Active Directory Membership Provider - how to expa

2020-07-24 03:51发布

问题:

I'm working on getting an MVC app up and running via AD Membership Provider and I'm having some issues figuring this out. I have a base configuration setup and working when I login as foo@my.domain.com + password.

   <connectionStrings>
      <add name="MyConnString" connectionString="LDAP://domaincontroller/OU=Product Users,DC=my,DC=domain,DC=com" />
   </connectionStrings>

  <membership defaultProvider="MyProvider">
     <providers>
        <clear />
        <add name="MyProvider" connectionStringName="MyConnString"
             connectionUsername="my.domain.com\service_account"
             connectionPassword="biguglypassword"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
     </providers>
  </membership>

However, I'd LIKE to do some other things and I'm not sure how to go about them.

  1. Login without typing the domain (i.e. the "@my.domain.com"). I realize that this could only work if I limit myself to just one domain - that's fine.
  2. Organize users in up to N different OUs within a single OU. As you can tell from my current connection string, I'm authenticating users in my Product Users OU. I would LIKE to create OUs for various companies within this OU and put the users into those OUs. How can I authenticate across all of these different OUs?
  3. I'm trying to figure out how the Active Directory Membership Provider ties in with the Profile and Role providers. Are there AD versions of those too or am I stuck with SQL, home-grown, or finding something somebody else has coded up?

Many thanks!!

回答1:

In response to point 3:

I answered a similar question about this a while back: "How can i implement a role-hierarchy in an asp.net mvc app using activedirectorymembershipprovider".

There is the WindowsTokenRoleProvider that should provide you with details of the Users roles from AD - it's a read-only provider, and only provides methods for IsUserInRole and GetRolesForUser, but may be sufficient for your needs.



回答2:

For item #1, I found my answer. I need to add attributeMapUsername="sAMAccountName"

    <add name="MyProvider" connectionStringName="MyConnString"
         attributeMapUsername="sAMAccountName"
         connectionUsername="my.domain.com\service_account"
         connectionPassword="biguglypassword"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />


回答3:

In response to point 2:

I had the same problem, so what I did was remove the OU from the connection string. Something like this:

<add name="MyConnString" connectionString="LDAP://domaincontroller/DC=my,DC=domain,DC=com" />

Now, I can authenticate users across all of these different OUs.