groups;

    public delegate void MessagingHandler(string message);
    public event MessagingHandler Messaged;

    public Ldap35(string server, string adminuser, string adminpassword)
    {
        _ldapserver = server;
        _adminPassword = adminpassword;
        _adminUser = adminuser;
    }
    /// <summary>
    /// this will basically instantiate a UserPrincipal
    /// </summary>
    /// <param name="username">just the user</param>
    /// <param name="pass">just the password</param>
    /// <param name="domain">the correct domain, not sure if this is thedoamin.com or the_domain</param>
    /// <returns></returns>
    public bool Authenticate(string username, string pass, string domain)
    {
        if ( _connection == null)
            EstablishDirectoryConnection();

            ValidateConnection();
            if (!domain.IsEmpty() && !username.Contains("\\") && !username.Contains("/"))
                username = domain + "\\" + username;

            _userData = UserPrincipal.FindByIdentity(_connection, username);

            if (_userData == null)
                throw new ApplicationException("Unable to locate user.");

            if (! _connection.ValidateCredentials(username, pass))
                throw new ApplicationException("Invalid credentials.  Unable to log in.");

            //_userData = new UserPrincipal( _connection, username, pass, true );

            return true;
    }

    public bool Authenticate(string username, string pass)
    {
        return Authenticate(username, pass, "");
    }

    public bool IsMemeberOfGroup(string group)
    {
       ValidateConnection(); ValidateUser();
        return _userData.IsMemberOf(new GroupPrincipal(_connection));
    }

    public bool IsMemeberOfGroup(string group, bool caseSensitive)
    {
        if (caseSensitive)
            return IsMemeberOfGroup(group);

        GetGroups();

        return _groups.Any(g => g.ToLower().Trim() == group.ToLower().Trim());

    }

//        public IList<string> GetGroups()
//        {
//            if ( _groups == null )
//                _groups = new List<string>();
//
//            ValidateConnection(); ValidateUser();
//          
//                var results = _userData.GetGroups();
//
//                foreach (var principal in results)
//                {
//                    _groups.Add(principal.Name);
//                }
//         
//            return _groups;
//        }

    public IList<string> GetGroups()
    {
        if (_groups == null)
            _groups = new List<string>();

        ValidateConnection(); ValidateUser();
        Print("Getting groups");
        DirectoryEntry de = (DirectoryEntry)_userData.GetUnderlyingObject();
        object obGroups = de.Invoke("Groups");
        foreach (object ob in (IEnumerable)obGroups)
        {
            // Create object for each group.

            var obGpEntry = new DirectoryEntry(ob);
            Print(obGpEntry.Name);
            _groups.Add(obGpEntry.Name);
        }
        return _groups;
    }

    /// <summary>
    /// PrincipalContext class to establish a connection to the target directory and specify credentials for performing operations against the directory. This approach is similar to how you would go about establishing context with the DirectoryContext class in the ActiveDirectory namespace.
    /// </summary>
    /// <param name="adminuser">a user with permissions on the domain controller</param>
    /// <param name="adminpassword">the password to go with the above</param>
    /// <returns></returns>
    private void EstablishDirectoryConnection()
    {
        _connection = new PrincipalContext(ContextType.Domain, _ldapserver, "DC=thedomain,DC=com", ContextOptions.SimpleBind, _adminUser, _adminPassword);
    }

    private void Print(string message)
    {
        if (Messaged != null)
            Messaged(message);
    }

    private void ValidateConnection()
    {
        if ( _connection == null)
             throw new ApplicationException("No connection to server, please check credentials and configuration.");
    }

    private void ValidateUser()
    {
        if (_userData == null)
            throw new ApplicationException("User is not authenticated.  Please verify username and password.");
    }

    public void Dispose()
    {
        _userData.Dispose();
        _connection.Dispose();
    }
}
}

1 个答案:

答案 0 :(得分:7)

这篇文章Active Directory - Adding a user to a group from a non domain-joined computer throws PrincipalException指出了我正确的方向。虽然它确实没有意义。我使用PrincipalObjects转移到比上面发布的更现代的方法,如下所示:

var _connection = new PrincipalContext(ContextType.Domain, 
                                       _ldapserver, 
                                       "DC=domain,DC=com", 
                                       ContextOptions.SimpleBind, 
                                       _adminUser, 
                                       _adminPassword);
var _userData = UserPrincipal.FindByIdentity(_connection, username);

这允许我将正确的权限传递给域控制器,但随后在UserPrinicpal对象上获取groups方法会抛出1155错误。

我通过使用旧方法解决了这个问题,如下所示。一切都很好。

DirectoryEntry de = (DirectoryEntry)_userData.GetUnderlyingObject();
object obGroups = de.Invoke("Groups");
相关问题
最新问题