1.首先WebApi 应用下Web.config要配置域认证服务器节点,如下
<!--LDAP地址 用于项目AD系统账号密码验证-->
<!--0:关闭域认证;1:开启域认证-->
<add key="EnableADCheck" value="0"/>
<add key="LDAPAPI" value="域认证服务器的api地址"/>
2.Api控制器Controller
public class LDAPController : ApiController
{
/// <summary>
/// 用于AD验证
/// </summary>
/// <param name="account"></param>
/// <param name="pwd"></param>
[AllowAnonymous]
[HttpPost]
public HttpResponseMessage Check(HttpRequestMessage req)
{
try
{
SimpleLog.WriteLog(LogFile.Trace, "" + " start"+ req.Content.ReadAsStringAsync().Result);
dynamic data = DynamicJson.Parse(req.Content.ReadAsStringAsync().Result);
var decrPwd = "";
var account = data.Account;
var pwd = data.Pwd;
try
{//1.先对密码进行解密
decrPwd = AESEnCryptUtils.Decrypt(pwd);
}
catch (Exception ex)
{
SimpleLog.WriteLog(LogFile.Error, "解密失败:" + ex.Message);
return JsonBuilder.Build("error" + "-解密失败" + ex.Message);
}
var result = ADHelper.CheckExist(account, decrPwd).ToString();
SimpleLog.WriteLog(LogFile.Error, "End:" + result);
return JsonBuilder.Build(result);
}
catch (Exception ex)
{
SimpleLog.WriteLog(LogFile.Error,ex.Message+"-"+ ex.StackTrace);
return JsonBuilder.Build(ex.Message);
} } }
public class SimpleLog
{
private static string logPath = string.Empty;
/// <summary>
/// 保存日志的文件夹
/// </summary>
public static string LogPath
{
get
{
if (logPath == string.Empty)
{
// Web 应用
logPath = AppDomain.CurrentDomain.BaseDirectory + @"log\";
}
return logPath;
}
set { logPath = value; }
} private static string logFielPrefix = string.Empty;
/// <summary>
/// 日志文件前缀
/// </summary>
public static string LogFielPrefix
{
get { return logFielPrefix; }
set { logFielPrefix = value; }
} /// <summary>
/// 写日志
/// </summary>
public static void WriteLog(string logFile, string msg)
{
try
{
if (!Directory.Exists(LogPath))//如果没有文件指定的目录就创建
{
Directory.CreateDirectory(LogPath);
}
System.IO.StreamWriter sw = System.IO.File.AppendText(
LogPath + LogFielPrefix + logFile + " " +
DateTime.Now.ToString("yyyyMMdd") + ".Log"
);
sw.WriteLine(DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss: ") + msg);
sw.Close();
}
catch
{ }
} /// <summary>
/// 写日志
/// </summary>
public static void WriteLog(LogFile logFile, string msg)
{
WriteLog(logFile.ToString(), msg);
}
} /// <summary>
/// 日志类型
/// </summary>
public enum LogFile
{
Trace,
Warning,
Error,
SQL
}
public class JsonBuilder
{
/// <summary>
/// 返回该对象的Json数据格式
/// </summary>
/// <typeparam name="T"></typeparam>
/// <param name="content"></param>
/// <returns></returns>
public static HttpResponseMessage Build<T>(T content)
{
if (null == content) return BuildNull(); JsonSerializerSettings jss = new JsonSerializerSettings();
jss.DateTimeZoneHandling = DateTimeZoneHandling.Local; Encoding _encoding = new UTF8Encoding(false); JsonSerializer serializer = JsonSerializer.Create(jss); using (MemoryStream stream = new MemoryStream())
{
const int DefaultStreamWriterBufferSize = 0x400;
using (TextWriter textWriter = new StreamWriter(stream, _encoding,
bufferSize: DefaultStreamWriterBufferSize))
{
using (JsonWriter jsonWriter = new JsonTextWriter(textWriter) { CloseOutput = false })
{
serializer.Serialize(jsonWriter, content);
