internal WindowsServiceCredential(WindowsServiceCredential other)
{
_allowAnonymousLogons = other._allowAnonymousLogons;
_includeWindowsGroups = other._includeWindowsGroups;
_isReadOnly = other._isReadOnly;
_ldapSettings = other._ldapSettings;
}
public static async Task <List <Claim> > RetrieveClaimsAsync(LdapSettings settings, string originalUserName)
{
var upnIndex = originalUserName.IndexOf('@');
var userAccountName = "";
if (upnIndex == -1)
{
int domainIndex = originalUserName.IndexOf("\\");
if (domainIndex == -1)
{
return(null);
}
userAccountName = originalUserName.Substring(domainIndex + 1);
}
else
{
userAccountName = originalUserName.Substring(0, upnIndex);
}
List <Claim> roleClaims = new List <IdentityModel.Claims.Claim>();
if (settings.ClaimsCache.TryGetValue <IEnumerable <string> >(originalUserName, out var cachedClaims))
{
foreach (var claim in cachedClaims)
{
roleClaims.Add(new Claim(ClaimTypes.Role, claim, Rights.Identity));
}
return(roleClaims);
}
var distinguishedName = settings.Domain.Split('.').Select(name => $"dc={name}").Aggregate((a, b) => $"{a},{b}");
var retrievedClaims = new List <string>();
if (!string.IsNullOrEmpty(settings.OrgUnit))
{
distinguishedName = "OU=" + settings.OrgUnit + "," + distinguishedName;
}
var genericFilter = $"(&(objectClass=user)(sAMAccountName={userAccountName}))"; // This is using ldap search query language, it is looking on the server for someUser
var upnFilter = $"(&(objectClass=user)(userPrincipalName={originalUserName}))";
var genericSearchRequest = new SearchRequest(distinguishedName, genericFilter, SearchScope.Subtree, null);
var upnSearchRequest = new SearchRequest(distinguishedName, upnFilter, SearchScope.Subtree, null);
SearchResponse searchResponse = null;
try
{
if (upnIndex > 0)
{
searchResponse = (SearchResponse)await Task <DirectoryResponse> .Factory.FromAsync(
settings.LdapConnection.BeginSendRequest, settings.LdapConnection.EndSendRequest,
upnSearchRequest, PartialResultProcessing.NoPartialResultSupport, null);
if (searchResponse != null && searchResponse.Entries != null && searchResponse.Entries.Count > 1)
{
throw new Exception(SR.DuplicateUPN); //resource
}
}
if (searchResponse == null || searchResponse.Entries == null || searchResponse.Entries.Count == 0)
{
searchResponse = (SearchResponse)await Task <DirectoryResponse> .Factory.FromAsync(
settings.LdapConnection.BeginSendRequest, settings.LdapConnection.EndSendRequest,
genericSearchRequest, PartialResultProcessing.NoPartialResultSupport, null);
}
}
catch (Exception ex)
{
if (searchResponse?.ErrorMessage != null)
{
throw new Exception(searchResponse.ErrorMessage);
}
else
{
throw ex;
}
}
if (searchResponse.Entries.Count > 0)
{
var userFound = searchResponse.Entries[0]; //Get the object that was found on ldap
var memberof = userFound.Attributes["memberof"]; // You can access ldap Attributes with Attributes property
foreach (var group in memberof)
{
// Example distinguished name: CN=TestGroup,DC=KERB,DC=local
var groupDN = $"{Encoding.UTF8.GetString((byte[])group)}";
var groupCN = groupDN.Split(',')[0].Substring("CN=".Length);
retrievedClaims.Add(groupCN);
}
var entrySize = originalUserName.Length * 2; //Approximate the size of stored key in memory cache.
foreach (var claim in retrievedClaims)
{
roleClaims.Add(new Claim(ClaimTypes.Role, claim, Rights.Identity));
entrySize += claim.Length * 2; //Approximate the size of stored value in memory cache.
}
settings.ClaimsCache.Set(originalUserName,
retrievedClaims,
new MemoryCacheEntryOptions()
.SetSize(entrySize)
.SetSlidingExpiration(settings.ClaimsCacheSlidingExpiration)
.SetAbsoluteExpiration(settings.ClaimsCacheAbsoluteExpiration));
}
return(roleClaims);
}
