public static string verifyNTuser(string userName)
{
DirectoryEntry dEntry = new DirectoryEntry("LDAP://ds.kycourts.net/CN=Users,DC=ds,DC=kycourts,DC=net");
DirectorySearcher dSearch = new DirectorySearcher(dEntry);
dSearch.PageSize = 6000;
dSearch.Filter = "cn="+userName;
dSearch.PropertiesToLoad.Add("cn");
dSearch.PropertiesToLoad.Add("mail");
dSearch.PropertiesToLoad.Add("objectSid");
dSearch.CacheResults = true;
if (dSearch.FindAll().Count > 0)
{
foreach (SearchResult sResultSet in dSearch.FindAll())
{
SecurityIdentifier sid = new SecurityIdentifier((byte[])sResultSet.Properties["objectSid"][0], 0);
string[] namesid = sid.ToString().Split('-');
dEntry.Close();
return sResultSet.Properties["cn"][0].ToString() + ";" + sResultSet.Properties["mail"][0].ToString() + ";" +
namesid[namesid.Length - 1].ToString();
}
}
else
{
dEntry.Close();
return "false";
}
return "false";
}
public static ActiveDirectoryRole CreateFromSecurityIdentifier(SecurityIdentifier sid)
{
if (sid == null)
throw new ArgumentNullException("sid");
ActiveDirectoryRole role = new ActiveDirectoryRole(GetRootEntry(), new DirectoryRootQuery("objectSID", sid.ToString(), DirectoryQueryOperation.Equal));
role.Operations.Add(s_directoryGroupQuery);
ValidateRole(role);
return role;
}
public static string GetPropertyAsSID(this DirectoryEntry entry, string name)
{
if (entry.Properties.Contains(name))
{
byte[] byteArray = (byte[])entry.Properties[name][0];
SecurityIdentifier si = new SecurityIdentifier(byteArray, 0);
return(si.ToString());
}
else
{
return(string.Empty);
}
}
//make this searching the GC
public static bool LookUpAcctSid(string contextSystem, byte[] abSID, StringBuilder sbDomain)
{
SecurityIdentifier sid = new SecurityIdentifier(abSID, 0);
string[] splits = contextSystem.Split('.');
string sDCs = "";
foreach (string split in splits)
{
sDCs = string.Concat(sDCs, "DC=", split, ",");
}
sDCs = sDCs.Substring(0, sDCs.Length - 1);
//some hack to obtain the creds to establish a GC dirContext [Wei]
string username = string.Empty;
string password = string.Empty;
DirectoryEntry.ObtainCreds(out username, out password, contextSystem.ToLower());
GlobalCatalog gc = GlobalCatalog.GetGlobalCatalog(
new System.DirectoryServices.ActiveDirectory.DirectoryContext(DirectoryContextType.Domain, contextSystem.ToLower(),
username, password));
if (gc == null) //cannot talk to GC
{
string contextldapPath = string.Concat("LDAP://", contextSystem.ToLower(), "/", sDCs);
DirectoryEntry context = new DirectoryEntry(contextldapPath);
string filter = string.Concat("(objectSid=", sid.ToString(), ")");
DirectorySearcher ds = new DirectorySearcher(context, filter);
ds.SearchScope = SearchScope.Subtree;
SearchResult de = ds.FindOne();
if (de == null)
{
//Console.WriteLine("GetSidDomain::LookUpAcctSid (Not Found!)");
return(false);
}
else
{
//Console.WriteLine("GetSidDomain::LookUpAcctSid (Found!)");
sbDomain.Append(contextSystem);
return(true);
}
}
else //search in GC
{
DirectorySearcher ds = gc.GetDirectorySearcher();
ds.Filter = string.Concat("(objectSid=", sid.ToString(), ")");
ds.SearchScope = SearchScope.Subtree;
SearchResult sr = ds.FindOne();
if (sr == null)
{
//Console.WriteLine("GetSidDomain::LookUpAcctSid (Not Found!) (in GC)");
return(false);
}
else
{
//Console.WriteLine("GetSidDomain::LookUpAcctSid (Found!) (in GC)");
sbDomain.Append(contextSystem);
return(true);
}
}
}
private static string GetObjectSid(System.DirectoryServices.ResultPropertyCollection props, string name)
{
if (!props.Contains(name))
{
return string.Empty;
}
ResultPropertyValueCollection pvc = props[name];
if (pvc == null || pvc.Count == 0)
{
return string.Empty;
}
byte[] sidInBytes = (byte[])pvc[0];