jsonWriter.Flush(); ArraySegment<byte> segment = new ArraySegment<byte>(stream.GetBuffer(), , (int)stream.Length); HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK); try
{
response.Content = new ByteArrayContent(segment.Array, segment.Offset, segment.Count);
MediaTypeHeaderValue contentType = new MediaTypeHeaderValue("application/json");
contentType.CharSet = _encoding.WebName;
response.Content.Headers.ContentType = contentType;
// response.Headers.Add("Access-Control-Allow-Origin", "*");
//response.Headers.Add("Access-Control-Allow-Credentials", "true");
//response.Headers.Add("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, HEAD, OPTIONS");
//response.Headers.Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, test1"); return response;
}
catch
{
response.Dispose();
throw;
}
}
} }
} public static HttpResponseMessage Build<T>(T content, string contentType)
{
if (null == content) return BuildNull(); JsonSerializerSettings jss = new JsonSerializerSettings();
jss.DateTimeZoneHandling = DateTimeZoneHandling.Local; Encoding _encoding = new UTF8Encoding(false); JsonSerializer serializer = JsonSerializer.Create(jss); using (MemoryStream stream = new MemoryStream())
{
const int DefaultStreamWriterBufferSize = 0x400;
using (TextWriter textWriter = new StreamWriter(stream, _encoding,
bufferSize: DefaultStreamWriterBufferSize))
{
using (JsonWriter jsonWriter = new JsonTextWriter(textWriter) { CloseOutput = false })
{
serializer.Serialize(jsonWriter, content);
jsonWriter.Flush(); ArraySegment<byte> segment = new ArraySegment<byte>(stream.GetBuffer(), , (int)stream.Length); HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK); try
{
response.Content = new ByteArrayContent(segment.Array, segment.Offset, segment.Count);
MediaTypeHeaderValue mediaTypeHeaderValue = new MediaTypeHeaderValue(contentType);
mediaTypeHeaderValue.CharSet = _encoding.WebName;
response.Content.Headers.ContentType = mediaTypeHeaderValue;
// response.Headers.Add("Access-Control-Allow-Origin", "*");
//response.Headers.Add("Access-Control-Allow-Credentials", "true");
//response.Headers.Add("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, HEAD, OPTIONS");
//response.Headers.Add("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, test1"); return response;
}
catch
{
response.Dispose();
throw;
}
}
} }
} public static HttpResponseMessage BuildNull()
{
Encoding _encoding = Encoding.UTF8;
HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.NotFound);
response.Content = new StringContent("");
response.Content.Headers.ContentType = new MediaTypeHeaderValue("application/json");
return response;
}
}
public class ADHelper
{ /// <summary>
/// 查找目录项
/// </summary>
/// <param name="category">分类 users</param>
/// <param name="name">用户名</param>
/// <returns>目录项实体</returns>
public static DirectoryEntry FindObject(string name)
{
DirectoryEntry de = null;
DirectorySearcher ds = null;
DirectoryEntry userEntry = null;
try
{
de = GetDirectoryObject();
ds = new DirectorySearcher(de);
string queryFilter = string.Format("(&(objectCategory=user)(sAMAccountName={0}))", name);
ds.Filter = queryFilter;
SearchResult sr = ds.FindOne();
if (sr != null)
{
userEntry = sr.GetDirectoryEntry();
}
return userEntry;
}
catch (Exception ex)
{
return new DirectoryEntry();
}
