LdapConnection与PrincipalContext

我有以下两种使用LDAP和LDAPS验证用户的实现,我想知道哪个更好/更正确。 为了记录,这两个都可以在SSL和非SSL连接上使用。

我也很好奇,因为在Non-SSL PrincipalContext版本上观看Wireshark时,我仍然可以看到端口636上的流量。在四种组合( Non-SSL LdapConnectionSSL LdapConnectionNon-SSL PrincipalContextSSL PrincipalContext )中,只有一个在端口389和636上具有流量,而不仅仅是一个或另一个。 什么可能导致这个?

LDAP连接方法:

bool userAuthenticated = false;
var domainName = DomainName;

if (useSSL)
{
  domainName = domainName + ":636";
}

try
{
  using (var ldap = new LdapConnection(domainName))
  {
    var networkCredential = new NetworkCredential(username, password, domainName);
    ldap.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback((con, cer) => true);
    ldap.SessionOptions.SecureSocketLayer = useSSL;
    ldap.SessionOptions.ProtocolVersion = 3;
    ldap.AuthType = AuthType.Negotiate;
    ldap.Bind(networkCredential);
  }

  // If the bind succeeds, we have a valid user/pass.
  userAuthenticated = true;
}
catch (LdapException ldapEx)
{
  // Error Code 0x31 signifies invalid credentials, anything else will be caught outside.
  if (!ldapEx.ErrorCode.Equals(0x31))
  {
    throw;
  }
}

return userAuthenticated;

PrincipalContext方法:

bool userAuthenticated = false;
var domainName = DomainName;

if (useSSL)
{
  domainName = domainName + ":636";
  ContextOptions options = ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer;

  using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domainName, null, options))
  {
    userAuthenticated = pc.ValidateCredentials(username, password, options);
  }
}
else
{
  using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domainName))
  {
    userAuthenticated = pc.ValidateCredentials(username, password);
  }
}

return userAuthenticated;

@ DTI-Matt,在上面的示例中,您使用总是返回true VerifyServerCertificate回调。 这基本上违背了通过SSL连接到LDAP的目的,因为没有执行真正的证书检查。

虽然您可以使用X509Chain和/或X509Certificate2类实现真正的证书检查,但似乎PrincipalContext为您处理检查。

总而言之, LdapConnectionPrincipalContext提供了非常类似的功能,通过普通或SSL连接连接到LDAP服务器。 你必须为LdapConnection更多的手写代码才能正常工作。 另一方面, PrincipalContext使用较少的代码来手动编写相同的功能。

注意,通过非SSL PrincipalContext连接到端口636(您的默认LDAP通过SSL端口)可能是由这个类尝试尽可能安全地连接的事实解释的。


这就是我们通过SSL / Non-SSL进行工作的结果。

public bool UserValid(string username, string password, bool useSSL)
{
    bool userAuthenticated = false;
    var domainName = DomainName;

    if (useSSL)
    {
        domainName = domainName + ":636";
    }

    try
    {
        using (var ldap = new LdapConnection(domainName))
        {
            var networkCredential = new NetworkCredential(username, password, DomainName); // Uses DomainName without the ":636" at all times, SSL or not.
            ldap.SessionOptions.VerifyServerCertificate += VerifyServerCertificate;
            ldap.SessionOptions.SecureSocketLayer = useSSL;
            ldap.AuthType = AuthType.Negotiate;
            ldap.Bind(networkCredential);
        }

        // If the bind succeeds, we have a valid user/pass.
        userAuthenticated = true;
    }
    catch (LdapException ldapEx)
    {
        // Error Code 0x31 signifies invalid credentials, so return userAuthenticated as false.
        if (!ldapEx.ErrorCode.Equals(0x31))
        {
            throw;
        }
    }

    return userAuthenticated;
}

private bool VerifyServerCertificate(LdapConnection connection, X509Certificate certificate)
{
    X509Certificate2 cert = new X509Certificate2(certificate);

    if (!cert.Verify())
    {
        // Could not validate potentially self-signed SSL certificate. Prompting user to install certificate themselves.
        X509Certificate2UI.DisplayCertificate(cert);

        // Try verifying again as the user may have allowed the certificate, and return the result.
        if (!cert.Verify())
        {
            throw new SecurityException("Could not verify server certificate. Make sure this certificate comes from a trusted Certificate Authority.");
        }
    }

    return true;
}
链接地址: http://www.djcxy.com/p/75141.html

上一篇: LdapConnection vs. PrincipalContext

下一篇: How to deal with "omitted for conflict with.." message in pom.xml?