使用 ASP.NET Boilerplate/Module-Zero 覆盖默认的 LDAP 用户创建行为
Override default LDAP user creation behavior with ASP.NET Boilerplate/Module-Zero
首先要说明的是,ASP.NET Boilerplate 的 Module-Zero LDAP 集成本身是按预期工作的。
我的问题是我能否覆盖此模块的默认行为。
默认情况下,当 LDAP 用户首次对应用程序进行身份验证时,它会为每个用户生成一个用户帐户并为他们分配默认用户配置文件。
我的意图是拒绝用户访问,直到有人手动审核并批准他们的用户帐户并分配角色(基本上就是关闭自动用户创建)。
如果您对如何通过 ASP.NET Boilerplate/Module-Zero 实现此目标有任何想法,请分享。
请参考文档 How to create external authentication source(如何创建外部身份验证源)。
我认为您可以覆盖 CreateUserAsync 方法。LDAP 认证成功后,仍然创建新用户,但将其设置为非活动状态(IsActive = false),直到管理员手动激活并分配角色。
我通过实现自己的 LDAP 身份验证源来完成覆盖。以下是该类的代码,供有需要的人参考。注意:用户记录仍然会被创建,只是处于非活动状态;后续登录时 UpdateUserAsync 不会改动 IsActive,因此管理员的激活或停用决定会被保留。
using Abp;
using Abp.Zero.Ldap.Authentication;
using Abp.Zero.Ldap.Configuration;
using MCMT.Quotes.Authorization.Users;
using MCMT.Quotes.MultiTenancy;
using System.Threading.Tasks;
using System.DirectoryServices.AccountManagement;
namespace MCMT.Quotes.Authorization.Ldap
{
    /// <summary>
    /// LDAP authentication source that provisions directory users in a
    /// deactivated state. A directory user who authenticates for the first
    /// time gets a local <see cref="User"/> record with <c>IsActive = false</c>,
    /// so an administrator has to review the account and assign roles before
    /// the user can sign in.
    /// </summary>
    /// <remarks>
    /// Security notes (review):
    /// - A local record is still created for every directory user who
    ///   authenticates successfully; only the activation is withheld. If the
    ///   requirement is "no record at all until approval", throw instead of
    ///   returning an inactive user.
    /// - Denying access relies on the login pipeline honouring <c>IsActive</c>;
    ///   that check lives outside this class.
    /// - Identity attributes are copied from the directory as-is, and the
    ///   e-mail is flagged confirmed without any verification step here.
    /// </remarks>
    public class AppLdapAuthenticationSource : LdapAuthenticationSource<Tenant, User>
    {
        private readonly ILdapSettings _settings;
        private readonly IAbpZeroLdapModuleConfig _ldapModuleConfig;

        /// <summary>
        /// Creates the source. Both dependencies are forwarded to the base class
        /// and kept locally for the enabled checks below.
        /// </summary>
        /// <param name="settings">Per-tenant LDAP settings.</param>
        /// <param name="ldapModuleConfig">Global LDAP module configuration.</param>
        public AppLdapAuthenticationSource(ILdapSettings settings, IAbpZeroLdapModuleConfig ldapModuleConfig)
            : base(settings, ldapModuleConfig)
        {
            _settings = settings;
            _ldapModuleConfig = ldapModuleConfig;
        }

        /// <summary>
        /// Builds the local user for a directory account that has just
        /// authenticated for the first time, and leaves it deactivated.
        /// </summary>
        /// <param name="userNameOrEmailAddress">Identity the user authenticated with.</param>
        /// <param name="tenant">Current tenant, or <c>null</c> for the host.</param>
        /// <returns>The populated, inactive user. This method does not persist it.</returns>
        /// <exception cref="AbpException">
        /// LDAP is disabled globally or for the tenant, or the identity cannot be
        /// resolved in the directory.
        /// </exception>
        public override async Task<User> CreateUserAsync(string userNameOrEmailAddress, Tenant tenant)
        {
            await CheckIsEnabled(tenant);

