I am using Active Directory in a custom MembershipProvider class to authenticate users in an ASP.NET 2.0 intranet application and associate their sid with a profile for the application.
When the ActiveDirectoryMembershipProvider is used, the ProviderUserKey object for the MembershipUser is as follows:
using System.Security.Principal;
using System.Web.Security;

// ActiveDirectoryMembershipProvider exposes the user's SID as the ProviderUserKey
SecurityIdentifier sid = (SecurityIdentifier)Membership.GetUser().ProviderUserKey;
string sidValue = sid.ToString();
/* sidValue = "S-1-5-21-XXXX-XXXX-XXXX-YY" */
As I understand it, YY is the principal within the namespace (also referred to as a group/domain).
When using the custom MembershipProvider, I can get the sid using the objectSid property of a DirectoryEntry object:
using System.DirectoryServices;
using System.Security.Principal;

// Bind to the directory with the credentials supplied at login
DirectoryEntry entry = new DirectoryEntry(path, username, password);
// objectSid holds the binary form of the SID; 0 is the offset into the byte array
SecurityIdentifier sid = new SecurityIdentifier((byte[])entry.Properties["objectSid"].Value, 0);
string sidValue = sid.ToString();
/* sidValue = "S-1-5-21-XXXX-XXXX-XXXX" */
The sidValue in this case is identical, except it does not contain the principal YY.
My question is two-fold:
- Is the principal required in order to uniquely identify an individual?
- Is it possible to obtain the principal from the DirectoryEntry object (or through any other classes available in System.DirectoryServices)?
EDIT:
Having done some further reading ({1} {2}), I now know that the sid can change if the user is moved from one group/domain to another. In light of this, would using the GUID defined in the DirectoryEntry Properties["objectGUID"] be a better choice for uniquely identifying a user?
1 Answer
#1
3
The objectGUID is the best choice for identifying a user account. I highlight this because the objectGUID is unique and fixed for an instance of an account. If you delete and recreate the account with the same distinguishedName, you'll get a different objectGUID. So, objectGUID doesn't identify the user; it identifies the account.
So, if you want to identify the account, use objectGUID.
Sometimes, accounts can be deleted and recreated by admins to solve problems. If you need to identify the user even after this has happened, you need to pick something else on the account object. That will probably have to depend on your account definition policies. Maybe you have sAMAccountNames that are not based on the user's name? Maybe the admins populate employeeID or employeeNumber? Maybe they enforce uniqueness for displayNames?
Here's a link to AD attribute info. Here's a link to DirectoryEntry Properties.
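The following is an added example illustrating the question's two snippets and the answer above; it is not code from either post. It shows that the binary objectSid attribute already ends in the RID (the trailing sub-authority, the "YY" in the question), how `SecurityIdentifier.AccountDomainSid` separates the domain prefix from it, how to turn the 16-byte objectGUID into a `System.Guid`, and how to find the account again later from either stored value with a `DirectorySearcher` (binary values are escaped as `\HH` per RFC 4515). The SID and GUID bytes in `Main` are constructed so that part runs without a directory; the `LDAP://DC=example,DC=com` path in the comment is a hypothetical placeholder.

```csharp
using System;
using System.DirectoryServices;
using System.Security.Principal;
using System.Text;

// Added example, not code from the question or the answer.
public static class AdIdentifiers
{
    // objectSid layout: revision, sub-authority count, 6-byte authority,
    // then 4-byte little-endian sub-authorities. The last one is the RID.
    public static SecurityIdentifier SidFromObjectSid(byte[] objectSid)
    {
        return new SecurityIdentifier(objectSid, 0);
    }

    // "S-1-5-21-X-Y-Z" without the RID (null for non-domain SIDs such as S-1-1-0).
    public static SecurityIdentifier DomainSid(SecurityIdentifier sid)
    {
        return sid.AccountDomainSid;
    }

    // The RID: the principal's identifier within its domain.
    public static uint Rid(SecurityIdentifier sid)
    {
        string[] parts = sid.Value.Split('-');
        return uint.Parse(parts[parts.Length - 1]);
    }

    // objectGUID is 16 raw bytes in exactly the layout Guid(byte[]) expects.
    public static Guid GuidFromObjectGuid(byte[] objectGuid)
    {
        return new Guid(objectGuid);
    }

    // RFC 4515 escaping of a binary value for use in an LDAP filter.
    public static string EscapeForFilter(byte[] value)
    {
        StringBuilder sb = new StringBuilder(value.Length * 3);
        foreach (byte b in value)
            sb.Append('\\').Append(b.ToString("x2"));
        return sb.ToString();
    }

    // Re-find the account by the GUID stored in the profile. Returns null when
    // nothing has that GUID, which is what happens after an admin deletes and
    // recreates the account (the answer's caveat).
    public static SearchResult FindByObjectGuid(DirectoryEntry searchRoot, Guid guid)
    {
        using (DirectorySearcher searcher = new DirectorySearcher(searchRoot))
        {
            searcher.Filter = "(objectGUID=" + EscapeForFilter(guid.ToByteArray()) + ")";
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne();
        }
    }

    // Re-find by SID. After a cross-domain migration the old SID survives only
    // in sIDHistory (if it was populated), so both attributes are checked.
    public static SearchResult FindBySid(DirectoryEntry searchRoot, SecurityIdentifier sid)
    {
        byte[] raw = new byte[sid.BinaryLength];
        sid.GetBinaryForm(raw, 0);
        string escaped = EscapeForFilter(raw);
        using (DirectorySearcher searcher = new DirectorySearcher(searchRoot))
        {
            searcher.Filter = "(|(objectSid=" + escaped + ")(sIDHistory=" + escaped + "))";
            searcher.PropertiesToLoad.Add("distinguishedName");
            return searcher.FindOne();
        }
    }

    public static void Main()
    {
        // Constructed objectSid for S-1-5-21-1-2-3-1000 (no directory required).
        byte[] objectSid = {
            0x01, 0x05,                         // revision 1, 5 sub-authorities
            0x00, 0x00, 0x00, 0x00, 0x00, 0x05, // NT authority
            0x15, 0x00, 0x00, 0x00,             // 21
            0x01, 0x00, 0x00, 0x00,             // 1  } domain
            0x02, 0x00, 0x00, 0x00,             // 2  } part
            0x03, 0x00, 0x00, 0x00,             // 3  }
            0xE8, 0x03, 0x00, 0x00              // 1000 = RID
        };
        SecurityIdentifier sid = SidFromObjectSid(objectSid);
        Console.WriteLine(sid.Value);            // S-1-5-21-1-2-3-1000
        Console.WriteLine(DomainSid(sid).Value); // S-1-5-21-1-2-3
        Console.WriteLine(Rid(sid));             // 1000

        // Constructed 16-byte objectGUID value.
        byte[] objectGuid = { 0x10, 0x32, 0x54, 0x76, 0x98, 0xBA, 0xDC, 0xFE,
                              0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF };
        Guid guid = GuidFromObjectGuid(objectGuid);
        Console.WriteLine(guid);                 // 76543210-ba98-fedc-0123-456789abcdef
        Console.WriteLine("(objectGUID=" + EscapeForFilter(guid.ToByteArray()) + ")");

        // Against a real directory (hypothetical path):
        // using (DirectoryEntry root = new DirectoryEntry("LDAP://DC=example,DC=com"))
        //     Console.WriteLine(FindByObjectGuid(root, guid) == null ? "not found" : "found");
    }
}
```

Store the `Guid` (or `guid.ToByteArray()`) as the profile key and use `FindByObjectGuid` to resolve it; a null result means the account instance no longer exists, and at that point only an attribute carried over by policy (employeeID, employeeNumber, a stable sAMAccountName) can link the profile to the recreated account, as the answer says.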