LDAP Directory Entry in .Net - not working with OU=Users

Notice: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverflow original: http://stackoverflow.com/questions/1405011/

Date: 2020-08-06 16:09:02  Source: igfitidea

Tags: c#, .net, ldap

Asked by

I have the following code (C#):

(Tweaked from: http://www.eggheadcafe.com/conversation.aspx?messageid=31766061&threadid=31766050)

using System.DirectoryServices;

DirectorySearcher dseSearcher = new DirectorySearcher();

// With no arguments, SearchRoot is the default naming context of the current domain,
// e.g. LDAP://DC=company,DC=local
string rootDSE = dseSearcher.SearchRoot.Path;
DirectoryEntry rootDE = new DirectoryEntry(rootDSE);

// Splices "OU=Users," in right after the 7-character "LDAP://" prefix,
// giving LDAP://OU=Users,DC=company,DC=local
string userDSE = rootDSE.Insert(7, "OU=Users,");
DirectoryEntry userDE = new DirectoryEntry(userDSE);

The rootDSE is created correctly; however, the user userDSE is unusable and throws a "There is no such object on the server" exception if I attempt to use it.

The LDAP strings are as follows:

Root: LDAP://DC=company,DC=local

User: LDAP://OU=Users,DC=company,DC=local

I'm running on Vista as Admin, but need this to work on XP (Admin) as well.

I'm new to LDAP and Directory Management, so I'm stumbling around in the dark here. Any thoughts? Also - any articles to link too that could give me some insight into how it all works would be appreciated.

Answer by Scott Lance

The first thing I would try as a test is to hardcode your desired path when you create a directory entry like so:

DirectoryEntry de = new DirectoryEntry("LDAP://OU=Users,DC=company,DC=local");

This will tell you pretty quick if this is an actual path in your Active Directory. I don't know what your AD looks like so I can't tell you if this is a valid path or not. Under your Active Directory Users and Computers MMC plugin, if this path is correct, then you should have your root domain, and a OU folder under the root called Users.

Paths are generated backwards in AD, so if your Users folder is under another OU off the root, then it would be

DirectoryEntry de = new DirectoryEntry("LDAP://OU=Users,OU=<first OU folder>,DC=company,DC=local");

So your AD schema would look like:

 Root 
 |
 --><first OU folder>
     |
     -->Users

A great article on how to manage Active Directory in .NET:

HowTo: Do (Almost) Everything in Active Directory via C#

You might also want to research the System.DirectoryServices, System.DirectoryServices.ActiveDirectory, and System.DirectoryServices.AccountManagement namespaces provided in the .Net 3.5 Framework. I believe the System.DirectoryServices and ActiveDirectory namespaces were available starting in .Net 1.1, and AccountManagement was introduced in .Net 3.5.

Microsoft Documentation - A lot of good links on how to use the namespace

Addendum:

To actually find a user in AD you will want to do the following:

 // Assumes `username` holds the CN of the account to look up.
 using (DirectoryEntry de = new DirectoryEntry())
 {
     de.Path = "LDAP://DC=company,DC=local";
     de.AuthenticationType = AuthenticationTypes.Secure;   // Kerberos/NTLM bind rather than a simple (cleartext) bind

     using (DirectorySearcher deSearch = new DirectorySearcher())
     {
         deSearch.SearchRoot = de;
         // NOTE: username goes into the filter unescaped. Escape '*', '(', ')', '\' and NUL
         // (RFC 4515) before putting untrusted input here, or the caller can change the filter.
         deSearch.Filter = "(&(objectClass=user)(cn=" + username + "))";

         SearchResult result = deSearch.FindOne();

         if (result != null)
         {
             using (DirectoryEntry deUser = new DirectoryEntry(result.Path))
             {
                 // ... do whatever you need with deUser
             }   // disposing the entry closes it
         }
     }
 }
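An added example (not Scott Lance's code) doing the same lookup as the addendum, but with the search base read from the directory's RootDSE instead of a hardcoded DC= string and the username escaped before it is spliced into the filter. It assumes a domain-joined Windows machine and a reference to System.DirectoryServices; `sAMAccountName` is used instead of `cn` because it is the logon name and unique within the domain, and the class and method names are mine.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

static class AdUserLookup
{
    // RFC 4515 escaping. Untrusted input must never be concatenated raw into a filter:
    // a username of "*)(objectClass=*" would otherwise rewrite the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Ask the directory for its own naming context instead of hardcoding DC=company,DC=local.
    public static string GetDefaultNamingContext()
    {
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            return (string)rootDse.Properties["defaultNamingContext"].Value;
        }
    }

    public static SearchResult FindUser(string samAccountName)
    {
        using (var root = new DirectoryEntry("LDAP://" + GetDefaultNamingContext()))
        {
            // Secure = Kerberos/NTLM bind; Sealing = encrypt the LDAP traffic as well.
            root.AuthenticationType = AuthenticationTypes.Secure | AuthenticationTypes.Sealing;
            using (var searcher = new DirectorySearcher(root))
            {
                // objectCategory=person excludes computer accounts, which are also objectClass=user.
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                  + EscapeFilterValue(samAccountName) + "))";
                searcher.PropertiesToLoad.Add("distinguishedName");
                searcher.PropertiesToLoad.Add("userAccountControl");
                return searcher.FindOne();
            }
        }
    }

    static void Main(string[] args)
    {
        // Offline check: show what escaping does to a hostile value.
        Console.WriteLine(EscapeFilterValue("*)(objectClass=*"));

        if (args.Length == 0) return;   // usage: AdUserLookup.exe <sAMAccountName>
        SearchResult r = FindUser(args[0]);
        Console.WriteLine(r == null ? "not found" : (string)r.Properties["distinguishedName"][0]);
    }
}
```

Reading `defaultNamingContext` from RootDSE is what makes the same binary work on any domain, and it is also the reliable way to get what the question's `dseSearcher.SearchRoot.Path` returns only as a side effect of the parameterless constructor.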

Answer by geoffc

This may seem silly and stupid, but the default tree setup in Active Directory is not OU=Users,dc=domain,dc=com but rather cn=Users,dc=domain,dc=com (note the CN=, not OU=, for Users).

It seems stupid since a container object (objectClass of cn) in AD cannot be a recipient of group policy, but for reasons I do not understand, that is the default. (actually I do understand, it is because containment for a CN is more similar to an NT domain than OU)

Gets almost everybody I meet the first time they try to LDAP bind/auth to AD.

Answer by Joshua

As geoffc mentioned correctly, in Active Directory the "Users" under the domain is a container object rather than organizational unit object. This results in a totally different LDAP path which is why you get the error message.

Try the following code and post if it fixes your issue:

using System.DirectoryServices;

// Replace the "company" and "com" with actual domain values...
// Note CN=Users: the default Users folder is a container, so its RDN is CN, not OU.
DirectoryEntry de = new DirectoryEntry("LDAP://CN=Users,DC=company,DC=com");
DirectorySearcher deSearch = new DirectorySearcher();
deSearch.SearchRoot = de;

// Set your other search params here
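An added example (not from Joshua's or geoffc's answers) that settles the CN= versus OU= question at runtime instead of guessing: it searches one level under the domain root for an object named "Users" that is either a container or an organizational unit and returns its real DN together with its class. It assumes a domain-joined Windows machine and a reference to System.DirectoryServices; the class and method names are mine.

```csharp
using System;
using System.DirectoryServices;

static class UsersContainerResolver
{
    // Returns the DN of the object named "Users" directly under the domain root, whether it is the
    // default CN=Users container or an OU an admin created, plus which of the two it is.
    public static (string Dn, string ObjectClass) ResolveUsersDn(string namingContext)
    {
        using (var root = new DirectoryEntry("LDAP://" + namingContext))
        {
            root.AuthenticationType = AuthenticationTypes.Secure;
            using (var searcher = new DirectorySearcher(root))
            {
                // OneLevel: only immediate children of the domain, so a nested OU=Users elsewhere is not matched.
                searcher.SearchScope = SearchScope.OneLevel;
                // "name" is the RDN value, so this matches both CN=Users and OU=Users.
                searcher.Filter = "(&(name=Users)(|(objectClass=container)(objectClass=organizationalUnit)))";
                searcher.PropertiesToLoad.Add("distinguishedName");
                searcher.PropertiesToLoad.Add("objectClass");

                SearchResult r = searcher.FindOne();
                if (r == null)
                    throw new InvalidOperationException("no Users container or OU directly under " + namingContext);

                // objectClass is multi-valued (top, container) or (top, organizationalUnit);
                // the most specific class is the last value.
                ResultPropertyValueCollection classes = r.Properties["objectClass"];
                string dn = (string)r.Properties["distinguishedName"][0];
                return (dn, (string)classes[classes.Count - 1]);
            }
        }
    }

    static void Main()
    {
        string nc;
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
            nc = (string)rootDse.Properties["defaultNamingContext"].Value;

        var (dn, cls) = ResolveUsersDn(nc);
        Console.WriteLine(dn + " is a " + cls);
    }
}
```

On a default domain this yields CN=Users,DC=...,DC=... with class container; if an admin has moved accounts into a real OU of the same name, the same code returns the OU's DN, so the caller never has to hardcode either prefix or splice strings into an LDAP path.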