            // NOTE(review): the base implementation may already resolve the
            // principal and fill the same fields; the lookup below is repeated
            // here so this override does not depend on that. Verify against the
            // Abp.Zero.Ldap version in use before removing the duplication.
            var newUser = await base.CreateUserAsync(userNameOrEmailAddress, tenant);

            using (var directory = await CreatePrincipalContext(tenant))
            {
                var principal = FindPrincipalOrThrow(directory, userNameOrEmailAddress);
                UpdateUserFromPrincipal(newUser, principal);

                // The directory is trusted for the address: no e-mail round-trip.
                newUser.IsEmailConfirmed = true;

                // Deliberately inactive. An administrator must enable the account
                // and assign roles before the first sign-in can succeed.
                newUser.IsActive = false;

                return newUser;
            }
        }

        /// <summary>
        /// Re-synchronises an existing local user from the directory on a later
        /// login. <c>IsActive</c> is not touched here, so an administrator's
        /// activation (or a later deactivation) is not undone by logging in.
        /// </summary>
        /// <param name="user">Existing local user to refresh.</param>
        /// <param name="tenant">Current tenant, or <c>null</c> for the host.</param>
        /// <exception cref="AbpException">
        /// LDAP is disabled, or the stored user name no longer resolves in the directory.
        /// </exception>
        public override async Task UpdateUserAsync(User user, Tenant tenant)
        {
            await CheckIsEnabled(tenant);
            await base.UpdateUserAsync(user, tenant);

            using (var directory = await CreatePrincipalContext(tenant))
            {
                // Lookup is by the stored user name (the SamAccountName written by
                // UpdateUserFromPrincipal), not by the identity typed at login.
                var principal = FindPrincipalOrThrow(directory, user.UserName);
                UpdateUserFromPrincipal(user, principal);
            }
        }

        /// <summary>
        /// Copies the identity attributes from the directory principal onto the
        /// local user. Values are taken verbatim; a directory attribute that is
        /// not set (e.g. no mail) is copied as <c>null</c>.
        /// </summary>
        /// <param name="user">Local user to update.</param>
        /// <param name="userPrincipal">Directory principal to read from.</param>
        protected override void UpdateUserFromPrincipal(User user, UserPrincipal userPrincipal)
        {
            user.UserName = userPrincipal.SamAccountName;
            user.Name = userPrincipal.GivenName;
            user.Surname = userPrincipal.Surname;
            user.EmailAddress = userPrincipal.EmailAddress;
        }

        /// <summary>
        /// Resolves <paramref name="identity"/> in the directory.
        /// </summary>
        /// <param name="directory">Open principal context to search.</param>
        /// <param name="identity">User name or e-mail address to look up.</param>
        /// <returns>The matching principal.</returns>
        /// <exception cref="AbpException">No matching principal exists.</exception>
        private static UserPrincipal FindPrincipalOrThrow(PrincipalContext directory, string identity)
        {
            var principal = UserPrincipal.FindByIdentity(directory, identity);
            if (principal == null)
            {
                throw new AbpException("Unknown LDAP user: " + identity);
            }

            return principal;
        }

        /// <summary>
        /// Throws unless LDAP authentication is switched on both globally and for
        /// the given tenant. Mirrors the base class check, which is not accessible
        /// from a derived class.
        /// </summary>
        /// <param name="tenant">Current tenant, or <c>null</c> for the host.</param>
        /// <exception cref="AbpException">LDAP is disabled at either level.</exception>
        private async Task CheckIsEnabled(Tenant tenant)
        {
            if (!_ldapModuleConfig.IsEnabled)
            {
                throw new AbpException("Ldap Authentication module is disabled globally!");
            }

            var tenantId = GetIdOrNull(tenant);
            var enabledForTenant = await _settings.GetIsEnabled(tenantId);
            if (enabledForTenant)
            {
                return;
            }

            throw new AbpException(
                "Ldap Authentication is disabled for given tenant (id:" + tenantId + ")! " +
                "You can enable it by setting '" + LdapSettingNames.IsEnabled + "' to true");
        }

