What is the best way to store a reference to an AD group?

Time: 2023-02-07 02:56:51

I'm writing an intranet application for a client and I want to give them the ability to configure through an admin interface, which users and user groups can access certain areas. What I'd like to know is the best way of storing the reference to the user or group that is assigned to an area of the intranet.

Should I be using the domain\username and domain\groupname strings, or should I perhaps be using the fully qualified AD name, i.e. ou=computer room;cn=blah etc.?

I will be storing the reference in SQL.

3 solutions

#1

0
I would use domain\group in case the group gets moved or deleted/recreated. Using CN is brittle in the face of changes to the OU structure. SIDs are not human readable and will break if the object is deleted/recreated.

#2

0
Personally, I believe that the "Domain\Username" format is sufficiently readable.

Also, if you were editing the SQL table directly, you could pretty easily insert a record for a user for testing or debugging purposes.

#3

0
If you want to be absolutely sure you have the right user / group you could use the SID (security identifier that exists on any object in Active Directory that can be assigned permissions, and it's a GUID).

I am not sure what the context of the application is, but perhaps look at using Active Directory security to stop users from going to places they should not be going, or if it is not a high volume site, some of that could perhaps be done with integrated authentication, and doing the security validation on SQL.

I have had frustrations with LDAP queries and AD, as different domain controllers can sometimes give different answers, or not even find the object, or require you to log in before you can query AD.
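The SID option from the answer above, as an added example (not from the question or any of the answers): decoding the binary objectSid that LDAP returns into the canonical "S-1-5-21-..." string so it can be stored and compared in SQL, encoding it back, and checking a user's token SIDs against the SIDs stored for an intranet area. The SID bytes below are constructed.

```python
"""Round-trip an Active Directory objectSid between the binary form LDAP
returns and the canonical "S-1-5-21-..." string that can be stored in SQL.
Added example (not from the question or the answers); SID values constructed."""
import struct

# Constructed objectSid: domain S-1-5-21-1000-2000-3000, group RID 1105.
SAMPLE_OBJECTSID = (
    b"\x01\x05\x00\x00\x00\x00\x00\x05"  # revision 1, 5 sub-authorities, authority 5
    b"\x15\x00\x00\x00\xe8\x03\x00\x00"  # 21, 1000 (little-endian uint32 each)
    b"\xd0\x07\x00\x00\xb8\x0b\x00\x00"  # 2000, 3000
    b"\x51\x04\x00\x00"                  # 1105 (the group's RID)
)


def sid_bytes_to_string(blob: bytes) -> str:
    """Decode a binary SID to its SDDL string form, validating the layout."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(blob) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit big-endian
    subs = struct.unpack_from(f"<{sub_count}I", blob, 8)  # little-endian uint32s
    return "-".join(["S", str(revision), str(authority), *(str(s) for s in subs)])


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode "S-1-5-21-..." back to binary, e.g. for an LDAP objectSid filter."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


def may_access(token_sids, area_sids) -> bool:
    """Does any SID in the user's token (user SID plus group SIDs) match a SID
    stored for the area? SID matching survives group renames and OU moves, but
    a deleted and recreated group gets a new SID and must be re-assigned."""
    return not set(token_sids).isdisjoint(area_sids)
```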
