Active Directory-based user authentication
2006-10-25 09:56
Because we need to use Microsoft AD user authentication and make AD authentication the company's only user authentication system, I have been searching for material on AD user validation for a while. Fortunately, I found the material below; it is very good and well worth a look!!!
Of course, I also found an even better resource:
An AD management class written in C#: http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp
1. AD-based user authentication
// Requires: using System.DirectoryServices;
public static bool IsUserValid(string UserName, string Password)
{
    // ADPath is the LDAP path of the domain. It is a field of the containing class that the
    // post does not show, so its exact value is an assumption here.
    using (DirectoryEntry deUser = new DirectoryEntry(ADPath, UserName, Password, AuthenticationTypes.Secure))
    {
        try
        {
            // The NativeObject call on the DirectoryEntry object is an attempt to bind to the object in the directory.
            // Since this call forces authentication, you will get an error if the user does not exist.
            // If the user is a valid user in the domain, the call will succeed.
            Object native = deUser.NativeObject;
            return true;
        }
        catch
        {
            // Note: this also returns false when the directory is unreachable or the LDAP path is wrong,
            // not only on bad credentials; log the exception if those cases must be told apart.
            return false;
        }
    }
}
This validates the user against UserName/Password. Note that ADSI attempts Kerberos and then NTLM authentication on every bind, so the system records two authentication attempts per call. Keep this in mind when setting the Domain Password Policy; otherwise, once the Bad Password Count exceeds the limit set by the Domain Password Policy, the account will be locked out. (Note: a later article explains how to check for, and how to lock/unlock, such accounts.)
2. Checking whether a user account is active or disabled
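The paragraph above leaves the mitigation to the domain policy. As an added example (not code from the post or from the referenced ADClass), the limiter below sits in front of IsUserValid() and stops forwarding credentials to the domain once the application's own failed binds, counted at two bad passwords each, would bring the account within one of the lockout threshold. The class and method names, the account name "jdoe", and the policy numbers (threshold 5, 30-minute reset window) are constructed assumptions; in real use the two policy values must be copied from the domain's "Account lockout threshold" and "Reset account lockout counter after" settings.

```csharp
using System;
using System.Collections.Generic;

namespace AdBindThrottleExample
{
    // Application-side limiter placed in front of IsUserValid(). Constructor values are
    // assumptions that must mirror the real domain password policy.
    public sealed class BindAttemptLimiter
    {
        private readonly int domainLockoutThreshold;
        private readonly int badPasswordsPerFailedBind;   // 2 for ADSI: a Kerberos attempt, then an NTLM attempt
        private readonly TimeSpan resetWindow;
        private readonly Dictionary<string, List<DateTime>> failures =
            new Dictionary<string, List<DateTime>>(StringComparer.OrdinalIgnoreCase);

        public BindAttemptLimiter(int domainLockoutThreshold, int badPasswordsPerFailedBind, TimeSpan resetWindow)
        {
            this.domainLockoutThreshold = domainLockoutThreshold;
            this.badPasswordsPerFailedBind = badPasswordsPerFailedBind;
            this.resetWindow = resetWindow;
        }

        // How many more failed binds this application may forward for the user while keeping the
        // domain's bad password count strictly below the lockout threshold.
        public int RemainingFailedBinds(string userName, DateTime now)
        {
            Prune(userName, now);
            int used = failures.ContainsKey(userName) ? failures[userName].Count : 0;
            int budget = (domainLockoutThreshold - 1) / badPasswordsPerFailedBind;
            return Math.Max(0, budget - used);
        }

        public bool MayForwardToDirectory(string userName, DateTime now)
        {
            return RemainingFailedBinds(userName, now) > 0;
        }

        public void RecordFailedBind(string userName, DateTime now)
        {
            if (!failures.ContainsKey(userName)) failures[userName] = new List<DateTime>();
            failures[userName].Add(now);
        }

        public void RecordSuccessfulBind(string userName)
        {
            failures.Remove(userName);
        }

        // Drop failures older than the domain's reset window, since the domain counter has reset too.
        private void Prune(string userName, DateTime now)
        {
            if (!failures.ContainsKey(userName)) return;
            failures[userName].RemoveAll(t => now - t >= resetWindow);
        }

        public static void Main()
        {
            // Constructed scenario: threshold 5, each failed ADSI bind costs 2, counter resets after 30 minutes.
            // Budget = (5 - 1) / 2 = 2 forwarded failures, leaving the domain count at 4, one below lockout.
            var limiter = new BindAttemptLimiter(5, 2, TimeSpan.FromMinutes(30));
            var t0 = new DateTime(2006, 10, 25, 9, 56, 0);
            const string user = "jdoe"; // constructed account name

            for (int attempt = 1; attempt <= 4; attempt++)
            {
                DateTime now = t0.AddSeconds(attempt);
                if (limiter.MayForwardToDirectory(user, now))
                {
                    // Real code would call IsUserValid(user, password) here; this scenario assumes every attempt fails.
                    limiter.RecordFailedBind(user, now);
                    Console.WriteLine("attempt {0}: forwarded to AD and failed; remaining {1}",
                        attempt, limiter.RemainingFailedBinds(user, now));
                }
                else
                {
                    Console.WriteLine("attempt {0}: rejected locally, not sent to AD", attempt);
                }
            }

            // After the reset window the budget is restored (attempts 1 and 2 are forwarded, 3 and 4 are refused).
            DateTime later = t0.AddMinutes(31);
            Console.WriteLine("after reset window: remaining {0}", limiter.RemainingFailedBinds(user, later));
        }
    }
}
```

This only bounds the application's own contribution: badPwdCount is kept per domain controller and other logon sources (workstations, services, other applications) add to it, so lockouts must still be monitored on the domain side rather than assumed impossible.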
/// <summary>
/// This will perform a logical operation on the userAccountControl value
/// to see if the user account is enabled or disabled. The flag for determining if the
/// account is active is a bitwise value (decimal = 2).
/// </summary>
/// <param name='userAccountControl'></param>
/// <returns></returns>
public static bool IsAccountActive(int userAccountControl)
{
    int userAccountControl_Disabled = Convert.ToInt32(ADAccountOptions.UF_ACCOUNTDISABLE);
    int flagExists = userAccountControl & userAccountControl_Disabled;
    // if a match is found, then the disabled flag exists within the control flags
    if (flagExists > 0)
    {
        return false;
    }
    else
    {
        return true;
    }
}
3. Sample code: calling the IsUserValid() and IsAccountActive() methods above
/// <summary>
/// This method will not actually log a user in, but will perform tests to ensure
/// that the user account exists (matched by both the username and password), and also
/// checks if the account is active.
/// </summary>
/// <param name='UserName'></param>
/// <param name='Password'></param>
/// <returns></returns>
public static ADHelper.LoginResult Login(string UserName, string Password)
{
    // first, check if the logon exists based on the username and password
    // DirectoryEntry de = GetUser(UserName,Password);
    if (IsUserValid(UserName, Password))
    {
        // GetUser(UserName) looks up the account's DirectoryEntry; it is a helper in the same
        // class that the post does not reproduce.
        DirectoryEntry de = GetUser(UserName);
        if (de != null)
        {
            // convert the accountControl value so that a logical operation can be performed
            // to check if the Disabled option exists.
            int userAccountControl = Convert.ToInt32(de.Properties["userAccountControl"][0]);
            de.Close();
            // if the disabled item does not exist then the account is active
            if (!IsAccountActive(userAccountControl))
            {
                return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE;
            }
            else
            {
                return LoginResult.LOGIN_OK;
            }
        }
        else
        {
            return LoginResult.LOGIN_USER_DOESNT_EXIST;
        }
    }
    else
    {
        return LoginResult.LOGIN_USER_DOESNT_EXIST;
    }
}
4. Related enum types: ADAccountOptions and LoginResult
#region Enumerations
public enum ADAccountOptions
{
    UF_TEMP_DUPLICATE_ACCOUNT = 0x0100,
    UF_NORMAL_ACCOUNT = 0x0200,
    UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800,
    UF_WORKSTATION_TRUST_ACCOUNT = 0x1000,
    UF_SERVER_TRUST_ACCOUNT = 0x2000,
    UF_DONT_EXPIRE_PASSWD = 0x10000,
    UF_SCRIPT = 0x0001,
    UF_ACCOUNTDISABLE = 0x0002,
    UF_HOMEDIR_REQUIRED = 0x0008,
    UF_LOCKOUT = 0x0010,
    UF_PASSWD_NOTREQD = 0x0020,
    UF_PASSWD_CANT_CHANGE = 0x0040,
    UF_ACCOUNT_LOCKOUT = 0x0010,
    UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080,
}
public enum LoginResult
{
    LOGIN_OK = 0,
    LOGIN_USER_DOESNT_EXIST,
    LOGIN_USER_ACCOUNT_INACTIVE
}
#endregion
For the actual user interface, see Reference 1 below:
http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp
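Sections 2 and 4 test one bit of userAccountControl. As an added example (not code from the post or from the referenced ADClass), the decoder below generalises that test: it lists every flag set in a raw userAccountControl value using the same bit values as the post's ADAccountOptions enum, and turns the value into a login-relevant status that also distinguishes the lockout bit. The namespace, type and method names and the sample values in Main are constructed assumptions; nothing here talks to a directory, so it runs offline.

```csharp
using System;
using System.Collections.Generic;

namespace AdStatusExample
{
    // Same bit values as the post's ADAccountOptions, marked [Flags] so combinations can be tested directly.
    [Flags]
    public enum UserAccountControlFlags
    {
        UF_SCRIPT = 0x0001,
        UF_ACCOUNTDISABLE = 0x0002,
        UF_HOMEDIR_REQUIRED = 0x0008,
        UF_LOCKOUT = 0x0010,
        UF_PASSWD_NOTREQD = 0x0020,
        UF_PASSWD_CANT_CHANGE = 0x0040,
        UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080,
        UF_TEMP_DUPLICATE_ACCOUNT = 0x0100,
        UF_NORMAL_ACCOUNT = 0x0200,
        UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800,
        UF_WORKSTATION_TRUST_ACCOUNT = 0x1000,
        UF_SERVER_TRUST_ACCOUNT = 0x2000,
        UF_DONT_EXPIRE_PASSWD = 0x10000
    }

    public enum AccountStatus { Active, Disabled, LockedOut, PasswordNotRequired }

    public static class UserAccountControlDecoder
    {
        // List every flag set in a raw userAccountControl value, i.e. the integer the post reads
        // from de.Properties["userAccountControl"][0].
        public static List<UserAccountControlFlags> DecodeFlags(int userAccountControl)
        {
            var set = new List<UserAccountControlFlags>();
            foreach (UserAccountControlFlags flag in Enum.GetValues(typeof(UserAccountControlFlags)))
            {
                if ((userAccountControl & (int)flag) != 0)
                {
                    set.Add(flag);
                }
            }
            return set;
        }

        // The post's IsAccountActive() test written against the [Flags] enum: false only when UF_ACCOUNTDISABLE is set.
        public static bool IsAccountActive(int userAccountControl)
        {
            var flags = (UserAccountControlFlags)userAccountControl;
            return (flags & UserAccountControlFlags.UF_ACCOUNTDISABLE) == 0;
        }

        // Map the value to a status the login code can act on. Disabled takes precedence over
        // locked-out, and both over "password not required", which is reported because an
        // account with that bit set can bind with an empty password.
        public static AccountStatus Classify(int userAccountControl)
        {
            var flags = (UserAccountControlFlags)userAccountControl;
            if (flags.HasFlag(UserAccountControlFlags.UF_ACCOUNTDISABLE)) return AccountStatus.Disabled;
            if (flags.HasFlag(UserAccountControlFlags.UF_LOCKOUT)) return AccountStatus.LockedOut;
            if (flags.HasFlag(UserAccountControlFlags.UF_PASSWD_NOTREQD)) return AccountStatus.PasswordNotRequired;
            return AccountStatus.Active;
        }

        public static void Main()
        {
            // Constructed sample values, not read from a directory:
            // 0x200 normal user; 0x202 normal + disabled; 0x210 normal + lockout bit;
            // 0x10220 normal, password not required, password never expires.
            int[] samples = { 0x0200, 0x0202, 0x0210, 0x10220 };
            foreach (int uac in samples)
            {
                Console.WriteLine("0x{0:X}: active={1} status={2} flags=[{3}]",
                    uac, IsAccountActive(uac), Classify(uac), string.Join(", ", DecodeFlags(uac)));
            }
        }
    }
}
```

One caveat on the lockout bit: current versions of Active Directory do not maintain UF_LOCKOUT in the stored userAccountControl attribute; the lockout state is exposed through the lockoutTime attribute and the constructed msDS-User-Account-Control-Computed attribute instead. The Classify() branch is correct for values that carry the bit, but a production check for locked-out accounts should read those attributes rather than rely on this bit being set.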