检查 AD 组是否是另一个组的成员(递归)
Check if AD Group is Member of another group (recursive)
假设我有结构
RootGroup <- Group{x} .... <- Group{x+n} <- Group100
如何检查 Group100 是 RootGroup
的成员
我有这个 returns 总是 false
private bool IsMemberOfInternal(string userOrGroupDistinguishedName, string groupMembershipDistinguishedName)
{
GroupPrincipal principal = null;
GroupPrincipal target = null;
try
{
principal = _getUserGroupPrincipalFunc(principalContext, userOrGroupDistinguishedName);
target = _getUserGroupPrincipalFunc(principalContext, groupMembershipDistinguishedName);
if (principal != default(GroupPrincipal)
&& target != default(GroupPrincipal))
{
return principal.IsMemberOf(target);
}
}
catch
{
}
return false;
}
你最好不要为此使用 GroupPrincipal。 AD 实际上有一种 built-in 方法来进行这种搜索,它比 GroupPrincipal 可以做的任何事情都快得多。您可以通过直接使用 DirectoryEntry 和 DirectorySearcher 来使用它(这就是 GroupPrincipal 和 PrincipalSearcher 在幕后使用的方式)。
我写了一篇关于确定 用户 是否是特定组的成员的文章,但它同样适用于组。我有一个 sample method 在那里你可以用它:
private static bool IsUserInGroup(DirectoryEntry user, DirectoryEntry group, bool recursive) {
//fetch the attributes we're going to need
user.RefreshCache(new [] {"distinguishedName", "objectSid"});
group.RefreshCache(new [] {"distinguishedName", "groupType"});
//This magic number tells AD to look for the user recursively through any nested groups
var recursiveFilter = recursive ? ":1.2.840.113556.1.4.1941:" : "";
var userDn = (string) user.Properties["distinguishedName"].Value;
var groupDn = (string) group.Properties["distinguishedName"].Value;
var filter = $"(member{recursiveFilter}={userDn})";
if (((int) group.Properties["groupType"].Value & 8) == 0) {
var groupDomainDn = groupDn.Substring(
groupDn.IndexOf(",DC=", StringComparison.Ordinal));
var userDomainDn = userDn.Substring(
userDn.IndexOf(",DC=", StringComparison.Ordinal));
if (groupDomainDn != userDomainDn) {
//It's a Domain Local group, and the user and group are on
//different domains, so the account might show up as a Foreign
//Security Principal. So construct a list of SID's that could
//appear in the group for this user
var fspFilters = new StringBuilder();
var userSid =
new SecurityIdentifier((byte[]) user.Properties["objectSid"].Value, 0);
fspFilters.Append(
$"(member{recursiveFilter}=CN={userSid},CN=ForeignSecurityPrincipals{groupDomainDn})");
if (recursive) {
//Any of the groups the user is in could show up as an FSP,
//so we need to check for them all
user.RefreshCache(new [] {"tokenGroupsGlobalAndUniversal"});
var tokenGroups = user.Properties["tokenGroupsGlobalAndUniversal"];
foreach (byte[] token in tokenGroups) {
var groupSid = new SecurityIdentifier(token, 0);
fspFilters.Append(
$"(member{recursiveFilter}=CN={groupSid},CN=ForeignSecurityPrincipals{groupDomainDn})");
}
}
filter = $"(|{filter}{fspFilters})";
}
}
var searcher = new DirectorySearcher {
Filter = filter,
SearchRoot = group,
PageSize = 1, //we're only looking for one object
SearchScope = SearchScope.Base
};
searcher.PropertiesToLoad.Add("cn"); //just so it doesn't load every property
return searcher.FindOne() != null;
}
此方法还处理 user(或您的子组)位于来自根组的外部受信任域的情况。这可能是也可能不是你需要担心的事情。
只需为您的 Group100 传递一个 DirectoryEntry 作为 user 参数。像这样:
var isMemberOf = IsUserInGroup(
new DirectoryEntry($"LDAP://{userOrGroupDistinguishedName}"),
new DirectoryEntry($"LDAP://{groupMembershipDistinguishedName}"),
true);
对于递归搜索(当您为 recursive 参数传递 true 时),它使用 LDAP_MATCHING_RULE_IN_CHAIN "matching rule OID"(如 here 所述):
This rule is limited to filters that apply to the DN. This is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.
