DirectoryEntry 安全加密

DirectoryEntry secure encrypted

您好,我有一个正在运行的 exe,它运行在我登录的域帐户的上下文中。该代码仅查询特定 OU 下活动目录中的用户。我在一台已加入该林(CompanyNameDomain.NET)的机器上运行该代码。

现在安全团队要求我确保此脚本与域控制器之间的所有通信都是安全的、加密的等。请注意,我没有在 DirectoryEntry() 构造函数中传递用户名/密码。我查看了 StackOverflow,大多数问题都是关于如何通过在 DirectoryEntry 构造函数中传递 username/password 来进行安全身份验证。但我的问题是:如何确保这个脚本和域控制器之间的所有通信都是加密的?该代码可以正常工作,我只是不知道是否还需要做其他事情。我在 LDAP 路径中使用了 :636。

    using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.DirectoryServices;

namespace ConsoleApplication1
{

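    /// <summary>
    /// Flat projection of one AD user record as read by the searcher in <c>Program</c>.
    /// Property names deliberately mirror the LDAP attribute names they are filled from.
    /// </summary>
    public class CompanyNameExtranetUser
    {
        // Raw objectGUID bytes exactly as AD returns them; no Guid conversion is performed here.
        public byte[] objectGUID { get; set; }
        public string sAMAccountName { get; set; }
        public string givenName { get; set; }
        public string sn { get; set; }
        public string displayName { get; set; }
        public string telephoneNumber { get; set; }
        public string extensionAttribute1 { get; set; }
        public string extensionAttribute5 { get; set; }
        public string extensionAttribute8 { get; set; }
        // Raw userAccountControl bit field; isEnabled is derived from it by the caller.
        public int userAccountControl { get; set; }
        public bool isEnabled { get; set; }

        private string _mail;

        /// <summary>
        /// Mail address, lower-cased on assignment so addresses can be compared directly.
        /// Uses the invariant culture so the result does not depend on the process locale
        /// (e.g. Turkish casing rules), and stores null as null instead of throwing.
        /// </summary>
        public string mail
        {
            get { return _mail; }
            set { _mail = value == null ? null : value.ToLowerInvariant(); }
        }

        public string inviteId { get; set; }
        public string AzureObjectId { get; set; }

    }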
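    class Program
    {
        // Bit in userAccountControl that marks a disabled account (ADS_UF_ACCOUNTDISABLE).
        private const int UF_ACCOUNTDISABLE = 0x0002;

        // Port 636 is the LDAPS port. The SecureSocketsLayer flag passed to DirectoryEntry
        // below turns that into an explicit requirement of the bind rather than a convention
        // tied to the port number in the string.
        private const string LdapPath =
            "LDAP://CompanyNameDomain.NET:636/OU=CompanyNameClientsSCIMProv,DC=CompanyNameDomain,DC=NET";

        private const string LdapFilter = "(&(objectClass=user)(extensionAttribute8=2))";

        // Attributes requested from the server; anything not listed is not returned.
        private static readonly string[] AttributeList =
        {
            "objectGUID",
            "sAMAccountName",
            "mail",
            "givenName",
            "sn",
            "displayName",
            "telephoneNumber",
            "userAccountControl",
            "extensionAttribute1",
            "extensionAttribute5",
            "extensionAttribute8"
        };

        /// <summary>
        /// Queries the configured OU for users with extensionAttribute8 = 2 and prints each
        /// user's mail attribute. Binds as the identity of the running process; no explicit
        /// credentials are passed. Sets a non-zero exit code if the query fails.
        /// </summary>
        static void Main(string[] args)
        {
            try
            {
                // null/null username+password = bind as the current process identity.
                // Secure requests Kerberos/NTLM; SecureSocketsLayer requires the LDAPS
                // channel, so a server that cannot offer TLS makes the bind fail instead of
                // the client silently talking in clear.
                // NOTE(review): the DC certificate must chain to a CA the client machine
                // trusts, otherwise the SSL handshake is rejected — confirm in the target forest.
                using (DirectoryEntry root = new DirectoryEntry(
                    LdapPath, null, null,
                    AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer))
                using (DirectorySearcher searcher = new DirectorySearcher(root))
                {
                    searcher.SearchScope = SearchScope.Subtree;
                    searcher.Filter = LdapFilter;
                    searcher.PropertiesToLoad.AddRange(AttributeList);
                    searcher.Asynchronous = true;

                    List<CompanyNameExtranetUser> users = new List<CompanyNameExtranetUser>();

                    // SearchResultCollection owns an unmanaged search handle; dispose it.
                    using (SearchResultCollection results = searcher.FindAll())
                    {
                        foreach (SearchResult result in results)
                        {
                            CompanyNameExtranetUser user = ToUser(result);
                            users.Add(user);
                            Console.WriteLine(user.mail);
                        }
                    }
                }
            }
            catch (Exception ex)
            {
                // Report instead of swallowing, so an operator or scheduler can tell that the
                // query did not complete.
                Console.Error.WriteLine("LDAP query failed: " + ex);
                Environment.ExitCode = 1;
            }
        }

        /// <summary>
        /// Maps one search result onto a <see cref="CompanyNameExtranetUser"/>. Attributes that
        /// are absent on the server side are simply left unset.
        /// </summary>
        private static CompanyNameExtranetUser ToUser(SearchResult result)
        {
            CompanyNameExtranetUser user = new CompanyNameExtranetUser();

            SetIfPresent(result, "sAMAccountName", v => user.sAMAccountName = v);
            SetIfPresent(result, "mail", v => user.mail = v);
            SetIfPresent(result, "extensionAttribute1", v => user.extensionAttribute1 = v);
            SetIfPresent(result, "extensionAttribute5", v => user.extensionAttribute5 = v);
            SetIfPresent(result, "extensionAttribute8", v => user.extensionAttribute8 = v);
            SetIfPresent(result, "telephoneNumber", v => user.telephoneNumber = v);
            SetIfPresent(result, "givenName", v => user.givenName = v);
            SetIfPresent(result, "sn", v => user.sn = v);
            SetIfPresent(result, "displayName", v => user.displayName = v);

            object guid = FirstValue(result, "objectGUID");
            if (guid != null)
            {
                user.objectGUID = (byte[])guid;
            }

            object uac = FirstValue(result, "userAccountControl");
            if (uac != null)
            {
                user.userAccountControl = (int)uac;
                // Enabled unless the ACCOUNTDISABLE bit is set.
                user.isEnabled = (user.userAccountControl & UF_ACCOUNTDISABLE) == 0;
            }

            return user;
        }

        /// <summary>
        /// Calls <paramref name="assign"/> with the first value of <paramref name="name"/> as a
        /// string, or does nothing when the attribute is absent or empty.
        /// </summary>
        private static void SetIfPresent(SearchResult result, string name, Action<string> assign)
        {
            object value = FirstValue(result, name);
            if (value != null)
            {
                assign(value.ToString());
            }
        }

        /// <summary>
        /// Returns the first value of attribute <paramref name="name"/>, or null when the
        /// attribute is not present or has no values. Replaces the original pattern of
        /// indexing [0] and catching ArgumentOutOfRangeException.
        /// </summary>
        private static object FirstValue(SearchResult result, string name)
        {
            if (!result.Properties.Contains(name))
            {
                return null;
            }

            var values = result.Properties[name];
            return values.Count > 0 ? values[0] : null;
        }
    }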
}

你是对的。您只需要连接到端口 636 就可以了。

建立连接后它做的第一件事是 SSL 握手(与 HTTPS 中发生的事情完全相同)。然后所有其他通信都通过加密连接进行。

即使您没有显式指定凭据,也会发送您的凭据(即当前登录的域帐户的凭据)。