finally
{
if (ds != null)
{
ds.Dispose();
}
if (de != null)
{
de.Dispose();
}
}
} public static string CheckExist(string Account, string Pwd)
{
try
{
DirectoryEntry de = new DirectoryEntry(ADPath, Account, Pwd, AuthenticationTypes.ServerBind);
DirectorySearcher deSearch = new DirectorySearcher(de);
deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + Account + "))";
deSearch.SearchScope = SearchScope.Subtree;
SearchResult result = deSearch.FindOne();
return "sucess";
}
catch (Exception ex)
{
return "error:" + ex.Message;
}
}
///
/// 域名,比如:bokeyuan
///
public static string DomainName = ConfigurationManager.AppSettings["DefaultDomain"];
///
/// LDAP绑定路径,比如:LDAP://wodeblog.com
///
public static string ADPath = ConfigurationManager.AppSettings["ADConnString"];
///
/// 登录帐号,比如:TestUser
///
public static string ADUser = ConfigurationManager.AppSettings["DefaultAdminUser"];
///
/// 登录密码,比如:123456
///
public static string ADPassword = ConfigurationManager.AppSettings["AdminPassword"]; ///
/// 扮演类实例
///
private static IdentityImpersonation impersonate = new IdentityImpersonation(ADUser, ADPassword, DomainName); ///
/// 用户登录验证结果
///
public enum LoginResult
{
///
/// 正常登录
///
LOGIN_USER_OK = ,
///
/// 用户不存在
///
LOGIN_USER_DOESNT_EXIST,
///
/// 用户帐号被禁用
///
LOGIN_USER_ACCOUNT_INACTIVE,
///
/// 用户密码不正确
///
LOGIN_USER_PASSWORD_INCORRECT
} ///
/// 用户属性定义标志
///
public enum ADS_USER_FLAG_ENUM
{
///
/// 登录脚本标志。如果通过 ADSI LDAP 进行读或写操作时,该标志失效。如果通过 ADSI WINNT,该标志为只读。
///
ADS_UF_SCRIPT = 0X0001,
///
/// 用户帐号禁用标志
///
ADS_UF_ACCOUNTDISABLE = 0X0002,
///
/// 主文件夹标志
///
ADS_UF_HOMEDIR_REQUIRED = 0X0008,
///
/// 过期标志
///
ADS_UF_LOCKOUT = 0X0010,
///
/// 用户密码不是必须的
///
ADS_UF_PASSWD_NOTREQD = 0X0020,
///
/// 密码不能更改标志
///
ADS_UF_PASSWD_CANT_CHANGE = 0X0040,
///
/// 使用可逆的加密保存密码
///
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0X0080,
///
/// 本地帐号标志
///
ADS_UF_TEMP_DUPLICATE_ACCOUNT = 0X0100,
///
/// 普通用户的默认帐号类型
///
ADS_UF_NORMAL_ACCOUNT = 0X0200,
///
/// 跨域的信任帐号标志
///
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0X0800,
///
/// 工作站信任帐号标志
///
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000,
///
/// 服务器信任帐号标志
///
ADS_UF_SERVER_TRUST_ACCOUNT = 0X2000,
///
/// 密码永不过期标志
///
ADS_UF_DONT_EXPIRE_PASSWD = 0X10000,
///
/// MNS 帐号标志
///
ADS_UF_MNS_LOGON_ACCOUNT = 0X20000,
///
/// 交互式登录必须使用智能卡
///
ADS_UF_SMARTCARD_REQUIRED = 0X40000,
///
/// 当设置该标志时,服务帐号(用户或计算机帐号)将通过 Kerberos 委托信任
///
ADS_UF_TRUSTED_FOR_DELEGATION = 0X80000,
///
/// 当设置该标志时,即使服务帐号是通过 Kerberos 委托信任的,敏感帐号不能被委托
///
ADS_UF_NOT_DELEGATED = 0X100000,
///
/// 此帐号需要 DES 加密类型
///
ADS_UF_USE_DES_KEY_ONLY = 0X200000,
///
/// 不要进行 Kerberos 预身份验证
///
ADS_UF_DONT_REQUIRE_PREAUTH = 0X4000000,
///
/// 用户密码过期标志
///
ADS_UF_PASSWORD_EXPIRED = 0X800000,
///
/// 用户帐号可委托标志
///
ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0X1000000
} public ADHelper()
{
//
} #region GetDirectoryObject ///
/// 获得DirectoryEntry对象实例,以管理员登陆AD
///
///
public static DirectoryEntry GetDirectoryObject()
{ DirectoryEntry entry = new DirectoryEntry("LDAP://域名", "用户名", "密码", AuthenticationTypes.ServerBind);
return entry;
} ///
/// 根据指定用户名和密码获得相应DirectoryEntry实体
///
public static DirectoryEntry GetDirectoryObject(string userName, string password)
