Problem description
I have two domains, in a trusted relationship, that I'm trying to manage from a C# web application. To do that, I have to impersonate two different technical users, but that works well, so I will not emphasize that part of the code.
To build proper and easy to manage ACLs for the file system, I must
- create a group in domain A (OK!)
- find a user in domainB (OK!)
- add the user to the group (fails when committing the changes, with the error message: There is no such object on the server. (Exception from HRESULT: 0x80072030))
If I'm adding a user from the same domain, the code works perfectly, so I believe I'm only missing a small partial info here. I used this document as a reference and saw this question as well (and a few more citing this error message) but neither of them helped.
Code (try-catch block removed to make it simpler)
// de is a DirectoryEntry object of the AD group, received by the method as a parameter
// first impersonation to search in domainB
// works all right
if (impersonator.impersonateUser("techUser1", "domainB", "pass")) {
    DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass");
    de.Invoke("Add", new object[] { "LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" });
    // de.Invoke("Add", new object[] { "LDAP://domainA.company.com/CN=anotherUserFromDomainA,OU=AnotherOU,DC=domainB,DC=company,DC=com" });
    impersonator.undoImpersonation();
}
// second impersonation because the group (de) is in domainA
// and techUser2 has account operator privileges there
if (impersonator.impersonateUser("techUser2", "domainA", "pass"))
{
    de.CommitChanges();
    impersonator.undoImpersonation();
    return true;
}
else
{
    // second impersonation was unsuccessful, so return an empty object
    return false;
}
Line 6 works; if I debug it or force the properties to be written to the HttpResponse, it is clearly there. So the LDAP queries seem to be OK.
Also, if I comment out line 6 and uncomment 7, so basically I add a user from the same domain, the whole thing works miraculously. With domainB, I'm stuck. Any good piece of advice?
Recommended answer
Following your code, I see that you're getting de as a parameter, which is in Domain A. Then you're creating a DirectoryEntry object dom, which is getting impersonated, but never getting used. However, you're trying to add an object from Domain B to de directly using LDAP. This line:
de.Invoke("Add", new object[] { "LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" });
is not impersonated.
Assuming your impersonation works correctly, use the dom object, which is already impersonated, with a DirectorySearcher to find the user in Domain B, and then add the user object from Domain B to de.
...
using (DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass"))
{
    using (DirectorySearcher searcher = new DirectorySearcher(dom))
    {
        searcher.Filter = "(&(objectClass=user)(CN=theUserIWantToAdd))";
        SearchResult result = searcher.FindOne();
        if (result != null) // FindOne returns null when nothing matches the filter
        {
            de.Invoke("Add", new object[] { result.Path });
        }
    }
}
...
UPDATE
This example will show you how to get the user SID from one domain, search for the group in another domain, and add the user to the group using the SID.
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// domainBContext and domainAContext are PrincipalContext objects bound to each domain
// (the original snippet used one domainContext for both lookups; two separate ones are assumed here)
static void AddUserToGroupBySid(PrincipalContext domainBContext, PrincipalContext domainAContext,
                                string UPN, string groupName)
{
    //GET THE USER FROM DOMAIN B
    using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(domainBContext, UPN))
    {
        if (userPrincipal != null)
        {
            //FIND THE GROUP IN DOMAIN A
            using (GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(domainAContext, groupName))
            {
                if (groupPrincipal != null)
                {
                    //CHECK TO MAKE SURE USER IS NOT IN THAT GROUP
                    if (!userPrincipal.IsMemberOf(groupPrincipal))
                    {
                        // the <SID=...> binding form lets domain A resolve a principal from domain B
                        string userSid = string.Format("<SID={0}>", userPrincipal.Sid.ToString());
                        DirectoryEntry groupDirectoryEntry = (DirectoryEntry)groupPrincipal.GetUnderlyingObject();
                        groupDirectoryEntry.Properties["member"].Add(userSid);
                        groupDirectoryEntry.CommitChanges();
                    }
                }
            }
        }
    }
}
Please note that I skipped all the impersonation in the above code.
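As an added example (not code from the question or the answer above), the following shows the SID-based add with the 0x80072030 failure handled explicitly, and then verifies the membership from domain A's side, where the stored member is the foreignSecurityPrincipal whose CN is the SID string rather than the domain B user's DN. The method name, groupPath, memberSid, user and password are assumed names.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;

static class TrustedGroupMembership
{
    // Added example. groupPath is the LDAP path of the group in domain A, memberSid the SID of
    // the user located in domain B (e.g. UserPrincipal.Sid), user/password the credentials
    // allowed to modify the group. All names are assumed, not taken from the original post.
    public static bool AddTrustedDomainUserToGroup(string groupPath, SecurityIdentifier memberSid,
                                                   string user, string password)
    {
        using (var group = new DirectoryEntry(groupPath, user, password))
        {
            // A domain A DC cannot resolve a distinguished name that lives in domain B (which is
            // what produces 0x80072030), but it can resolve a SID binding string and maps it to a
            // foreignSecurityPrincipal object of its own.
            string sidBinding = "<SID=" + memberSid.Value + ">";
            group.Properties["member"].Add(sidBinding);
            try
            {
                group.CommitChanges();
            }
            catch (COMException ex) when (ex.ErrorCode == unchecked((int)0x80072030))
            {
                // "There is no such object on the server": domain A could not map the SID,
                // typically because the trust does not cover the domain the SID belongs to.
                return false;
            }

            // Verify from domain A's side: re-read member and look for the FSP entry, whose
            // CN is the SID string itself (CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,...).
            group.RefreshCache(new[] { "member" });
            string expectedPrefix = "CN=" + memberSid.Value + ",";
            foreach (string memberDn in group.Properties["member"])
            {
                if (memberDn.StartsWith(expectedPrefix, StringComparison.OrdinalIgnoreCase))
                {
                    return true;
                }
            }
            return false;
        }
    }
}
```

The read-back is what distinguishes a committed cross-domain membership from a member value that only sits in the local property cache.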
這篇關于將成員從受信任的域添加到 AD 組的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!