SecurityIdentifier sid = new SecurityIdentifier(sidInBytes, 0);
return sid.ToString();
}
public static UsuarioActiveDirectoryBD AutenticarAD(string login, string senha, string nomGrupo)
{
bool valido = false;
DirectoryEntry de = null;
DirectoryEntry deUser = null;
DirectoryEntry deGroup = null;
DirectorySearcher deSearchUser = null;
DirectorySearcher deSearchGroup = null;
UsuarioActiveDirectoryBD usuarioAD = null;
List<GrupoActiveDirectoryBD> listaGruposAD = new List<GrupoActiveDirectoryBD>();
WS.srvParametros srvParametros = new WS.srvParametros();
using (de = GetDirectoryObject("LDAP://" + srvParametros.ActiveDirectoryIP(), login, senha))
{
using (deSearchUser = new DirectorySearcher())
{
deSearchUser.SearchRoot = de;
deSearchUser.Filter = "(&(objectClass=user)(objectCategory=person)(SamAccountName=" + login + "))";
deSearchUser.SearchScope = SearchScope.Subtree;
try
{
SearchResult results = deSearchUser.FindOne();
if (results != null)
{
using (deUser = new DirectoryEntry(results.Path, login, senha, AuthenticationTypes.Secure))
{
System.DirectoryServices.PropertyCollection propertiesUser = deUser.Properties;
//512 - Conta habilitada 514 - Conta desabilitada
if (propertiesUser["UserAccountControl"].ToString() == "514")
{
new Exception("Conta desabilitada.");
}
if (propertiesUser["UserAccountControl"].ToString() == "8388608")
{
new Exception("Senha expirada.");
}
SecurityIdentifier sidUser = new SecurityIdentifier(propertiesUser["objectSid"][0] as byte[], 0);
usuarioAD = new UsuarioActiveDirectoryBD();
usuarioAD.sid = sidUser.ToString();
usuarioAD.nome = propertiesUser["displayname"].Value.ToString();
usuarioAD.login = login;
usuarioAD.senha = senha;
string dominio = srvParametros.DominioFrescatto();
string ActiveDirectoryIP = srvParametros.ActiveDirectoryIP();
PrincipalContext context = new PrincipalContext(ContextType.Domain, ActiveDirectoryIP, login + "@" + dominio, senha);
{
using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, login))
{
foreach (Principal p in user.GetGroups())
{
if (p.Name.IndexOf(nomGrupo) != -1)
{
GrupoActiveDirectoryBD grupoAD = new GrupoActiveDirectoryBD();
grupoAD.sidGrupo = p.Sid.ToString();
grupoAD.nomGrupo = p.Name;
listaGruposAD.Add(grupoAD);
valido = true;
}
//if (!valido)
if (valido)
{
foreach (Principal m in p.GetGroups(context))
{
GroupPrincipal group2 = GroupPrincipal.FindByIdentity(context, IdentityType.Name, m.Name);
if (group2 != null)
{
valido = true;
SecurityIdentifier sidGroup = group2.Sid;
GrupoActiveDirectoryBD grupoAD = new GrupoActiveDirectoryBD();
grupoAD.sidGrupo = sidGroup.Value;
grupoAD.nomGrupo = m.Name;
listaGruposAD.Add(grupoAD);
}
}
string grupo = string.Empty;
using (deGroup = new DirectoryEntry(results.Path + "/" + p.Name, login, senha, AuthenticationTypes.Secure))
{
string memberOf = p.Name;
deSearchGroup = new DirectorySearcher();
deSearchGroup.SearchRoot = new DirectoryEntry("LDAP://" + srvParametros.ActiveDirectoryIP() + "/" + memberOf, login, senha);
deSearchGroup.SearchScope = SearchScope.Subtree;
deSearchGroup.Filter = String.Format("(&(ObjectCategory=group)(SamAccountName={0}))", memberOf);
try
{
SearchResult sr = deSearchGroup.FindOne();
if (sr != null)
{
System.DirectoryServices.PropertyCollection groupProperties = deSearchGroup.SearchRoot.Properties;
for (int m = 0; m < groupProperties["memberOf"].Count; m++)
{
string grupoSistema = string.Empty;
string memberOfSistemas = groupProperties["memberOf"][m].ToString();
int pos_ = memberOfSistemas.IndexOf("CN=");
if (pos_ != -1)
{
for (int n = pos_ + 3; n < memberOfSistemas.Length; n++)
{
if (memberOfSistemas.Substring(n, 1) != ",")
{
grupoSistema += memberOfSistemas.Substring(n, 1);
}
else
{
n = memberOfSistemas.Length;
}