{
DirectoryEntry entry = new DirectoryEntry(ADPath, userName, password, AuthenticationTypes.None);
return entry;
} ///
/// i.e. /CN=Users,DC=creditsights, DC=cyberelves, DC=Com
///
public static DirectoryEntry GetDirectoryObject(string domainReference)
{
DirectoryEntry entry = new DirectoryEntry(ADPath + domainReference, ADUser, ADPassword, AuthenticationTypes.Secure);
return entry;
} ///
/// 获得以UserName,Password创建的DirectoryEntry
///
public static DirectoryEntry GetDirectoryObject(string domainReference, string userName, string password)
{
DirectoryEntry entry = new DirectoryEntry(ADPath + domainReference, userName, password, AuthenticationTypes.Secure);
return entry;
} #endregion #region GetDirectoryEntry ///
/// 根据用户公共名称取得用户的 对象
///
/// 用户公共名称
/// 如果找到该用户,则返回用户的 对象;否则返回 null
public static DirectoryEntry GetDirectoryEntry(string commonName)
{
DirectoryEntry de = GetDirectoryObject();
DirectorySearcher deSearch = new DirectorySearcher(de);
deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))";
deSearch.SearchScope = SearchScope.Subtree; try
{
SearchResult result = deSearch.FindOne();
de = new DirectoryEntry(result.Path);
return de;
}
catch (Exception ex)
{
return null;
}
} ///
/// 根据用户公共名称和密码取得用户的 对象。
///
/// 用户公共名称
/// 用户密码
/// 如果找到该用户,则返回用户的 对象;否则返回 null
public static DirectoryEntry GetDirectoryEntry(string sAMAccountName, string password, string commonName)
{ DirectoryEntry de = GetDirectoryObject(DomainName + "\\" + sAMAccountName, password);
DirectorySearcher deSearch = new DirectorySearcher(de);
deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))";
deSearch.SearchScope = SearchScope.Subtree; try
{
SearchResult result = deSearch.FindOne();
de = new DirectoryEntry(result.Path);
return de;
}
catch (Exception ex)
{
return null;
}
} ///
/// 根据用户帐号称取得用户的 对象
///
/// 用户帐号名
/// 如果找到该用户,则返回用户的 对象;否则返回 null
public static DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName)
{ DirectoryEntry de = new DirectoryEntry("LDAP://域认证地址", "用户名", "密码", AuthenticationTypes.ServerBind);
DirectorySearcher deSearch = new DirectorySearcher(de);
deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + sAMAccountName + "))";
deSearch.SearchScope = SearchScope.Subtree;
try
{
SearchResult result = deSearch.FindOne();
de = new DirectoryEntry(result.Path);
return de;
}
catch (Exception ex)
{
return null;
}
} ///
/// 根据用户帐号和密码取得用户的 对象
///
/// 用户帐号名
/// 用户密码
/// 如果找到该用户,则返回用户的 对象;否则返回 null
public static DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName, string password)
{
//DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName);
DirectoryEntry de = FindObject(sAMAccountName);
if (de != null)
{
string commonName = de.Properties["cn"][].ToString(); var entry = GetDirectoryEntry(sAMAccountName, password, commonName); if (entry != null)
return entry;
else
return null;
}
else
{
return null;
}
} ///
/// 根据组名取得用户组的 对象
///
/// 组名
///
public static DirectoryEntry GetDirectoryEntryOfGroup(string groupName)
{
DirectoryEntry de = GetDirectoryObject();
DirectorySearcher deSearch = new DirectorySearcher(de);
deSearch.Filter = "(&(objectClass=group)(cn=" + groupName + "))";
deSearch.SearchScope = SearchScope.Subtree; try
{
SearchResult result = deSearch.FindOne();