        /// <summary>Tenant id, or <c>null</c> when running in the host context.</summary>
        /// <param name="tenant">Tenant, possibly <c>null</c>.</param>
        private static int? GetIdOrNull(Tenant tenant) => tenant?.Id;
    }
}
首先要说明的是,ASP.NET Boilerplate 的 Module-Zero LDAP 集成本身是按预期工作的。
我的问题是我能否覆盖此模块的默认行为。
默认情况下,当 LDAP 用户首次对应用程序进行身份验证时,它会为每个用户生成一个用户帐户并为他们分配默认用户配置文件。
我的意图是拒绝用户访问,直到有人手动审核并批准他们的用户帐户并分配角色(基本上就是关闭自动用户创建)。
如果您对如何通过 ASP.NET Boilerplate/Module-Zero 实现此目标有任何想法,请分享。
请参考文档 How to create external authentication source(如何创建外部身份验证源)。
我认为您可以覆盖 CreateUserAsync 方法。LDAP 认证成功后,仍然创建新用户,但将其设置为非活动状态(IsActive = false),直到管理员手动激活并分配角色。
我通过实现自己的 LDAP 身份验证源来完成覆盖。以下是该类的代码,供有需要的人参考。注意:用户记录仍然会被创建,只是处于非活动状态;后续登录时 UpdateUserAsync 不会改动 IsActive,因此管理员的激活或停用决定会被保留。
using Abp;
using Abp.Zero.Ldap.Authentication;
using Abp.Zero.Ldap.Configuration;
using MCMT.Quotes.Authorization.Users;
using MCMT.Quotes.MultiTenancy;
using System.Threading.Tasks;
using System.DirectoryServices.AccountManagement;
namespace MCMT.Quotes.Authorization.Ldap
{
    /// <summary>
    /// LDAP authentication source that provisions directory users in a
    /// deactivated state. A directory user who authenticates for the first
    /// time gets a local <see cref="User"/> record with <c>IsActive = false</c>,
    /// so an administrator has to review the account and assign roles before
    /// the user can sign in.
    /// </summary>
    /// <remarks>
    /// Security notes (review):
    /// - A local record is still created for every directory user who
    ///   authenticates successfully; only the activation is withheld. If the
    ///   requirement is "no record at all until approval", throw instead of
    ///   returning an inactive user.
    /// - Denying access relies on the login pipeline honouring <c>IsActive</c>;
    ///   that check lives outside this class.
    /// - Identity attributes are copied from the directory as-is, and the
    ///   e-mail is flagged confirmed without any verification step here.
    /// </remarks>
    public class AppLdapAuthenticationSource : LdapAuthenticationSource<Tenant, User>
    {
        private readonly ILdapSettings _settings;
        private readonly IAbpZeroLdapModuleConfig _ldapModuleConfig;

        /// <summary>
        /// Creates the source. Both dependencies are forwarded to the base class
        /// and kept locally for the enabled checks below.
        /// </summary>
        /// <param name="settings">Per-tenant LDAP settings.</param>
        /// <param name="ldapModuleConfig">Global LDAP module configuration.</param>
        public AppLdapAuthenticationSource(ILdapSettings settings, IAbpZeroLdapModuleConfig ldapModuleConfig)
            : base(settings, ldapModuleConfig)
        {
            _settings = settings;
            _ldapModuleConfig = ldapModuleConfig;
        }

        /// <summary>
        /// Builds the local user for a directory account that has just
        /// authenticated for the first time, and leaves it deactivated.
        /// </summary>
        /// <param name="userNameOrEmailAddress">Identity the user authenticated with.</param>
        /// <param name="tenant">Current tenant, or <c>null</c> for the host.</param>
        /// <returns>The populated, inactive user. This method does not persist it.</returns>
        /// <exception cref="AbpException">
        /// LDAP is disabled globally or for the tenant, or the identity cannot be
        /// resolved in the directory.
        /// </exception>
        public override async Task<User> CreateUserAsync(string userNameOrEmailAddress, Tenant tenant)
        {
            await CheckIsEnabled(tenant);