}
}
}
}
}
catch (Exception)
{
}
}
}
}
}
}
#region Obter grupos (antigo)
/*
for (int i = 0; i < propertiesUser["memberOf"].Count; i++)
{
string grupo = string.Empty;
using (deGroup = new DirectoryEntry(results.Path + "/" + propertiesUser["memberOf"][i], login, senha, AuthenticationTypes.Secure))
//using (deGroup = new DirectoryEntry(results.Path + "/" + p.Name, login, senha, AuthenticationTypes.Secure))
{
string memberOf = propertiesUser["memberOf"][i].ToString();
//string memberOf = p.Name;
int pos = memberOf.IndexOf("CN=");
if (pos != -1)
{
for (int j = pos + 3; j < memberOf.Length; j++)
{
if (memberOf.Substring(j, 1) != ",")
{
grupo += memberOf.Substring(j, 1);
}
else
{
j = memberOf.Length;
}
}
}
deSearchGroup = new DirectorySearcher();
deSearchGroup.SearchRoot = new DirectoryEntry("LDAP://" + FrescattoConnection.sPathAD + "/" + memberOf, login, senha);
deSearchGroup.SearchScope = SearchScope.Subtree;
deSearchGroup.Filter = String.Format("(&(ObjectCategory=group)(SamAccountName={0}))", grupo);
SearchResult sr = deSearchGroup.FindOne();
if (sr != null)
{
System.DirectoryServices.PropertyCollection groupProperties = deSearchGroup.SearchRoot.Properties;
for (int m = 0; m < groupProperties["memberOf"].Count; m++)
{
string grupoSistema = string.Empty;
string memberOfSistemas = groupProperties["memberOf"][m].ToString();
int pos_ = memberOfSistemas.IndexOf("CN=");
if (pos_ != -1)
{
for (int n = pos_ + 3; n < memberOfSistemas.Length; n++)
{
if (memberOfSistemas.Substring(n, 1) != ",")
{
grupoSistema += memberOfSistemas.Substring(n, 1);
}
else
{
n = memberOfSistemas.Length;
}
}
}
PrincipalContext ctx2 = new PrincipalContext(ContextType.Domain, FrescattoConnection.sPathAD, "OU=Sistemas,OU=Frescatto,DC=frescatto,DC=com", ContextOptions.SimpleBind, login + "@" + FrescattoConnection.sDominio, senha);
GroupPrincipal group2 = GroupPrincipal.FindByIdentity(ctx2, IdentityType.Name, grupoSistema);
if (group2 != null)
{
valido = true;
SecurityIdentifier sidGroup = group2.Sid;
GrupoActiveDirectoryBD grupoAD = new GrupoActiveDirectoryBD();
grupoAD.sidGrupo = sidGroup.Value;
grupoAD.nomGrupo = grupoSistema;
listaGruposAD.Add(grupoAD);
}
}
}
}
}*/
#endregion
}
}
}
catch (Exception ex)
{
//throw new Exception(Messages.message3);
throw new Exception("Erro na autenticação com o AD. " + ex.Message);
}
}
}
if (valido)
{
usuarioAD.grupos = listaGruposAD;
}
else
{
usuarioAD = null;
}
return usuarioAD;
}
public static string FindGroup(SecurityIdentifier searchSid)
{
using(var ad = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer"))
{
ad.Children.SchemaFilter.Add("group");
foreach(DirectoryEntry dChildEntry in ad.Children)
{
var bytes = (byte[])dChildEntry.Properties["objectSid"].Value;
var sid = new SecurityIdentifier(bytes, 0).ToString();
if(sid == searchSid.ToString())
{
return dChildEntry.Name;
}
}
}
throw new Exception("Cannot find group");
}
// Advance the enumerator to the next principal in the result set, pulling in additional pages
// of results (or ranges of attribute values) as needed.
// Returns true if successful, false if no more results to return.
override internal bool MoveNext()
{
if (_atBeginning)
{
Debug.Assert(_principalDN != null);
_current = SDSUtils.BuildDirectoryEntry(
BuildPathFromDN(_principalDN),
_storeCtx.Credentials,
_storeCtx.AuthTypes);
_current.RefreshCache(new string[] { _attributeToQuery });
_tokenGroupsEnum = _current.Properties[_attributeToQuery].GetEnumerator();
_atBeginning = false;
}
GlobalDebug.WriteLineIf(GlobalDebug.Info, "TokenGroupSet", "MoveNextLocal: returning primary group {0}", _current.Path);
if (_tokenGroupsEnum.MoveNext())
{
// Got a member from this group (or, got a group of which we're a member).
