2014-01-13 49 views
0

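I installed Active Directory on Windows Server 2012 and defined some users. How do I get a user's groups in an Active Directory query? The user is a member of the Administrators group. How can I implement this in the search?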

import java.util.Enumeration;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapUserSearch {
    public static void main(String[] args) throws NamingException {
        try {
            // Connection and bind settings.
            // Note: a simple bind over ldap:// on port 389 sends the password unencrypted.
            Hashtable<String, String> ldapEnv = new Hashtable<String, String>(11);
            ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            ldapEnv.put(Context.PROVIDER_URL, "ldap://192.168.1.51:389");
            ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
            ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=reza2,ou=test,dc=domain,dc=ir");
            ldapEnv.put(Context.SECURITY_CREDENTIALS, "pass");
            DirContext ldapContext = new InitialDirContext(ldapEnv);

            // Search the whole subtree for user objects, returning only sAMAccountName.
            SearchControls searchCtls = new SearchControls();
            String[] returnedAtts = {"samAccountName"};
            searchCtls.setReturningAttributes(returnedAtts);
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String searchFilter = "(&(objectClass=User))";
            String searchBase = "dc=domain,dc=ir";
            int totalResults = 0;
            NamingEnumeration<SearchResult> answer = ldapContext.search(searchBase, searchFilter, searchCtls);
            while (answer.hasMoreElements()) {
                SearchResult sr = answer.next();
                // Build the entry's DN from its name relative to the search base.
                String dn = sr.getName() + ", " + searchBase;
                totalResults++;
                Attributes attrs = ldapContext.getAttributes(dn, returnedAtts);

                // Print every value of each requested attribute.
                for (int i = 0; i < returnedAtts.length; i++) {
                    Attribute attr = attrs.get(returnedAtts[i]);
                    if (attr == null) {
                        continue;
                    }
                    System.out.println(returnedAtts[i] + ":");
                    for (Enumeration<?> vals = attr.getAll(); vals.hasMoreElements();) {
                        System.out.println("\t" + vals.nextElement());
                    }
                }
            }

            System.out.println("Total results: " + totalResults);
            ldapContext.close();
        } catch (Exception e) {
            System.out.println(" Search error: " + e);
            e.printStackTrace();
            System.exit(-1);
        }
    }
}

Answer

0

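Do you really need to use this very low-level LDAP approach?

If you are using .NET 3.5 or later, you should check out the System.DirectoryServices.AccountManagement (S.DS.AM) namespace. Read all about it here:

Basically, you can define a domain context and easily find users and/or groups in AD: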

// requires: using System.DirectoryServices.AccountManagement;
// set up domain context
using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "yourDomain", username, password))
{
    // find a user
    UserPrincipal user = UserPrincipal.FindByIdentity(ctx, "SomeUserName");

    if (user != null)
    {
        // get groups for user (direct memberships only; no recursive search is performed)
        var groups = user.GetGroups();

        foreach (Principal group in groups)
        {
            // do something with the groups
        }
    }
}

The new S.DS.AM makes it really easy to play around with users and groups in AD!
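For the JNDI approach in the question, here is an added example (not part of the original question or answer) that resolves one user's group memberships, both direct and nested, using parameterized filters so the account name cannot alter the query. Assumptions: the class name, the command-line arguments, the `LDAP_BIND_PW` environment variable, and a domain controller that offers LDAPS with a certificate the JVM trusts.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.*;
import javax.naming.directory.*;

public class AdUserGroups {
    static final String BASE = "dc=domain,dc=ir"; // search base used in the question

    // Subtree search returning the DN of every match. JNDI substitutes {0} and
    // escapes filter metacharacters in the argument, so input cannot alter the filter.
    static List<String> findDns(DirContext ctx, String filter, String arg) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        List<String> dns = new ArrayList<>();
        NamingEnumeration<SearchResult> res = ctx.search(BASE, filter, new Object[] {arg}, sc);
        try {
            while (res.hasMore()) dns.add(res.next().getNameInNamespace());
        } catch (PartialResultException e) {
            // AD answers a domain-root search with referrals JNDI does not follow by default.
        }
        return dns;
    }

    public static void main(String[] args) throws NamingException {
        // Assumed usage: LDAP_BIND_PW=... java AdUserGroups <ldaps-url> <bind-dn> <sAMAccountName>
        String pw = System.getenv("LDAP_BIND_PW"); // assumed variable name
        if (args.length != 3 || pw == null) throw new IllegalArgumentException("see usage comment");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]); // ldaps:// so the simple bind is encrypted
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, args[1]);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        DirContext ctx = new InitialDirContext(env);
        try {
            List<String> user = findDns(ctx,
                "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))", args[2]);
            if (user.size() != 1) throw new NamingException("expected one user, found " + user.size());
            // Groups whose member attribute names the user directly.
            System.out.println("direct: " + findDns(ctx, "(&(objectClass=group)(member={0}))", user.get(0)));
            // LDAP_MATCHING_RULE_IN_CHAIN (Active Directory) also walks nested groups.
            System.out.println("nested: " + findDns(ctx,
                "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))", user.get(0)));
            // Neither search reports the primary group (primaryGroupID, usually Domain Users).
        } finally { ctx.close(); }
    }
}
```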