de = new DirectoryEntry(result.Path);
return de;
}
catch
{
return null;
}
} #endregion #region Get and Set Property ///
/// 获得指定 指定属性名对应的值
///
///
/// 属性名称
/// 属性值
public static object GetProperty(DirectoryEntry de, string propertyName)
{
if (de.Properties.Contains(propertyName))
{
return de.Properties[propertyName][];
}
else
{
return "";
}
} ///
/// 获得指定搜索结果 中指定属性名对应的值
///
///
/// 属性名称
/// 属性值
public static object GetProperty(SearchResult searchResult, string propertyName)
{
if (searchResult.Properties.Contains(propertyName))
{
return searchResult.Properties[propertyName][];
}
else
{
return "";
}
} ///
/// 设置指定 的属性值
///
///
/// 属性名称
/// 属性值
public void SetProperty(DirectoryEntry entry, string propertyName, string propertyValue)
{
if (entry.Properties.Contains(propertyName))
{
if (string.IsNullOrEmpty(propertyValue))
{
object o = entry.Properties[propertyName].Value;
entry.Properties[propertyName].Remove(o);
}
else
{
entry.Properties[propertyName][] = propertyValue;
}
}
else
{
if (string.IsNullOrEmpty(propertyValue))
{
return;
}
entry.Properties[propertyName].Add(propertyValue);
} } #endregion #region Management ///
/// 创建新的用户
///
/// DN 位置。例如:OU=共享平台 或 CN=Users
/// 公共名称
/// 帐号
/// 密码
///
public static DirectoryEntry CreateNewUser(string ldapDN, string commonName, string sAMAccountName, string password)
{
DirectoryEntry entry = GetDirectoryObject();
DirectoryEntry subEntry = entry.Children.Find(ldapDN);
DirectoryEntry deUser = subEntry.Children.Add("CN=" + commonName, "user");
deUser.Properties["sAMAccountName"].Value = sAMAccountName;
deUser.CommitChanges();
ADHelper.SetPassword(commonName, password);
ADHelper.EnableUser(commonName);
deUser.Close();
return deUser;
} ///
/// 创建新的用户。默认创建在 Users 单元下。
///
/// 公共名称
/// 帐号
/// 密码
///
public static DirectoryEntry CreateNewUser(string commonName, string sAMAccountName, string password)
{
return CreateNewUser("CN=Users", commonName, sAMAccountName, password);
} ///
/// 判断指定公共名称的用户是否存在
///
/// 用户公共名称
/// 如果存在,返回 true;否则返回 false
public static bool IsUserExists(string commonName)
{
DirectoryEntry de = GetDirectoryObject();
DirectorySearcher deSearch = new DirectorySearcher(de);
deSearch.Filter = "(&(&(objectCategory=person)(objectClass=user))(cn=" + commonName + "))"; // LDAP 查询串
SearchResultCollection results = deSearch.FindAll(); if (results.Count == )
return false;
else
return true;
} ///
/// 判断用户帐号是否激活
///
/// 用户帐号属性控制器
/// 如果用户帐号已经激活,返回 true;否则返回 false
public static bool IsAccountActive(int userAccountControl)
{
int userAccountControl_Disabled = Convert.ToInt32(ADS_USER_FLAG_ENUM.ADS_UF_ACCOUNTDISABLE);
int flagExists = userAccountControl & userAccountControl_Disabled; if (flagExists > )
return false;
else
return true;
} ///
/// 判断用户与密码是否足够以满足身份验证进而登录
///
/// 用户公共名称
/// 密码
/// 如能可正常登录,则返回 true;否则返回 false
public static LoginResult Login(string commonName, string password)
{
DirectoryEntry de = GetDirectoryEntry(commonName); if (de != null)
{
// 必须在判断用户密码正确前,对帐号激活属性进行判断;否则将出现异常。
string sAMAccountName = de.Properties["sAMAccountName"].ToString();
de.Close();
if (GetDirectoryEntry(sAMAccountName, password, commonName) != null)
return LoginResult.LOGIN_USER_OK;
else
return LoginResult.LOGIN_USER_PASSWORD_INCORRECT;