            // NOTE(review): the base implementation may already resolve the
            // principal and fill the same fields; the lookup below is repeated
            // here so this override does not depend on that. Verify against the
            // Abp.Zero.Ldap version in use before removing the duplication.
            var newUser = await base.CreateUserAsync(userNameOrEmailAddress, tenant);

            using (var directory = await CreatePrincipalContext(tenant))
            {
                var principal = FindPrincipalOrThrow(directory, userNameOrEmailAddress);
                UpdateUserFromPrincipal(newUser, principal);

                // The directory is trusted for the address: no e-mail round-trip.
                newUser.IsEmailConfirmed = true;

                // Deliberately inactive. An administrator must enable the account
                // and assign roles before the first sign-in can succeed.
                newUser.IsActive = false;

                return newUser;
            }
        }

        /// <summary>
        /// Re-synchronises an existing local user from the directory on a later
        /// login. <c>IsActive</c> is not touched here, so an administrator's
        /// activation (or a later deactivation) is not undone by logging in.
        /// </summary>
        /// <param name="user">Existing local user to refresh.</param>
        /// <param name="tenant">Current tenant, or <c>null</c> for the host.</param>
        /// <exception cref="AbpException">
        /// LDAP is disabled, or the stored user name no longer resolves in the directory.
        /// </exception>
        public override async Task UpdateUserAsync(User user, Tenant tenant)
        {
            await CheckIsEnabled(tenant);
            await base.UpdateUserAsync(user, tenant);

            using (var directory = await CreatePrincipalContext(tenant))
            {
                // Lookup is by the stored user name (the SamAccountName written by
                // UpdateUserFromPrincipal), not by the identity typed at login.
                var principal = FindPrincipalOrThrow(directory, user.UserName);
                UpdateUserFromPrincipal(user, principal);
            }
        }

        /// <summary>
        /// Copies the identity attributes from the directory principal onto the
        /// local user. Values are taken verbatim; a directory attribute that is
        /// not set (e.g. no mail) is copied as <c>null</c>.
        /// </summary>
        /// <param name="user">Local user to update.</param>
        /// <param name="userPrincipal">Directory principal to read from.</param>
        protected override void UpdateUserFromPrincipal(User user, UserPrincipal userPrincipal)
        {
            user.UserName = userPrincipal.SamAccountName;
            user.Name = userPrincipal.GivenName;
            user.Surname = userPrincipal.Surname;
            user.EmailAddress = userPrincipal.EmailAddress;
        }

        /// <summary>
        /// Resolves <paramref name="identity"/> in the directory.
        /// </summary>
        /// <param name="directory">Open principal context to search.</param>
        /// <param name="identity">User name or e-mail address to look up.</param>
        /// <returns>The matching principal.</returns>
        /// <exception cref="AbpException">No matching principal exists.</exception>
        private static UserPrincipal FindPrincipalOrThrow(PrincipalContext directory, string identity)
        {
            var principal = UserPrincipal.FindByIdentity(directory, identity);
            if (principal == null)
            {
                throw new AbpException("Unknown LDAP user: " + identity);
            }

            return principal;
        }

        /// <summary>
        /// Throws unless LDAP authentication is switched on both globally and for
        /// the given tenant. Mirrors the base class check, which is not accessible
        /// from a derived class.
        /// </summary>
        /// <param name="tenant">Current tenant, or <c>null</c> for the host.</param>
        /// <exception cref="AbpException">LDAP is disabled at either level.</exception>
        private async Task CheckIsEnabled(Tenant tenant)
        {
            if (!_ldapModuleConfig.IsEnabled)
            {
                throw new AbpException("Ldap Authentication module is disabled globally!");
            }

            var tenantId = GetIdOrNull(tenant);
            var enabledForTenant = await _settings.GetIsEnabled(tenantId);
            if (enabledForTenant)
            {
                return;
            }

            throw new AbpException(
                "Ldap Authentication is disabled for given tenant (id:" + tenantId + ")! " +
                "You can enable it by setting '" + LdapSettingNames.IsEnabled + "' to true");
        }

        /// <summary>Tenant id, or <c>null</c> when running in the host context.</summary>
        /// <param name="tenant">Tenant, possibly <c>null</c>.</param>
        private static int? GetIdOrNull(Tenant tenant) => tenant?.Id;
    }
}