LdapConnection与PrincipalContext
我有以下两种使用LDAP和LDAPS验证用户的实现,我想知道哪个更好/更正确。 为了记录,这两个都可以在SSL和非SSL连接上使用。
我也很好奇,因为在Non-SSL PrincipalContext
版本上观看Wireshark时,我仍然可以看到端口636上的流量。在四种组合( Non-SSL LdapConnection
, SSL LdapConnection
, Non-SSL PrincipalContext
, SSL PrincipalContext
)中,只有一个在端口389和636上具有流量,而不仅仅是一个或另一个。 什么可能导致这个?
LDAP连接方法:
bool userAuthenticated = false;
var domainName = DomainName;
if (useSSL)
{
domainName = domainName + ":636";
}
try
{
using (var ldap = new LdapConnection(domainName))
{
var networkCredential = new NetworkCredential(username, password, domainName);
ldap.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback((con, cer) => true);
ldap.SessionOptions.SecureSocketLayer = useSSL;
ldap.SessionOptions.ProtocolVersion = 3;
ldap.AuthType = AuthType.Negotiate;
ldap.Bind(networkCredential);
}
// If the bind succeeds, we have a valid user/pass.
userAuthenticated = true;
}
catch (LdapException ldapEx)
{
// Error Code 0x31 signifies invalid credentials, anything else will be caught outside.
if (!ldapEx.ErrorCode.Equals(0x31))
{
throw;
}
}
return userAuthenticated;
PrincipalContext方法:
bool userAuthenticated = false;
var domainName = DomainName;
if (useSSL)
{
domainName = domainName + ":636";
ContextOptions options = ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer;
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domainName, null, options))
{
userAuthenticated = pc.ValidateCredentials(username, password, options);
}
}
else
{
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domainName))
{
userAuthenticated = pc.ValidateCredentials(username, password);
}
}
return userAuthenticated;
@ DTI-Matt,在上面的示例中,您使用总是返回true
VerifyServerCertificate
回调。 这基本上违背了通过SSL连接到LDAP的目的,因为没有执行真正的证书检查。
虽然您可以使用X509Chain
和/或X509Certificate2
类实现真正的证书检查,但似乎PrincipalContext
为您处理检查。
总而言之, LdapConnection
和PrincipalContext
提供了非常类似的功能,通过普通或SSL连接连接到LDAP服务器。 你必须为LdapConnection
更多的手写代码才能正常工作。 另一方面, PrincipalContext
使用较少的代码来手动编写相同的功能。
注意,通过非SSL PrincipalContext
连接到端口636(您的默认LDAP通过SSL端口)可能是由这个类尝试尽可能安全地连接的事实解释的。
这就是我们通过SSL / Non-SSL进行工作的结果。
public bool UserValid(string username, string password, bool useSSL)
{
bool userAuthenticated = false;
var domainName = DomainName;
if (useSSL)
{
domainName = domainName + ":636";
}
try
{
using (var ldap = new LdapConnection(domainName))
{
var networkCredential = new NetworkCredential(username, password, DomainName); // Uses DomainName without the ":636" at all times, SSL or not.
ldap.SessionOptions.VerifyServerCertificate += VerifyServerCertificate;
ldap.SessionOptions.SecureSocketLayer = useSSL;
ldap.AuthType = AuthType.Negotiate;
ldap.Bind(networkCredential);
}
// If the bind succeeds, we have a valid user/pass.
userAuthenticated = true;
}
catch (LdapException ldapEx)
{
// Error Code 0x31 signifies invalid credentials, so return userAuthenticated as false.
if (!ldapEx.ErrorCode.Equals(0x31))
{
throw;
}
}
return userAuthenticated;
}
private bool VerifyServerCertificate(LdapConnection connection, X509Certificate certificate)
{
X509Certificate2 cert = new X509Certificate2(certificate);
if (!cert.Verify())
{
// Could not validate potentially self-signed SSL certificate. Prompting user to install certificate themselves.
X509Certificate2UI.DisplayCertificate(cert);
// Try verifying again as the user may have allowed the certificate, and return the result.
if (!cert.Verify())
{
throw new SecurityException("Could not verify server certificate. Make sure this certificate comes from a trusted Certificate Authority.");
}
}
return true;
}
链接地址: http://www.djcxy.com/p/75141.html
上一篇: LdapConnection vs. PrincipalContext
下一篇: How to deal with "omitted for conflict with.." message in pom.xml?