}
else
{
return LoginResult.LOGIN_USER_DOESNT_EXIST;
}
} ///
/// 判断用户帐号与密码是否足够以满足身份验证进而登录
///
/// 用户帐号(不包含域名)
/// 密码
/// 如能可正常登录,则返回 true;否则返回 false
public static LoginResult LoginByAccount(string sAMAccountName, string password)
{
ADHelper.DomainName = sAMAccountName.Split('\\')[]; if (sAMAccountName.IndexOf('\\') > -)
{
sAMAccountName = sAMAccountName.Split('\\')[].Trim('\\');
}
DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName); //判断该用户是否存在
if (de != null)
{
// 必须在判断用户密码正确前,对帐号激活属性进行判断;否则将出现异常。
de.Close();
if (GetDirectoryEntryByAccount(sAMAccountName, password) != null)
return LoginResult.LOGIN_USER_OK;
else
return LoginResult.LOGIN_USER_PASSWORD_INCORRECT;
}
else
{
return LoginResult.LOGIN_USER_DOESNT_EXIST;
}
} ///
/// 设置用户密码,管理员可以通过它来修改指定用户的密码。
///
/// 用户公共名称
/// 用户新密码
public static void SetPassword(string commonName, string newPassword)
{
DirectoryEntry de = GetDirectoryEntry(commonName); // 模拟超级管理员,以达到有权限修改用户密码
impersonate.BeginImpersonate();
de.Invoke("SetPassword", new object[] { newPassword });
impersonate.StopImpersonate(); de.Close();
}
///
/// 修改用户密码
///
/// 用户公共名称
/// 旧密码
/// 新密码
public static void ChangeUserPassword(string commonName, string oldPassword, string newPassword)
{
// to-do: 需要解决密码策略问题
DirectoryEntry oUser = GetDirectoryEntry(commonName);
oUser.Invoke("ChangePassword", new Object[] { oldPassword, newPassword });
oUser.Close();
} ///
/// 启用指定公共名称的用户
///
/// 用户公共名称
public static void EnableUser(string commonName)
{
EnableUser(GetDirectoryEntry(commonName));
} ///
/// 启用指定 的用户
///
///
public static void EnableUser(DirectoryEntry de)
{
impersonate.BeginImpersonate();
de.Properties["userAccountControl"][] = ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_NORMAL_ACCOUNT | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD;
de.CommitChanges();
impersonate.StopImpersonate();
de.Close();
} ///
/// 禁用指定公共名称的用户
///
/// 用户公共名称
public static void DisableUser(string commonName)
{
DisableUser(GetDirectoryEntry(commonName));
} ///
/// 禁用指定 的用户
///
///
public static void DisableUser(DirectoryEntry de)
{
impersonate.BeginImpersonate();
de.Properties["userAccountControl"][] = ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_NORMAL_ACCOUNT | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_DONT_EXPIRE_PASSWD | ADHelper.ADS_USER_FLAG_ENUM.ADS_UF_ACCOUNTDISABLE;
de.CommitChanges();
impersonate.StopImpersonate();
de.Close();
} ///
/// 将指定的用户添加到指定的组中。默认为 Users 下的组和用户。
///
/// 用户公共名称
/// 组名
public static void AddUserToGroup(string userCommonName, string groupName)
{
DirectoryEntry oGroup = GetDirectoryEntryOfGroup(groupName);
DirectoryEntry oUser = GetDirectoryEntry(userCommonName); impersonate.BeginImpersonate();
oGroup.Properties["member"].Add(oUser.Properties["distinguishedName"].Value);
oGroup.CommitChanges();
impersonate.StopImpersonate(); oGroup.Close();
oUser.Close();
} ///
/// 将用户从指定组中移除。默认为 Users 下的组和用户。
///
/// 用户公共名称
/// 组名
public static void RemoveUserFromGroup(string userCommonName, string groupName)
{
DirectoryEntry oGroup = GetDirectoryEntryOfGroup(groupName);
DirectoryEntry oUser = GetDirectoryEntry(userCommonName); impersonate.BeginImpersonate();
oGroup.Properties["member"].Remove(oUser.Properties["distinguishedName"].Value);
