Active Directory:检索用户信息

作者: 搁浅大哥哥
来源: 51数据库
2022-10-21

问题描述

我有一个 Web 应用程序，它使用我们的 Active Directory 针对 Windows 身份验证运行.我有一个新要求，从 Active Directory 条目中提取一些个人信息.获取这些信息的最简单方法是什么?

I've got a web application that is running against Windows Authentication using our Active Directory. I've got a new requirement to pull some personal information through from the Active Directory entry. What would be the easiest way to get access to this information?

推荐答案

通过 DirectoryEntry 直接访问用户似乎是最直接的方法.以下是我从我的第一个 AD 相关项目中学到的一些 AD 相关花絮:

Accessing the user directly through a DirectoryEntry seems like the most straightforward approach. Here are some AD-related tidbits I learned from my first AD-related project:

在 URI 中，以小写形式写入 LDAP.否则你会得到一个神秘的错误.我在这个令人沮丧的问题上花了一天多的时间......
要清除单值属性，请将其设置为空字符串，而不是 null.Null 会导致异常.
要清除多值属性，请使用 DirectoryEntry.Property.Clear() 方法.
Active Directory 架构参考将说明值将是哪种数据类型以及它是多值还是单值.
您不需要在 Directoryentry 上手动 RefreshCache() 但如果您曾经使用它并指定要缓存的属性，请知道它将来不会自动检索任何其他属性.
在您使用 System.DirectoryServices 中的类的任何时候都可以抛出 COMException.留意那些 try 块.不要假设任何事情都是安全的.

如果您不知道用户的目录条目，则可能需要使用 DirectorySearcher 来获取用户的目录条目(您不会，只要让他登录即可).使用它相当容易，但要注意 LDAP 语法中的怪癖；即，必须对非 ASCII(和其他?)字符进行编码.您使用的搜索字符串可能类似于:(&(sAMAccountName=whatever)(class=user)).这在我的脑海里，可能有点不正确.

You'll probably need to use DirectorySearcher to get your user's directory entry if you don't know its path (which you wouldn't, just by having him logged in). Using it was fairly easy but beware of the quirks in LDAP syntax; namely, having to encode non-ASCII (and other?) characters. The search string you'd use would probably be something like: (&(sAMAccountName=whatever)(class=user)). This is off the top of my head and may be slightly incorrect.

Active Directory 架构参考有用.请了解架构可以修改和扩展(例如，安装 Exchange 会向用户添加邮箱信息).

The Active Directory schema reference will be useful. Do understand that the schema can be modified and extended (e.g. installing Exchange will add mailbox information to users).

AD Explorer 是一个有用的工具，可用于调试和低级 AD 数据管理.当我知道要设置哪个属性但在 AD 管理工具中找不到正确的对话框时，我发现它很有用.

AD Explorer is a useful tool which you can use for debugging and low-level AD data management. I've found it useful when I know which property I want to set but cannot find the right dialog box in the AD management tool.