Geek@Paris

User authentication based on Active Directory

2007-01-30
The project requires C#, Windows Server 2003 and an Oracle database, with Oracle users authenticated through Active Directory.
The material I found is as follows:
 
An AD management class written in C#: http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp
 
1. User authentication against AD
using System.DirectoryServices;
using System.Runtime.InteropServices;

// ADPath is the LDAP path of the domain (or of an OU in it), e.g. "LDAP://DC=example,DC=com";
// it is defined elsewhere in the class.
public static bool IsUserValid(string UserName, string Password)
{
      using (DirectoryEntry deUser = new DirectoryEntry(ADPath, UserName, Password, AuthenticationTypes.Secure))
      {
            try
            {
                  // Reading NativeObject forces ADSI to bind to the directory with the supplied
                  // credentials. The bind throws a COMException if the user does not exist, the
                  // password is wrong, or the account is not allowed to log on; it succeeds for
                  // a valid user in the domain.
                  Object native = deUser.NativeObject;
                  return true;
            }
            catch (COMException)
            {
                  return false;
            }
      }
}
 
This validates the user from UserName/Password. Note that ADSI tries Kerberos and then NTLM on every attempt, so the domain controller records two authentication attempts and a wrong password counts twice against the account's bad-password count. Take this into account when setting the Domain Password Policy; otherwise, once the Bad Password Count exceeds the threshold configured in the policy, the account is locked out. (Note: a later article covers how to detect lockout and how to lock/unlock an account.)
 
2. Checking whether a user account is enabled or disabled
/// <summary>
/// Performs a bitwise test on the userAccountControl value to see whether the
/// account is enabled or disabled. The flag that marks a disabled account is the
/// bit with decimal value 2 (UF_ACCOUNTDISABLE in the enum below).
/// </summary>
/// <param name="userAccountControl">The raw userAccountControl attribute value.</param>
/// <returns>true if the account is enabled, false if the disabled bit is set.</returns>
public static bool IsAccountActive(int userAccountControl)
{
      int userAccountControl_Disabled = Convert.ToInt32(ADAccountOptions.UF_ACCOUNTDISABLE);
      // A non-zero result means the disabled bit is present in the control flags.
      int flagExists = userAccountControl & userAccountControl_Disabled;
      return flagExists == 0;
}
 
3. Sample code: calling the IsUserValid() and IsAccountActive() methods above
/// <summary>
/// This method does not actually log the user in. It checks that an account
/// matching both the username and the password exists, and then checks whether
/// that account is enabled. A wrong password and a non-existent user both yield
/// LOGIN_USER_DOESNT_EXIST, so the result does not reveal whether the username exists.
/// </summary>
/// <param name="UserName"></param>
/// <param name="Password"></param>
/// <returns></returns>
public static ADHelper.LoginResult Login(string UserName, string Password)
{
      // First, check that the logon is valid for this username and password.
      if (IsUserValid(UserName, Password))
      {
            // GetUser(string) comes from the referenced ADClass library (not shown here):
            // it looks the account up by name and returns its DirectoryEntry, or null
            // if the account is not found.
            DirectoryEntry de = GetUser(UserName);
            if (de != null)
            {
                  // Read the raw userAccountControl value so the disabled bit can be tested.
                  int userAccountControl = Convert.ToInt32(de.Properties["userAccountControl"][0]);
                  de.Close();

                  // If the disabled bit is not set, the account is active.
                  if (!IsAccountActive(userAccountControl))
                  {
                        return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE;
                  }
                  return LoginResult.LOGIN_OK;
            }
            return LoginResult.LOGIN_USER_DOESNT_EXIST;
      }
      return LoginResult.LOGIN_USER_DOESNT_EXIST;
}
 
4. Related enum types: ADAccountOptions and LoginResult
#region Enumerations
// Bit flags of the userAccountControl attribute (same values as ADSI's ADS_USER_FLAG_ENUM).
public enum ADAccountOptions
{
      UF_SCRIPT = 0x0001,
      UF_ACCOUNTDISABLE = 0x0002,
      UF_HOMEDIR_REQUIRED = 0x0008,
      // Note: AD does not maintain this bit in the stored userAccountControl attribute.
      // Lockout state must be read from lockoutTime or from the constructed attribute
      // msDS-User-Account-Control-Computed.
      UF_LOCKOUT = 0x0010,
      UF_ACCOUNT_LOCKOUT = 0x0010,   // alias of UF_LOCKOUT
      UF_PASSWD_NOTREQD = 0x0020,
      UF_PASSWD_CANT_CHANGE = 0x0040,
      UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080,
      UF_TEMP_DUPLICATE_ACCOUNT = 0x0100,
      UF_NORMAL_ACCOUNT = 0x0200,
      UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800,
      UF_WORKSTATION_TRUST_ACCOUNT = 0x1000,
      UF_SERVER_TRUST_ACCOUNT = 0x2000,
      UF_DONT_EXPIRE_PASSWD = 0x10000,
}

public enum LoginResult
{
      LOGIN_OK = 0,
      LOGIN_USER_DOESNT_EXIST,
      LOGIN_USER_ACCOUNT_INACTIVE
}

#endregion
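Two things worth knowing before using the Login() flow above as-is. First, it tests the disabled bit only after a successful bind, but a disabled, locked-out or password-expired account already fails the bind itself, so all of those cases come back as LOGIN_USER_DOESNT_EXIST. Second, the UF_LOCKOUT bit of the enum is not maintained by AD in the stored userAccountControl attribute, so IsAccountActive()-style tests on that attribute cannot detect lockout. The following is an added example, not code from the original post or from the referenced ADClass library. It maps the bind error to a result, and it reads the account state (disabled / locked out / password expired) from userAccountControl plus the constructed attribute msDS-User-Account-Control-Computed without spending a bind attempt, with the sAMAccountName escaped before it is placed in the LDAP filter. Assumptions: the ADPath value is a placeholder, the process identity has read access to the domain, and ADSI reports bind failures as a COMException whose HRESULT wraps a Win32 logon error (0x8007xxxx), which is what MapBindError() relies on; the class, method and enum names are mine.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Added example (not from the original post or the referenced ADClass library).
// Assumptions: ADPath is a placeholder; the process identity can read the domain;
// ADSI reports bind failures as COMException with HRESULT_FROM_WIN32 codes (0x8007xxxx).
public static class AdLoginCheck
{
    const string ADPath = "LDAP://DC=example,DC=com"; // placeholder (assumption)

    // Bit in the stored userAccountControl attribute.
    const int UF_ACCOUNTDISABLE = 0x0002;
    // Bits that are only reliable in the constructed attribute msDS-User-Account-Control-Computed.
    const int UF_LOCKOUT = 0x0010;
    const int UF_PASSWORD_EXPIRED = 0x800000;

    // Win32 logon error codes carried in the low 16 bits of the bind HRESULT.
    const int ERROR_LOGON_FAILURE = 1326, ERROR_PASSWORD_EXPIRED = 1330, ERROR_ACCOUNT_DISABLED = 1331,
              ERROR_ACCOUNT_EXPIRED = 1793, ERROR_PASSWORD_MUST_CHANGE = 1907, ERROR_ACCOUNT_LOCKED_OUT = 1909;

    public enum LoginResult
    {
        LOGIN_OK, LOGIN_BAD_CREDENTIALS, LOGIN_USER_ACCOUNT_INACTIVE, LOGIN_USER_LOCKED_OUT,
        LOGIN_PASSWORD_EXPIRED, LOGIN_ACCOUNT_EXPIRED, LOGIN_OTHER_FAILURE
    }

    public enum AccountState { Unknown, Active, Disabled, LockedOut, PasswordExpired }

    // One bind with the user's own credentials. A failed bind increments badPwdCount
    // (possibly twice, see the note in section 1), so never call this in a retry loop.
    public static LoginResult Login(string userName, string password)
    {
        try
        {
            using (DirectoryEntry de = new DirectoryEntry(ADPath, userName, password, AuthenticationTypes.Secure))
            {
                object native = de.NativeObject; // forces the bind
            }
            return LoginResult.LOGIN_OK;
        }
        catch (COMException ex)
        {
            return MapBindError(ex.ErrorCode);
        }
    }

    // Separate "wrong password" from "right password, but the account may not log on".
    public static LoginResult MapBindError(int hresult)
    {
        uint hr = (uint)hresult;
        if ((hr & 0xFFFF0000u) != 0x80070000u)
            return LoginResult.LOGIN_OTHER_FAILURE; // not a Win32-derived code, e.g. server unreachable
        switch ((int)(hr & 0xFFFFu))
        {
            case ERROR_LOGON_FAILURE:        return LoginResult.LOGIN_BAD_CREDENTIALS;
            case ERROR_ACCOUNT_DISABLED:     return LoginResult.LOGIN_USER_ACCOUNT_INACTIVE;
            case ERROR_ACCOUNT_LOCKED_OUT:   return LoginResult.LOGIN_USER_LOCKED_OUT;
            case ERROR_PASSWORD_EXPIRED:
            case ERROR_PASSWORD_MUST_CHANGE: return LoginResult.LOGIN_PASSWORD_EXPIRED;
            case ERROR_ACCOUNT_EXPIRED:      return LoginResult.LOGIN_ACCOUNT_EXPIRED;
            default:                         return LoginResult.LOGIN_OTHER_FAILURE;
        }
    }

    // Read the account's state without spending a bind attempt (and a badPwdCount) on it.
    public static AccountState GetAccountState(string samAccountName)
    {
        using (DirectoryEntry root = new DirectoryEntry(ADPath)) // binds as the process identity
        using (DirectorySearcher s = new DirectorySearcher(root))
        {
            s.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                       + EscapeLdapValue(samAccountName) + "))";
            s.PropertiesToLoad.Add("userAccountControl");
            s.PropertiesToLoad.Add("msDS-User-Account-Control-Computed"); // constructed: returned only if requested
            SearchResult r = s.FindOne();
            if (r == null) return AccountState.Unknown;
            int uac = (int)r.Properties["userAccountControl"][0];
            int computed = r.Properties.Contains("msDS-User-Account-Control-Computed")
                         ? (int)r.Properties["msDS-User-Account-Control-Computed"][0] : 0;
            return Classify(uac, computed);
        }
    }

    public static AccountState Classify(int userAccountControl, int computedControl)
    {
        if ((userAccountControl & UF_ACCOUNTDISABLE) != 0) return AccountState.Disabled;
        if ((computedControl & UF_LOCKOUT) != 0) return AccountState.LockedOut;
        if ((computedControl & UF_PASSWORD_EXPIRED) != 0) return AccountState.PasswordExpired;
        return AccountState.Active;
    }

    // RFC 4515 escaping so a caller-supplied name cannot change the filter's meaning (LDAP injection).
    // The backslash is replaced first so the escape sequences produced afterwards are not re-escaped.
    public static string EscapeLdapValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                    .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

Keep what anonymous callers see coarse: a bind against a locked-out account fails with the lockout error whatever password is supplied, so LOGIN_USER_LOCKED_OUT (and LOGIN_PASSWORD_EXPIRED) confirm that the username exists and should only be shown after the password has been accepted, or to administrators. GetAccountState() is the one to call from an admin tool or before offering a retry, since an attribute read does not touch badPwdCount.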
 
For the actual user interface, see Reference 1 below:
http://www.c-sharpcorner.com/Code/2002/Sept/ADClass.asp
Author: admin | Categories: IT | Tags:

1 Comment

  1. Shirley says:

    My camera is indeed a SONY ^_^ Vancouver isn't cold at all, because there's heating at home, so life feels easier than back in China.