oGroup.CommitChanges();
impersonate.StopImpersonate(); oGroup.Close();
oUser.Close();
} #endregion Management #region Client private static DirectoryEntry InitEntry(string condition)
{
DirectoryEntry entry = null;
DirectorySearcher searcher = new DirectorySearcher(condition); if (ADHelper.ADUser != "")
{
searcher.SearchRoot.Username = ADHelper.ADUser;
searcher.SearchRoot.Password = ADHelper.ADPassword;
}
SearchResult result = searcher.FindOne();
if (result == null)
{
return null;
}
if (ADHelper.ADUser != "")
{
entry = new DirectoryEntry(result.Path, ADHelper.ADUser, ADHelper.ADPassword);
}
else
{
entry = new DirectoryEntry(result.Path);
}
entry.RefreshCache();
return entry;
} public static string ExtractUserName(string userName)
{
int index = userName.IndexOf(@"\");
string str = userName;
if (index != -)
{
str = userName.Substring(index + , (userName.Length - index) - );
}
else
{
index = userName.IndexOf("@");
if (index != -)
{
str = userName.Substring(index + , (userName.Length - index) - );
}
}
return str;
} public static string[] GetMembersOfGroup(string groupName)
{
DirectoryEntry entry = InitEntry("(&(objectClass=group)(cn=" + groupName + "))");
DirectoryEntry entry2 = new DirectoryEntry();
string[] strArray = new string[entry.Properties["member"].Count];
for (int i = ; i < strArray.Length; i++)
{
entry2 = new DirectoryEntry("LDAP://" + entry.Properties["member"][i]);
strArray[i] = entry2.Properties["sAMAccountName"].Value.ToString();
}
return strArray;
} public static string GetDisplayName(string userName)
{
DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(userName) + "))");
if (entry == null)
{
throw new Exception("Could not found the badge number: " + userName);
}
string str = "";
if (entry.Properties.Contains("displayName"))
{
str = str + entry.Properties["displayName"].Value.ToString();
}
return str;
} public static string GetUserMail(string userName)
{
DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(userName) + "))");
if (entry == null)
{
throw new Exception("Could not found the badge number: " + userName);
}
object obj = ADHelper.GetProperty(entry, "mail");
return (obj == null) ? "" : obj.ToString();
} public static string GetUserEnglishName(string userName)
{
DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(userName) + "))");
if (entry == null)
{
throw new Exception("Could not found the badge number: " + userName);
}
string str = "";
if (entry.Properties.Contains("givenName"))
{
str = str + entry.Properties["givenName"].Value.ToString();
}
if (entry.Properties.Contains("sn"))
{
str = str + " " + entry.Properties["sn"].Value.ToString();
}
return str;
} public static string[] GetGroupsOfUser(string userName)
{
DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(userName) + "))");
if (entry == null)
{
return null;
}
DirectoryEntry entry2 = new DirectoryEntry();
string[] strArray = new string[entry.Properties["memberOf"].Count];
for (int i = ; i < strArray.Length; i++)
{
entry2 = new DirectoryEntry("LDAP://" + entry.Properties["memberOf"][i]);
strArray[i] = entry2.Properties["name"].Value.ToString();
}
return strArray;
} public static string GetUserAccountByEmail(string email)
{
DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(mail=" + ExtractUserName(email) + "))");
if (entry == null)
{
throw new Exception("Could not find the email:" + email);
}
return entry.Properties["sAMAccountName"].Value.ToString();
} public static string GetUserAccountByEmailORAccount(string emailOrAccount)
{
if (IsAccount(emailOrAccount))
{
return emailOrAccount;
}
return GetUserAccountByEmail(emailOrAccount);
} public static string GetUserNameByEmail(string email)
{
DirectoryEntry entry = InitEntry("(&(&(objectCategory=person)(objectClass=user))(mail=" + ExtractUserName(email) + "))");
if (entry == null)
{
throw new Exception("Could not found the email: " + email);
}
return DomainName + "\\" + entry.Properties["sAMAccountName"].Value.ToString();
} public static bool IsAccount(string rawAccount)
{
if (InitEntry("(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + ExtractUserName(rawAccount) + "))") == null)
{
return false;
}
return true;
} #endregion Client }
///
/// 用户模拟角色类。实现在程序段内进行用户角色模拟。
///
public class IdentityImpersonation
{
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool LogonUser(String lpszUsername, String lpszDomain, String lpszPassword, int dwLogonType, int dwLogonProvider, ref IntPtr phToken); [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int SECURITY_IMPERSONATION_LEVEL, ref IntPtr DuplicateTokenHandle); [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public extern static bool CloseHandle(IntPtr handle); // 要模拟的用户的用户名、密码、域(机器名)
private String _sImperUsername;
private String _sImperPassword;
private String _sImperDomain;
// 记录模拟上下文
private WindowsImpersonationContext _imperContext;
private IntPtr _adminToken;
private IntPtr _dupeToken;
// 是否已停止模拟
private Boolean _bClosed; private WindowsIdentity fakeId;
public WindowsIdentity Identity
{
get
{
return this.fakeId;
}
} ///
/// 构造函数
///
/// 所要模拟的用户的用户名
/// 所要模拟的用户的密码
/// 所要模拟的用户所在的域
public IdentityImpersonation(String impersonationUsername, String impersonationPassword, String impersonationDomain)
{
_sImperUsername = impersonationUsername;
_sImperPassword = impersonationPassword;
_sImperDomain = impersonationDomain; _adminToken = IntPtr.Zero;
_dupeToken = IntPtr.Zero;
_bClosed = true;
} ///
/// 析构函数
///
~IdentityImpersonation()
{
if (!_bClosed)
{
StopImpersonate();
}
} ///
/// 开始身份角色模拟。
///
///
public Boolean BeginImpersonate()
{
Boolean bLogined = LogonUser(_sImperUsername, _sImperDomain, _sImperPassword, , , ref _adminToken);
if (!bLogined)
{
return false;
}
Boolean bDuped = DuplicateToken(_adminToken, , ref _dupeToken);
if (!bDuped)
{
return false;
}
fakeId = new WindowsIdentity(_dupeToken);
_imperContext = fakeId.Impersonate();
_bClosed = false;
return true;
} ///
/// 开始身份角色模拟。
///
///
public Boolean BeginImpersonate(string type)
{
Boolean bLogined = LogonUser(_sImperUsername, _sImperDomain, _sImperPassword, , , ref _adminToken);
if (!bLogined)
{
return false;
}
fakeId = new WindowsIdentity(_adminToken, type, WindowsAccountType.Normal, true);
_imperContext = fakeId.Impersonate();
_bClosed = false;
return true;
}
///
/// 停止身分角色模拟。
///
public void StopImpersonate()
{
_imperContext.Undo();
CloseHandle(_dupeToken);
CloseHandle(_adminToken);
_bClosed = true;
}
}