0
我從.net應用程序(asp.net VB .net 4.0)連接到DMZ中的Microsoft Active Directory服務器。我需要在名爲「SingleCustomerAccount」的orgunit中創建一個新的「inetorgperson」。通過AD 2008 R2中的System.DirectoryServices.Protocols設置用戶密碼
因爲ADSI類(System.DirectoryServices命名空間)不能正確地跨DMZ工作,所以我必須使用System.DirectoryServices.Protocols命名空間來處理所有的工作。
無論如何,它一直工作正常連接到Windows Server 2003 R2上的Active Directory;但是我們正在針對Windows Server 2008 R2上的Active Directory運行測試(2008r2處於森林和域的純模式),以便升級。
我創建用戶的現有代碼不起作用。
System.DirectoryServices.Protocols.DirectoryOperationException: The server cannot handle directory requests.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
at Salford.LDAP.LDAPUser.SaveNewToDirectory(String UsersFirstPassword) in C:\Projects\SCA\App_Code\SCA\LDAPUser.vb:line 1059
at SCA.Web.Service.CitizenService.CreateNewAccount(String Username, String Title, String FirstName, String Surname, String Street, String City, String County, String Postcode, String EmailAddress, String HomeTel, String MobileTel, String UPRN, String SpinID, Int16 AccountLevel) in C:\Projects\SCA\App_Code\CitizenService.vb:line 255
我發現當我刪除添加密碼屬性的代碼位時,用戶被創建,但沒有密碼。所以錯誤的代碼就是我添加密碼的地方。但是在2003年到2008年之間會發生什麼變化,會阻止它的發揮?
這是我的代碼。
Using ldapConn As New LdapConnection(New LdapDirectoryIdentifier(LDAPServerAddress), credential)
ldapConn.SessionOptions.ProtocolVersion = 3
ldapConn.SessionOptions.Signing = Not _UseSecureConnection
ldapConn.SessionOptions.Sealing = Not _UseSecureConnection
ldapConn.SessionOptions.SecureSocketLayer = _UseSecureConnection
If _UseSecureConnection Then
ldapConn.SessionOptions.VerifyServerCertificate = New VerifyServerCertificateCallback(AddressOf ServerCallback)
End If
ldapConn.AuthType = AuthType.Negotiate
ldapConn.Bind()
Dim DistinguishedName As String = String.Format("CN={0},OU={1},{2}", Me.AccountName, Me.OrgUnit, Me.DCSuffix)
' Save this distinguished name to the local object; so that the group memberships addition works in a minute.
Me._DistinguishedName = DistinguishedName
Dim addRequest As New AddRequest(DistinguishedName, Me.LDAPUserObjectType)
'' Add an AccountName attribute
addRequest.Attributes.Add(New DirectoryAttribute(GetLDAPSchemaMapping(LDAPUserProperties.AccountName), AccountName))
'' Look in any derived classes, if they want any attributes adding as part of this save operation.
'' Hint: Derived classes will override the "GetDirectoryAttributesForAddNewRequest" function and return a list of anything they want adding
'' to the AD at the time of creation.
If Not GetDirectoryAttributesForAddNewRequest() Is Nothing Then
For Each kvp As KeyValuePair(Of String, String) In GetDirectoryAttributesForAddNewRequest()
addRequest.Attributes.Add(New DirectoryAttribute(kvp.Key, kvp.Value))
Next
End If
'' Hash up the password into a Unicode byte array and send this as the requried initial password.
addRequest.Attributes.Add(New DirectoryAttribute("unicodePwd", GetPasswordData(UsersFirstPassword)))
' Execute the request on the directory server.
Dim addResponse As DirectoryResponse = ldapConn.SendRequest(addRequest)
' Need to return the GUID, need to search against the ldap server:
Dim request As New SearchRequest(String.Format("OU={0},{1}", Me.OrgUnit, Me.DCSuffix), "(&(objectCategory=" & Me.LDAPUserObjectType & ")(sAMAccountName=" & Me.AccountName & "))", System.DirectoryServices.Protocols.SearchScope.Subtree)
Dim searchResponse As SearchResponse = DirectCast(ldapConn.SendRequest(request), SearchResponse)
returnedGuid = DirectCast(searchResponse.Entries(0).Attributes("objectGuid").Item(0), Byte())
' Set up the search request object so we can do searches now based on this new user:
Dim rq As SearchRequest = BuildLdapSearchRequest("sAMAccountName", Me.AccountName)
' ** Send the query to the LDAP server, and save the response into the private _SearchResponse object **
_SearchResponse = DirectCast(ldapConn.SendRequest(rq), SearchResponse)
End Using
_useSecureConnection對於此調用爲false - 綁定工作正常。 就像我曾經說過,當我註釋掉這一行,它的工作原理:
addRequest.Attributes.Add(New DirectoryAttribute("unicodePwd", GetPasswordData(UsersFirstPassword)))
的GetPasswordData方法是下面的完整性。
''' <summary>
''' Returns a unicode-encoded byte array based on the incoming password string.
''' </summary>
''' <param name="password">The password to turn into a byte array</param>
Public Function GetPasswordData(ByVal password As String) As Byte()
Dim formattedPassword As String
formattedPassword = String.Format("""{0}""", password)
Return Encoding.Unicode.GetBytes(formattedPassword)
End Function
我明白任何見解......
問候 bgs264
感謝您的回覆。密碼是有效的,因爲它是一個強大的密碼,並且使用「Active Directory用戶」管理單元,密碼可以按預期設置。 我試着按照你給的鏈接指導的教程。該過程可以工作,但它指示更改「userpassword」屬性的位置,我認爲這不適用 - 它不會更改密碼 - 它只是爲您指定的內容添加一個屬性。你可以打印回來,看起來不錯: \t 1> postalCode:BL4 1RR; \t 1> userPassword:ben; \t 1> givenName:Ben; 它也不會更改該帳戶的密碼。 此致, 本 – bgs264 2010-06-29 12:54:01
嗯,我認爲這個問題可能是當這只是「正常的」活動目錄時,本教程涉及「Active Directory輕型目錄服務」。但是,感謝這個想法。 – bgs264 2010-06-29 12:55:23
@ bgs264:如果您可以使用該域的任何密碼設置完全相同的密碼,那麼這可能足以證明我的猜測是錯誤的,我不認爲您需要擔心ldp(我沒有用過很長時間時間,無法記住它是如何工作的)。 – 2010-06-29 13:01:13