假设我有结构
RootGroup <- Group{x} .... <- Group{x+n} <- Group100
如何检查 Group100 是 RootGroup
我有这个 returns 总是 false
private bool IsMemberOfInternal(string userOrGroupDistinguishedName, string groupMembershipDistinguishedName)
{
GroupPrincipal principal = null;
GroupPrincipal target = null;
try
{
principal = _getUserGroupPrincipalFunc(principalContext, userOrGroupDistinguishedName);
target = _getUserGroupPrincipalFunc(principalContext, groupMembershipDistinguishedName);
if (principal != default(GroupPrincipal)
&& target != default(GroupPrincipal))
{
return principal.IsMemberOf(target);
}
}
catch
{
}
return false;
}
你最好不要为此使用 GroupPrincipal。 AD 实际上有一种 built-in 方法来进行这种搜索,它比 GroupPrincipal 可以做的任何事情都快得多。您可以通过直接使用 DirectoryEntry 和 DirectorySearcher 来使用它(这就是 GroupPrincipal 和 PrincipalSearcher 在幕后使用的方式)。
我写了一篇关于确定 用户 是否是特定组的成员的文章,但它同样适用于组。我有一个 sample method 在那里你可以用它:
private static bool IsUserInGroup(DirectoryEntry user, DirectoryEntry group, bool recursive) {
//fetch the attributes we're going to need
user.RefreshCache(new [] {"distinguishedName", "objectSid"});
group.RefreshCache(new [] {"distinguishedName", "groupType"});
//This magic number tells AD to look for the user recursively through any nested groups
var recursiveFilter = recursive ? ":1.2.840.113556.1.4.1941:" : "";
var userDn = (string) user.Properties["distinguishedName"].Value;
var groupDn = (string) group.Properties["distinguishedName"].Value;
var filter = $"(member{recursiveFilter}={userDn})";
if (((int) group.Properties["groupType"].Value & 8) == 0) {
var groupDomainDn = groupDn.Substring(
groupDn.IndexOf(",DC=", StringComparison.Ordinal));
var userDomainDn = userDn.Substring(
userDn.IndexOf(",DC=", StringComparison.Ordinal));
if (groupDomainDn != userDomainDn) {
//It's a Domain Local group, and the user and group are on
//different domains, so the account might show up as a Foreign
//Security Principal. So construct a list of SID's that could
//appear in the group for this user
var fspFilters = new StringBuilder();
var userSid =
new SecurityIdentifier((byte[]) user.Properties["objectSid"].Value, 0);
fspFilters.Append(
$"(member{recursiveFilter}=CN={userSid},CN=ForeignSecurityPrincipals{groupDomainDn})");
if (recursive) {
//Any of the groups the user is in could show up as an FSP,
//so we need to check for them all
user.RefreshCache(new [] {"tokenGroupsGlobalAndUniversal"});
var tokenGroups = user.Properties["tokenGroupsGlobalAndUniversal"];
foreach (byte[] token in tokenGroups) {
var groupSid = new SecurityIdentifier(token, 0);
fspFilters.Append(
$"(member{recursiveFilter}=CN={groupSid},CN=ForeignSecurityPrincipals{groupDomainDn})");
}
}
filter = $"(|{filter}{fspFilters})";
}
}
var searcher = new DirectorySearcher {
Filter = filter,
SearchRoot = group,
PageSize = 1, //we're only looking for one object
SearchScope = SearchScope.Base
};
searcher.PropertiesToLoad.Add("cn"); //just so it doesn't load every property
return searcher.FindOne() != null;
}
此方法还处理 user(或您的子组)位于来自根组的外部受信任域的情况。这可能是也可能不是你需要担心的事情。
只需为您的 Group100 传递一个 DirectoryEntry 作为 user 参数。像这样:
var isMemberOf = IsUserInGroup(
new DirectoryEntry($"LDAP://{userOrGroupDistinguishedName}"),
new DirectoryEntry($"LDAP://{groupMembershipDistinguishedName}"),
true);
对于递归搜索(当您为 recursive 参数传递 true 时),它使用 LDAP_MATCHING_RULE_IN_CHAIN "matching rule OID"(如 here 所述):
This rule is limited to filters that apply to the DN. This is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.