public ExternalSecurityGroup[] FindGroups(string name, CancellationToken cancellationToken)
{
if (!configurationStore.GetAreSecurityGroupsEnabled())
{
return(new ExternalSecurityGroup[0]);
}
var results = new List <ExternalSecurityGroup>();
string domain;
string partialGroupName;
objectNameNormalizer.NormalizeName(name, out partialGroupName, out domain);
using (var context = contextProvider.GetContext(domain))
{
var searcher = new PrincipalSearcher();
searcher.QueryFilter = new GroupPrincipal(context)
{
Name = partialGroupName + "*"
};
var iterGroup = searcher.FindAll().GetEnumerator();
using (iterGroup)
{
while (iterGroup.MoveNext())
{
try
{
var p = iterGroup.Current as GroupPrincipal;
if (p == null || !(p.IsSecurityGroup ?? false))
{
continue;
}
results.Add(new ExternalSecurityGroup {
Id = p.Sid.ToString(), DisplayName = p.Name
});
}
catch (NoMatchingPrincipalException)
{
}
if (cancellationToken.IsCancellationRequested)
{
return(null);
}
}
}
}
return(results.OrderBy(o => o.DisplayName).ToArray());
}
public Identity Match(string name, CancellationToken cancellationToken)
{
if (!configurationStore.GetIsEnabled())
{
return(null);
}
string domain;
string normalisedName;
objectNameNormalizer.NormalizeName(name, out normalisedName, out domain);
using (var context = contextProvider.GetContext(domain))
{
if (cancellationToken.IsCancellationRequested)
{
return(null);
}
var userPrincipal = new UserPrincipal(context);
if (normalisedName.Contains("@"))
{
userPrincipal.UserPrincipalName = normalisedName;
}
else
{
userPrincipal.SamAccountName = normalisedName;
}
var searcher = new PrincipalSearcher
{
QueryFilter = userPrincipal
};
var users = searcher.FindAll();
if (!users.Any() || users.Count() > 1)
{
return(null);
}
return(users
.Select(u => identityCreator.Create("", u.UserPrincipalName, ConvertSamAccountName(u, domain), u.DisplayName))
.First());
}
}
public ExternalUserLookupResult Search(string searchTerm, CancellationToken cancellationToken)
{
if (!configurationStore.GetIsEnabled())
{
return(new ExternalUserLookupResult(DirectoryServicesAuthentication.ProviderName, Enumerable.Empty <IdentityResource>().ToArray()));
}
objectNameNormalizer.NormalizeName(searchTerm, out var partialName, out var domain);
using (var context = contextProvider.GetContext(domain))
{
if (cancellationToken.IsCancellationRequested)
{
return(null);
}
var identities = new List <Principal>(SearchBy(new UserPrincipal(context)
{
Name = "*" + partialName + "*"
}));
identities.AddRange(SearchBy(new UserPrincipal(context)
{
UserPrincipalName = "*" + partialName + "*"
}));
identities.AddRange(SearchBy(new UserPrincipal(context)
{
SamAccountName = "*" + partialName + "*"
}));
var identityResources = identities.Distinct(new PrincipalComparer())
.Select(u => identityCreator.Create("", u.UserPrincipalName, ConvertSamAccountName(u, domain),
u.DisplayName).ToResource())
.ToArray();
return(new ExternalUserLookupResult(DirectoryServicesAuthentication.ProviderName, identityResources));
}
}
public AuthenticationUserCreateOrUpdateResult ValidateCredentials(string username, string password)
{
if (!configurationStore.GetIsEnabled() ||
!configurationStore.GetAllowFormsAuthenticationForDomainUsers())
{
return(new AuthenticationUserCreateOrUpdateResult());
}
if (username == null)
{
throw new ArgumentNullException(nameof(username));
}
log.Verbose($"Validating credentials provided for '{username}'...");
string domain;
objectNameNormalizer.NormalizeName(username, out username, out domain);
using (var context = contextProvider.GetContext(domain))
{
var principal = UserPrincipal.FindByIdentity(context, username);
if (principal == null)
{
var searchedContext = domain ?? context.Name ?? context.ConnectedServer;
log.Info($"A principal identifiable by '{username}' was not found in '{searchedContext}'");
if (username.Contains("@"))
{
return(new AuthenticationUserCreateOrUpdateResult("Username not found. UPN format may not be supported for your domain configuration."));
}
return(new AuthenticationUserCreateOrUpdateResult("Username not found"));
}
var hToken = IntPtr.Zero;
try
{
var logon = domain == null ? principal.UserPrincipalName : username;
log.Verbose($"Calling LogonUser(\"{logon}\", \"{domain}\", ...)");
if (!LogonUser(logon, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out hToken))
{
var error = new Win32Exception();
log.Warn(error, $"Principal '{logon}' (Domain: '{domain}') could not be logged on via WIN32: 0x{error.NativeErrorCode:X8}.");
return(new AuthenticationUserCreateOrUpdateResult("Active directory login error"));
}
}
finally
{
if (hToken != IntPtr.Zero)
{
CloseHandle(hToken);
}
}
log.Verbose($"Credentials for '{username}' validated, mapped to principal '{principal.UserPrincipalName ?? ("(NTAccount)" + principal.Name)}'");
return(GetOrCreateUser(principal, username, domain));
}
}
