Active Directory 开发
活动目录(Active Directory)是面向Windows Standard Server、Windows Enterprise Server以及 Windows Datacenter Server的目录服务。(Active Directory不能运行在Windows Web Server上,但是可以通过它对运行Windows Web Server的计算机进行管理。)Active Directory存储了有关网络对象的信息,并且让管理员和用户能够轻松地查找和使用这些信息。Active Directory使用了一种结构化的数据存储方式,并以此作为基础对目录信息进行合乎逻辑的分层组织。
Microsoft Active Directory 服务是Windows 平台的核心组件,它为用户管理网络环境各个组成要素的标识和关系提供了一种有力的手段。
活动目录(Active Directory)主要提供以下功能:
LDAP是轻量目录访问协议,英文全称是Lightweight Directory Access Protocol。
LDAP 仅通过使用原始 X.500目录存取协议 (DAP) 的功能子集而减少了所需的系统资源消耗。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 | namespace System.DirectoryServices { [DSDescription( "DirectoryEntryDesc" )] [TypeConverter( typeof (DirectoryEntryConverter))] [SecurityPermission(SecurityAction.Assert, Flags = SecurityPermissionFlag.UnmanagedCode)] [EnvironmentPermission(SecurityAction.Assert, Unrestricted = true )] [DirectoryServicesPermission(SecurityAction.LinkDemand, Unrestricted = true )] public class DirectoryEntry : Component { [DirectoryServicesPermission(SecurityAction.Demand, Unrestricted = true )] public DirectoryEntry(); [DirectoryServicesPermission(SecurityAction.Demand, Unrestricted = true )] public DirectoryEntry( string path); [DirectoryServicesPermission(SecurityAction.Demand, Unrestricted = true )] public DirectoryEntry( string path, string username, string password); [DirectoryServicesPermission(SecurityAction.Demand, Unrestricted = true )] public DirectoryEntry( string path, string username, string password, AuthenticationTypes authenticationType); [DirectoryServicesPermission(SecurityAction.Demand, Unrestricted = true )] public DirectoryEntry( object adsObject); [DefaultValue(AuthenticationTypes.Secure)] [DSDescription( "DSAuthenticationType" )] public AuthenticationTypes AuthenticationType { get ; set ; } [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] [DSDescription( "DSChildren" )] [Browsable( false )] public DirectoryEntries Children { get ; } [DSDescription( "DSGuid" )] [Browsable( false )] [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] public Guid Guid { get ; } [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] [Browsable( false )] [DSDescription( "DSObjectSecurity" )] public ActiveDirectorySecurity ObjectSecurity { get ; set ; } [DSDescription( "DSName" )] [Browsable( false )] [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] public string Name { get ; } [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] [DSDescription( "DSNativeGuid" )] [Browsable( false )] public string NativeGuid { get ; } [DSDescription( "DSNativeObject" )] [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] [Browsable( false )] public object NativeObject { get ; } [DSDescription( "DSParent" )] [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] [Browsable( false )] public DirectoryEntry Parent { get ; } [DefaultValue( null )] [Browsable( false )] [DSDescription( "DSPassword" )] public string Password { set ; } [SettingsBindable( true )] [DefaultValue( "" )] [TypeConverter( "System.Diagnostics.Design.StringValueConverter, System.Design, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" )] [DSDescription( "DSPath" )] public string Path { get ; set ; } [DSDescription( "DSProperties" )] [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] [Browsable( false )] public PropertyCollection Properties { get ; } [DSDescription( "DSSchemaClassName" )] [Browsable( false )] [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] public string SchemaClassName { get ; } [Browsable( false )] [DSDescription( "DSSchemaEntry" )] [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] public DirectoryEntry SchemaEntry { get ; } [DefaultValue( true )] [DSDescription( "DSUsePropertyCache" )] public bool UsePropertyCache { get ; set ; } [DSDescription( "DSUsername" )] [DefaultValue( null )] [Browsable( false )] [TypeConverter( "System.Diagnostics.Design.StringValueConverter, System.Design, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" )] public string Username { get ; set ; } [DesignerSerializationVisibility(DesignerSerializationVisibility.Hidden)] [ComVisible( false )] [DSDescription( "DSOptions" )] [Browsable( false )] public DirectoryEntryConfiguration Options { get ; } public void Close(); public void CommitChanges(); public DirectoryEntry CopyTo(DirectoryEntry newParent); public DirectoryEntry CopyTo(DirectoryEntry newParent, string newName); public void DeleteTree(); protected override void Dispose( bool disposing); public static bool Exists( string path); public object Invoke( string methodName, params object [] args); [ComVisible( false )] public object InvokeGet( string propertyName); [ComVisible( false )] public void InvokeSet( string propertyName, params object [] args); public void MoveTo(DirectoryEntry newParent); public void MoveTo(DirectoryEntry newParent, string newName); public void RefreshCache(); public void RefreshCache( string [] propertyNames); public void Rename( string newName); } } |
在Active Directory中搜索
1 2 | DirectorySearcher search = new DirectorySearcher(); search.SearchRoot = de; |
1 | searcher.Filter= "(&(objectClass=user)(|(description=Auth*)(name=m*)))" |
1 | search.SearchScope = SearchScope.Subtree; |
1 2 3 4 | search.PropertiesToLoad.Add( "name" ); search.PropertiesToLoad.Add( "description" ); search.PropertiesToLoad.Add( "giveName" ); search.PropertiesToLoad.Add( "wWWWHomePage" ); |
1 | search.Sort = new SortOption( "givenName" ,SortDirection.Ascending); |
1 | SearchResultCollection results = searcher.FindAll(); |
根据用户帐号取得AD USER Information
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | /// <summary> /// 根据用户账号取得AD User对象 /// </summary> /// <param name="account"></param> /// <returns></returns> public DirectoryEntry GetUserByAccount( string account) { DirectoryEntry user = null ; using (DirectoryEntry entry = new DirectoryEntry( this .LDAPAddress, this .AdminAccount, this .AdminPassword, AuthenticationTypes.Secure)) { using (DirectorySearcher searcher = new DirectorySearcher(entry)) { searcher.Filter = "(&(objectClass=user)(sAMAccountName=" + account + "))" ; searcher.SearchScope = SearchScope.Subtree; SearchResult searchResult = searcher.FindOne(); if (searchResult != null ) { user = searchResult.GetDirectoryEntry(); } } entry.Close(); } return user; } |
