.NET Active Directory (LDAP) authentication with membership authorization

穿精又带淫゛_ submitted on 2019-12-11 11:14:41

Question


I am trying to create a hybrid membership which authenticates with Active Directory (LDAP) but authorizes using the membership provider and roles.

I do not want to query Active Directory for each page load, but I want to initially authenticate the user via Active Directory, and then allow the membership provider to authorize the user's access to each page via the web.config authorization properties.

I am new to the .NET membership model and how to implement this type of hybrid solution. I have found many examples for implementing Active Directory with Web Forms, but not a solution to my needs.

Any pseudocode or general description for this solution is also very welcome.

Thank you!

UPDATED Question: Currently looking into implementing the Active Directory (AD) authentication on top of the Membership/Roles schema. Basically authenticating initially with AD, updating the Membership database tables with the user/roles as needed, setting the user as authenticated with the Membership and allowing the membership to handle all authorization requirements. Although this is not as clean as creating custom Membership/Role providers, I am wondering if this solution can be considered valid?


Answer 1:


You can do this by implementing your own layer above the Membership provider by doing the following:

  1. You need to check if the user is authenticated in Active Directory.
  2. After that, you will need to add this user, if he doesn't exist, to your Membership database and Roles, and use this later on for controlling the user roles and other stuff.
  3. After that, you can begin setting an authentication cookie for this user (if the user is valid) and add it to the response.
  4. Every time an authenticated user requests a page, you won't need to validate him against Active Directory; you will need to do so just for anonymous users.

It's a lot of work, but you can do it; after all, you just need to read more about ASP.NET membership.
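The four steps above as one login helper, added here as an example and not part of the original answer. The class name `HybridLogin`, the domain `CORP.EXAMPLE.COM`, and the rule of mapping AD group names onto existing role names are assumptions for illustration.

```csharp
using System.DirectoryServices.AccountManagement; // needs an assembly reference
using System.Web.Security;
public static class HybridLogin
{
    private const string Domain = "CORP.EXAMPLE.COM"; // assumption: placeholder domain
    // Assumption: userName is a bare sAMAccountName (no DOMAIN\ prefix, no UPN).
    public static bool SignIn(string userName, string password)
    {
        // Never pass blank credentials to a directory bind.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
            return false;
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // Step 1: authenticate against AD over a signed and sealed channel.
            var opts = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
            if (!ctx.ValidateCredentials(userName, password, opts))
                return false;
            // Step 2: create the local Membership row on first login. The AD password
            // is never stored; the local password is random and never used to sign in.
            // Assumes requiresQuestionAndAnswer and requiresUniqueEmail are "false".
            if (Membership.GetUser(userName) == null)
            {
                MembershipCreateStatus status;
                Membership.CreateUser(userName, Membership.GeneratePassword(32, 8),
                    null, null, null, true, out status);
                if (status != MembershipCreateStatus.Success)
                    return false;
            }
            // Copy only AD groups whose name matches a role an administrator has
            // already created, so AD cannot introduce new roles into the application.
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
            {
                if (user == null) return false;
                foreach (Principal group in user.GetAuthorizationGroups())
                {
                    string role = group.SamAccountName;
                    if (role != null && Roles.RoleExists(role) && !Roles.IsUserInRole(userName, role))
                        Roles.AddUserToRole(userName, role);
                }
            }
        }
        // Step 3: issue a non-persistent forms-auth cookie. Step 4 follows from it:
        // later requests are authorized from the cookie and the role provider only.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }
}
```

AD is consulted only at sign-in and this code adds roles without revoking them, so an account disabled in AD keeps access until its forms ticket expires, and a role copied from a group stays until it is removed locally. Keep the forms ticket timeout short for that reason.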




Answer 2:


I would recommend using NTLM to retrieve the current Windows domain username and use it to pre-populate your form's username field. Once the user enters their password and completes authentication to your app, run an LDAP query against Active Directory. Log them out with a friendly message if AD authentication fails.

Unfortunately, there is way too much code needed for me to post on this one answer.



Source: https://stackoverflow.com/questions/26642363/net-active-directory-ldap-authentication-with-membership-authorization
