UserPrincipal.FindByIdentity() always returns null

Submitted by 浪尽此生 on 2020-01-21 07:27:54

Question


I am using LdapAuthentication to log a user into Active Directory. I want to find all the groups that the user belongs to. I am using the following code:

string adPath = "LDAP://OU=HR Controlled Users,OU=All Users,DC=myDomain,DC=local";
LdapAuthentication adAuth = new LdapAuthentication(adPath);
try
{
    if (true == adAuth.IsAuthenticated("myDomain", txtLoginEmail.Text, txtLoginPassword.Text))
    {
        string email = txtLoginEmail.Text;

        using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
        {
            UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Name, email);
            foreach (var group in user.GetGroups())
            {
                Console.WriteLine(group.Name);
            }
        }
    }
}
catch(Exception e) { /* Handle Error */ }

My problem is that when I call UserPrincipal.FindByIdentity() I always get a null value, even though the user authentication works as intended.

Why is this happening? Is there a problem with the code or with my approach? This is running inside an ASP.NET 4.0 WebForms application.

Update:

Apparently I have been using the wrong IdentityType (cn). I checked in debug and the name of the account is "UserA".

So I tried using the following code manually:

UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.Name, "UserA");

But still I get null.

Update 2 (solved):

The issue was twofold. I needed to specify the name of my domain controller when declaring the PrincipalContext.

using (PrincipalContext context = new PrincipalContext(ContextType.Domain, "myDomain"))
{
   // code here...
}

Then, when searching for the UserPrincipal I was using the wrong IdentityType; I was searching with IdentityType.Name - which is the name of the account - instead of IdentityType.SamAccountName - which is the username.

UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, email);

Issue solved.


Answer 1:


By using IdentityType.Name, you're telling it that the value you're passing is the name of the account (which is the cn attribute). If you want to match by username (the sAMAccountName attribute), you'll need to pass IdentityType.SamAccountName.


Old answer: But you seem to be sending it the email address. So that will indeed always return nothing.

AD does not consider an email address to be a unique identifier, so you cannot use FindByIdentity with an email address.

Here is an example on how to search by email address: http://doogalbellend.blogspot.ca/2012/03/finding-userprincipal-for-email-address.html
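
An added example, not part of the original answer or the linked post: one way to resolve a login string to a single account before reading its groups, falling back to a query on the mail attribute and refusing to pick a user when the address matches more than one account. The class and method names (AdGroupLookup, ResolveUser, GetGroupNames) are hypothetical, and the code assumes a reference to System.DirectoryServices.AccountManagement and a reachable domain.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;

static class AdGroupLookup
{
    // Resolve a login string to exactly one user, or null when there is no unambiguous match.
    public static UserPrincipal ResolveUser(PrincipalContext context, string login)
    {
        if (string.IsNullOrWhiteSpace(login)) return null;

        // Input shaped like an address may be a UPN, which FindByIdentity can match directly.
        IdentityType type = login.Contains("@")
            ? IdentityType.UserPrincipalName
            : IdentityType.SamAccountName;
        UserPrincipal user = UserPrincipal.FindByIdentity(context, type, login);
        if (user != null || !login.Contains("@")) return user;

        // The mail attribute is not an identity type, so query by example on EmailAddress.
        using (var filter = new UserPrincipal(context) { EmailAddress = login })
        using (var searcher = new PrincipalSearcher(filter))
        {
            List<UserPrincipal> matches =
                searcher.FindAll().OfType<UserPrincipal>().Take(2).ToList();
            // Mail is not unique in AD: refuse to guess when several accounts share it.
            return matches.Count == 1 ? matches[0] : null;
        }
    }

    public static IList<string> GetGroupNames(string domain, string login)
    {
        using (var context = new PrincipalContext(ContextType.Domain, domain))
        using (UserPrincipal user = ResolveUser(context, login))
        {
            // FindByIdentity returns null for "not found"; check before calling GetGroups().
            if (user == null) return new List<string>();
            return user.GetGroups().Select(g => g.Name).ToList();
        }
    }

    static void Main()
    {
        // "myDomain" and "UserA" are the placeholder values used in the question.
        foreach (string name in GetGroupNames("myDomain", "UserA"))
            Console.WriteLine(name);
    }
}
```

Returning an empty group list for an unresolved or ambiguous login keeps any authorization check built on the result failing closed.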



Source: https://stackoverflow.com/questions/37050930/userprincipal-findbyidentity-always-returns-null
