C# Active Directory: Retrieve user information
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must do so under the same license, cite the original address, and attribute it to the original authors (not me): StackOverFlow
Original address: http://stackoverflow.com/questions/132277/
Active Directory: Retrieve User information
Asked by Chris Canal
I've got a web application that is running against Windows Authentication using our Active Directory. I've got a new requirement to pull some personal information through from the Active Directory entry. What would be the easiest way to get access to this information?
Accepted answer by Sander
Accessing the user directly through a DirectoryEntry seems like the most straightforward approach. Here are some AD-related tidbits I learned from my first AD-related project:
- In a URI, write LDAP in lowercase. Otherwise you'll get a mystery error. I spent more than a day on this depressing issue...
- To clear a single-valued property, set it to an empty string, not null. Null causes an exception.
- To clear a multi-valued property, use the DirectoryEntry.Property.Clear() method.
- The Active Directory schema reference will say which data type a value will be and whether it is multi-value or single-value.
- You do not need to manually RefreshCache() on a DirectoryEntry but if you ever use it and specify which properties to cache, know that it will not auto-retrieve any other properties in the future.
- A COMException can be thrown at absolutely any time you use the classes in System.DirectoryServices. Keep an eye on those try blocks. Do not assume anything is safe.
You'll probably need to use DirectorySearcher to get your user's directory entry if you don't know its path (which you wouldn't, just by having him logged in). Using it was fairly easy but beware of the quirks in LDAP syntax; namely, having to encode non-ASCII (and other?) characters. The search string you'd use would probably be something like: (&(sAMAccountName=whatever)(class=user)). This is off the top of my head and may be slightly incorrect.
The Active Directory schema reference will be useful. Do understand that the schema can be modified and extended (e.g. installing Exchange will add mailbox information to users).
AD Explorer is a useful tool which you can use for debugging and low-level AD data management. I've found it useful when I know which property I want to set but cannot find the right dialog box in the AD management tool.
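As an added example (not from Sander's answer or the original thread) of the DirectorySearcher lookup he describes: it escapes the caller-supplied account name before it goes into the filter (the LDAP syntax quirk he warns about), binds via RootDSE with the process identity instead of a hard-coded path, requests only the named attributes, and catches the COMException he says can appear at any time. The class name, the RootDSE binding and the DOMAIN\account input format are assumptions; adjust them to your environment.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class AdUserLookup
{
    // RFC 4515 escaping so a value taken from the request cannot change the
    // shape of the filter; the backslash must be escaped first.
    public static string EscapeFilterValue(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // Finds one user by sAMAccountName and returns only the requested attributes
    // (multi-valued ones joined with "; "). Returns null when no user matches.
    public static Dictionary<string, string> GetUserInfo(string windowsIdentityName, params string[] attributes)
    {
        // User.Identity.Name arrives as DOMAIN\account (assumed); the search key is the account part.
        string account = windowsIdentityName.Substring(windowsIdentityName.IndexOf('\\') + 1);
        // RootDSE/defaultNamingContext gives the domain root DN without hard-coding it,
        // and binding with the process identity keeps credentials out of the code.
        using (var root = new DirectoryEntry("LDAP://RootDSE"))
        using (var domain = new DirectoryEntry("LDAP://" + root.Properties["defaultNamingContext"].Value))
        using (var searcher = new DirectorySearcher(domain))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + EscapeFilterValue(account) + "))";
            searcher.PropertiesToLoad.AddRange(attributes); // ask the DC for only what is needed
            SearchResult result;
            try { result = searcher.FindOne(); }
            catch (COMException ex) // binding, network and unknown-attribute errors surface here
            {
                throw new InvalidOperationException("AD lookup failed for " + account, ex);
            }
            if (result == null) return null;
            var info = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
            foreach (string attr in attributes)
            {
                if (!result.Properties.Contains(attr)) continue; // unset, or not in this schema
                var values = new List<string>();
                foreach (object v in result.Properties[attr]) values.Add(Convert.ToString(v));
                info[attr] = string.Join("; ", values);
            }
            return info;
        }
    }
}
```

From the web application, call `AdUserLookup.GetUserInfo(User.Identity.Name, "displayName", "mail", "telephoneNumber")`; the application pool identity only needs read access to the user objects it queries.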
Answer by Steve Moyer
I've used a standard LDAP library to retrieve information from an Active Directory server, but you'd have to verify that the data you need is available via the LDAP server's schema. In general, you can get any information stored in InetOrganizationalPerson and most of the information related to the group(s) they belong to.
Answer by Matthias Meid
Have a look at the System.DirectoryServices namespace:
Answer by paul
You might find the following snippet useful as a starter.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Placeholders for the LDAPPATH/LDAPUSER/LDAPPASSWORD the original left undefined.
// Use a low-privilege read-only account loaded from configuration or a secret store
// rather than literal credentials in source.
const string LDAPPATH = "DC=example,DC=com";
const string LDAPUSER = @"EXAMPLE\svc_ldap_reader";
const string LDAPPASSWORD = "<load from a secret store>";

// RFC 4515 escaping so a caller-supplied lanid cannot alter the filter structure.
static string EscapeLdapFilter(string value)
{
    return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
}
public static bool IsUserInGroup(string lanid, string group)
{
    try
    {
        // DirectoryEntry and DirectorySearcher wrap COM objects; dispose them.
        using (DirectoryEntry entry = new DirectoryEntry("LDAP://" + LDAPPATH))
        {
            entry.Username = LDAPUSER;
            entry.Password = LDAPPASSWORD;
            using (DirectorySearcher srch = new DirectorySearcher(entry))
            {
                srch.Filter = String.Format("(&(objectClass=person)(sAMAccountName={0}))", EscapeLdapFilter(lanid));
                srch.PropertiesToLoad.Add("memberOf");
                SearchResult result = srch.FindOne();
                if (result != null && result.Properties.Contains("memberOf"))
                {
                    // memberOf lists direct group DNs only ("CN=group,OU=...,DC=..."); nested groups are not expanded.
                    string lookfor = String.Format("cn={0},", group.ToLower());
                    foreach (string memberOf in result.Properties["memberOf"])
                    {
                        if (memberOf.ToLower().StartsWith(lookfor))
                            return true;
                    }
                }
                return false;
            }
        }
    }
    catch (COMException ex)
    {
        // The original's "entry != null" test never failed (new never returns null); a
        // directory failure actually surfaces here, from FindOne().
        throw new Exception(String.Format("Could not get Directory lanid:{0}, group:{1}", lanid, group), ex);
    }
}
Answer by Panos
A very good reference: Howto: (Almost) Everything In Active Directory via C#