1 | <a>LDAP: //,DC=xxxx</a> |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | //判断用户名字是否存在 [DllImport( "advapi32.dll" , CharSet = CharSet.Auto, SetLastError = true , PreserveSig = true )] private static extern bool LookupAccountName( string lpSystemName, string lpAccountName, System.IntPtr psid, ref int cbsid, StringBuilder domainName, ref int cbdomainLength, ref int use); public bool LookUpAccount( string accountName) { //pointer an size for the SID IntPtr sid = IntPtr.Zero; int sidSize = 0; //StringBuilder and size for the domain name StringBuilder domainName = new StringBuilder(); int nameSize = 0; //account-type variable for lookup int accountType = 0; //get required buffer size LookupAccountName(String.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType); //allocate buffers domainName = new StringBuilder(nameSize); sid = Marshal.AllocHGlobal(sidSize); //lookup the SID for the account bool result = LookupAccountName(String.Empty, accountName, sid, ref sidSize, domainName, ref nameSize, ref accountType); if (result) { if (accountName.ToLower().IndexOf(domainName.ToString().ToLower()) < 0) { accountName = domainName + "\\" + accountName; } //throw.Exception; .Show("The account is : " + accountName); } else { //MessageBox.Show("Can't find the account."); } Marshal.FreeHGlobal(sid); return result; } } |
/// <summary>
/// 用户账号是否已处于活动状态(非禁用)
/// </summary>
/// <param name="user"></param>
/// <returns></returns>
private bool IsUserActive(DirectoryEntry user)
int val = (int)user.Properties["userAccountControl"].Value;
int flag = (int)(0x0002);
int flagExists = val & flag;
if (flagExists > 0)
return false;
return true;
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 | /// <summary> /// 用户登录验证 /// </summary> /// <param name="account">AD账号</param> /// <param name="password">密码</param> /// <returns> /// <para>True:验证成功</para> /// <para>False:验证失败,如果this.Error不为空,则为异常信息</para> /// </returns> public ADLoginResult Login( string account, string password) { ADLoginResult result = ADLoginResult.UnSuccess; /* Check Accout Empty */ if ( string .IsNullOrEmpty(account)) { result = ADLoginResult.UnSuccess; return result; } DirectoryEntry entry = null ; DirectoryEntry user = null ; try { /* Check Account Exists */ entry = this .GetUserByAccount(account); if (entry != null ) { using (entry) { /* Check Account Active */ if ( this .IsUserActive(entry)) { /* Check Password */ using (user = new DirectoryEntry( this .LDAPAddress, account, password, AuthenticationTypes.Secure)) { object obj = user.NativeObject; user.Close(); } user = null ; result = ADLoginResult.Success; } else { result = ADLoginResult.Disabled; } entry.Close(); } } else { result = ADLoginResult.UnSuccess; } } catch (Exception ex) { this .Error = ex; } finally { if (user != null ) { user.Close(); user.Dispose(); } if (entry != null ) { entry.Close(); entry.Dispose(); } } return result; } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 | /// <summary> /// 根据域密码寿命策略计算密码过期时间 /// </summary> /// <param name="dcEntry">活动目录的域节点</param> /// <param name="user">活动目录的用户节点</param> /// <returns></returns> private DateTime? InnerGetPasswordExpirationDate(DirectoryEntry user) { /* */ bool isPasswordNotExpire = (( int )user.Properties[ "userAccountControl" ].Value & ( int )ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD) != 0; if (isPasswordNotExpire) { return DateTime.MaxValue; /* 帐号被设置为密码永不过期 */ } else { long lastChanged; try { lastChanged = GetLongValue((IADsLargeInteger)user.Properties[ "pwdLastSet" ][0]); } catch (Exception) { return DateTime.MinValue; /* 密码没有被设置过 */ } #region [ 是否启用域密码寿命策略(暂时无法获得) ] #endregion #region [ 域密码寿命策略 ] DirectoryEntry dcEntry = null ; try { dcEntry = new DirectoryEntry( this .LDAPAddress, this .AdminAccount, this .AdminPassword); dcEntry.UsePropertyCache = false ; dcEntry.RefreshCache( new string [] { "maxPwdAge" }); IADsLargeInteger maxAge = (IADsLargeInteger)dcEntry.Properties[ "maxPwdAge" ][0]; if (maxAge.LowPart == 0) { /* * 注意: * 1)当域从未启用过密码寿命策略时,该maxAge.LowPart=0,即域中密码没有设置最大有效期限 * 2)但是当启用过密码寿命策略以后,即使不再启用该策略,但域的属性[maxPwdAge]仍保留着之前的值。 * 3)当在域服务器上修改该策略后,仍要等约10分钟后才能读取到修改后的值。 * 所以对于启用过密码寿命策略的域来讲,不会走以下代码段。 */ return DateTime.MaxValue; } else { long maxAge1 = GetLongValue((IADsLargeInteger)dcEntry.Properties[ "maxPwdAge" ][0]); int serverMaxPwdDays = -( int )(maxAge1 / ONE_HUNDRED_NANOSECOND / SECONDS_IN_DAY); /* 密码寿命 */ DateTime passwordLastChanged = DateTime.FromFileTime(GetLongValue((IADsLargeInteger)user.Properties[ "pwdLastSet" ][0])); /* 员工密码上次修改时间 */ return passwordLastChanged.AddDays(serverMaxPwdDays); } dcEntry.Close(); dcEntry.Dispose(); dcEntry = null ; } catch (Exception ex) { this .Error = ex; return null ; } finally { if (dcEntry != null ) { dcEntry.Close(); dcEntry.Dispose(); } } #endregion } } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 | /// <summary> /// 修改用户密码 /// </summary> /// <param name="account">AD账号</param> /// <param name="oldPassword">旧密码</param> /// <param name="newPassword">新密码</param> /// <returns> /// <para>ChangePwdResult.Success::修改成功</para> /// <para>其它:修改失败,如果this.Error不为空,则为异常信息</para> /// </returns> public ChangePwdResult ChangePassword( string account, string oldPassword, string newPassword) { ChangePwdResult result = ChangePwdResult.ChangePwdUnSuccess; /* Check Accout Empty */ if ( string .IsNullOrEmpty(account)) { return ChangePwdResult.UserNotExists; } DirectoryEntry user = null ; /* Check Login */ ADLoginResult loginSuccess = this .Login(account, oldPassword); try { switch (loginSuccess) { case ADLoginResult.Success: #region [ Success ] user = this .GetUserByAccount(account); if (user != null ) { using (user) { bool bImpSuccess = false ; if ( this .IsUseImpersonate) { bImpSuccess = this ._impersonation.BeginImpersonate(); this .ImpsersonateSuccess = bImpSuccess; if (!bImpSuccess) { /* * 打开模拟情况下模拟失败,先将结果默认为AdminLoginUnSuccess; * 如果密码修改成功,则会更新结果为Success;如果异常, */ result = ChangePwdResult.AdminLoginUnSuccess; } } int userAccountControl = Convert.ToInt32(user.Properties[ "userAccountControl" ][0]); /* Change Password */ user.Invoke( "SetPassword" , new object [] { newPassword }); user.CommitChanges(); if ( this .IsUseImpersonate && bImpSuccess) { this ._impersonation.StopImpersonate(); } user.Close(); result = ChangePwdResult.Success; } user = null ; } else { result = ChangePwdResult.UserNotExists; } #endregion break ; case ADLoginResult.UnSuccess: result = ChangePwdResult.WrongOldPwd; break ; case ADLoginResult.Disabled: result = ChangePwdResult.Disabled; break ; default : result = ChangePwdResult.ChangePwdUnSuccess; break ; } } catch (Exception ex) { /* 模拟失败情况下,返回模拟失败 */ if (result != ChangePwdResult.AdminLoginUnSuccess) { result = ChangePwdResult.ChangePwdUnSuccess; } this .Error = ex; /* Get Error */ } finally { if (user != null ) { user.Close(); user.Dispose(); } } return result; } |
AD开发主要用于SSO(单点登陆的开发),在office communication 开发中会用到.希望能对大家有帮助.
欢迎各位参与讨论,如果觉得对你有帮助,请点击 推荐下,万分谢谢.
作者:spring yang
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 如何编写易于单元测试的代码
· 10年+ .NET Coder 心语,封装的思维:从隐藏、稳定开始理解其本质意义
· .NET Core 中如何实现缓存的预热?
· 从 HTTP 原因短语缺失研究 HTTP/2 和 HTTP/3 的设计差异
· AI与.NET技术实操系列:向量存储与相似性搜索在 .NET 中的实现
· 10年+ .NET Coder 心语 ── 封装的思维:从隐藏、稳定开始理解其本质意义
· 地球OL攻略 —— 某应届生求职总结
· 提示词工程——AI应用必不可少的技术
· Open-Sora 2.0 重磅开源!
· 周边上新:园子的第一款马克杯温暖上架