我有两个域,处于信任关系中,我试图从 C# Web 应用程序管理它们.为此,我必须模拟两个不同的技术用户,但效果很好,所以我不会强调那部分代码.
I have two domains, in a trusted relationship, that I'm trying to manage from a C# web application. To do that, I have to impersonate two different technical users, but that works good, so I will not emphasize that part of the code.
要为文件系统构建适当且易于管理的 ACL,我必须
To build proper and easy to manage ACLs for the file system, I must
服务器上没有此类对象.(来自 HRESULT 的异常:0x80072030)
)如果我添加来自同一个域的用户,则代码运行良好,所以我相信我在这里只遗漏了一小部分信息.我使用本文档作为参考看到了这个问题 以及(还有一些引用此错误消息),但它们都没有帮助.
If I'm adding a user from the same domain, the code works perfectly, so I believe I'm only missing a small partial info here. I used this document as a reference and saw this question as well (and a few more citing this error message) but neither of them helped.
代码(删除了try-catch块以使其更简单)
Code (try-catch block removed to make it simpler)
// de is a DirectoryEntry object of the AD group, received by the method as a parameter
// first impersonation to search in domainB
// works all right
if (impersonator.impersonateUser("techUser1", "domainB", "pass")) {
DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass");
de.Invoke("Add", new object[] { "LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" });
// de.Invoke("Add", new object[] { "LDAP://domainA.company.com/CN=anotherUserFromDomainA,OU=AnotherOU,DC=domainB,DC=company,DC=com" });
impersonator.undoImpersonation();
}
// second impersonation because the group (de) is in domainA
// and techUser2 has account operator privileges there
if (impersonator.impersonateUser("techUser2", "domainA", "pass"))
{
de.CommitChanges();
impersonator.undoImpersonation();
return true;
}
else
{
// second impersonation was unsuccessful, so return an empty object
return false;
}
第 6 行有效,如果我调试它或强制将属性写入 HttpResponse,它显然就在那里.所以 LDAP 查询似乎没问题.
Line 6 works, if I debug it or force the properties to be written to HttpResponse, it is clearly there. So the LDAP queries seem to be OK.
此外,如果我注释掉第 6 行并取消注释第 7 行,那么基本上我添加了一个来自同一域的用户,整个事情会奇迹般地运行.对于域B,我被卡住了.有什么好的建议吗?
Also, if I comment out line 6 and uncomment 7, so basically I add a user from the same domain, the whole thing works miraculously. With domainB, I'm stuck. Any good piece of advice?
按照你的代码,我看到你得到 de
作为参数,它在 Domain A代码>.然后你正在创建
DirectoryEntry
对象 dom
,它被 模拟
,但从未被使用过.但是,您正在尝试使用 LDAP
直接将对象从 Domain B
添加到 de
.这一行:
Following your code, I see that you're getting de
as a parameter, which is in Domain A
. Then you're creating DirectoryEntry
object dom
, which is getting impersonated
, but never getting used. However, you're trying to add an object from Domain B
to de
directly using LDAP
. This line:
de.Invoke("Add", new object[{"LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" });
没有被模拟
.
假设您的 impersonation
工作正常, 使用 dom
对象,该对象已经 impersonated
和 DirectorySearcher
在Domain B
中找到用户,然后将Domain B
中的用户对象添加到de
.
Assuming your impersonation
works correctly, use dom
object which is already impersonated
with DirectorySearcher
to find the user in Domain B
and then add the user object from Domain B
to de
.
...
using (DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass"))
{
using (DirectorySearcher searcher = new DirectorySearcher(dom))
{
searcher.Filter = "(&(objectClass=user)(CN=theUserIWantToAdd))";
SearchResult result = searcher.FindOne();
de.Invoke("Add", new object[] { result.Path });
}
}
...
此示例将向您展示如何从一个域中获取用户 SID
、从另一个域中搜索组并使用 SID
将用户添加到组中.
This example will show you how to get user SID
from one domain, search group from another domain and add user to group using SID
.
//GET THE USER FROM DOMAIN B
using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(domainContext, UPN))
{
if (userPrincipal != null)
{
//FIND THE GROUP IN DOMAIN A
using (GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(domainContext, groupName))
{
if (groupPrincipal != null)
{
//CHECK TO MAKE SURE USER IS NOT IN THAT GROUP
if (!userPrincipal.IsMemberOf(groupPrincipal))
{
string userSid = string.Format("<SID={0}>", userPrincipal.SID.ToString());
DirectoryEntry groupDirectoryEntry = (DirectoryEntry)groupPrincipal.GetUnderlyingObject();
groupDirectoryEntry.Properties["member"].Add(userSid);
groupDirectoryEntry.CommitChanges();
}
}
}
}
}
请注意,我跳过了上面代码中的所有impersonation
.
Please note that I skipped all the impersonation
in the above code.
这篇关于将成员从受信任的域添加到 AD 组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持html5模板网!