// Create a DirectoryEntry for it.
byte[] sid = (byte[])_tokenGroupsEnum.Current;
_currentSID = new SecurityIdentifier(sid, 0);
GlobalDebug.WriteLineIf(GlobalDebug.Info, "TokenGroupSet", "MoveNextLocal: got a value from the enumerator: {0}", _currentSID.ToString());
return true;
}
return false;
}
public static string GetSID(DirectoryEntry item, string ADpropName)
{
string SID = "";
if (item.Properties.Contains(ADpropName))
{
try
{
SecurityIdentifier sid = new SecurityIdentifier(
item.Properties[ADpropName][0] as byte[], 0);
SID = sid.ToString();
}
catch (Exception ex)
{
SqlContext.Pipe.Send("Warning: GetSID (" + ADpropName + ") failed for object (" + GetDistinguishedName(item) + ")"
+ " Exception: " + ex.Message);
}
}
return SID;
}
public static UserPrincipal GetUserPrincipal(SecurityIdentifier sid)
{
// This could be updated to use PrincipalSearcher, but the method is currently
// unused.
return UserPrincipal.FindByIdentity(m_machinePrincipal, IdentityType.Sid, sid.ToString());
}
//
// Cross-store support
//
// Given a native store object that represents a "foreign" principal (e.g., a FPO object in this store that
// represents a pointer to another store), maps that representation to the other store's StoreCtx and returns
// a Principal from that other StoreCtx. The implementation of this method is highly dependent on the
// details of the particular store, and must have knowledge not only of this StoreCtx, but also of how to
// interact with other StoreCtxs to fulfill the request.
//
// This method is typically used by ResultSet implementations, when they're iterating over a collection
// (e.g., of group membership) and encounter a entry that represents a foreign principal.
internal override Principal ResolveCrossStoreRefToPrincipal(object o)
{
Debug.Assert(o is DirectoryEntry);
// Get the SID of the foreign principal
DirectoryEntry foreignDE = (DirectoryEntry)o;
if (foreignDE.Properties["objectSid"].Count == 0)
{
GlobalDebug.WriteLineIf(GlobalDebug.Warn, "SAMStoreCtx", "ResolveCrossStoreRefToPrincipal: no objectSid found");
throw new PrincipalOperationException(StringResources.SAMStoreCtxCantRetrieveObjectSidForCrossStore);
}
Debug.Assert(foreignDE.Properties["objectSid"].Count == 1);
byte[] sid = (byte[])foreignDE.Properties["objectSid"].Value;
// Ask the OS to resolve the SID to its target.
int accountUsage = 0;
string name;
string domainName;
int err = Utils.LookupSid(this.MachineUserSuppliedName, _credentials, sid, out name, out domainName, out accountUsage);
if (err != 0)
{
GlobalDebug.WriteLineIf(GlobalDebug.Warn,
"SAMStoreCtx",
"ResolveCrossStoreRefToPrincipal: LookupSid failed, err={0}, server={1}",
err,
this.MachineUserSuppliedName);
throw new PrincipalOperationException(
String.Format(CultureInfo.CurrentCulture,
StringResources.SAMStoreCtxCantResolveSidForCrossStore,
err));
}
GlobalDebug.WriteLineIf(GlobalDebug.Info,
"SAMStoreCtx",
"ResolveCrossStoreRefToPrincipal: LookupSid found {0} in {1}",
name,
domainName);
// Since this is SAM, the remote principal must be an AD principal.
// Build a PrincipalContext for the store which owns the principal
// Use the ad default options so we turn sign and seal back on.
#if USE_CTX_CACHE
PrincipalContext remoteCtx = SDSCache.Domain.GetContext(domainName, _credentials, DefaultContextOptions.ADDefaultContextOption);
#else
PrincipalContext remoteCtx = new PrincipalContext(
ContextType.Domain,
domainName,
null,
(this.credentials != null ? credentials.UserName : null),
(this.credentials != null ? credentials.Password : null),
DefaultContextOptions.ADDefaultContextOption);
#endif
SecurityIdentifier sidObj = new SecurityIdentifier(sid, 0);
Principal p = remoteCtx.QueryCtx.FindPrincipalByIdentRef(
typeof(Principal),
UrnScheme.SidScheme,
sidObj.ToString(),
DateTime.UtcNow);
if (p != null)
return p;
else
{
GlobalDebug.WriteLineIf(GlobalDebug.Warn, "SAMStoreCtx", "ResolveCrossStoreRefToPrincipal: no matching principal");
throw new PrincipalOperationException(StringResources.SAMStoreCtxFailedFindCrossStoreTarget);
}
}
public ADDomain GetDomainFromSecurityIdentifier(SecurityIdentifier SecurityIdentifier)
{
ADDomain domain;
if (!TryGetDomainFromSecurityIdentifier(SecurityIdentifier, out domain))
throw new ArgumentException(string.Format("The domain for specified Security Identifier is unknown [{0}]", SecurityIdentifier.ToString()), "SecurityIdentifier");
return domain;
}
internal override Principal ResolveCrossStoreRefToPrincipal(object o)
{
string str = null;
string str1 = null;
DirectoryEntry directoryEntry = (DirectoryEntry)o;
if (directoryEntry.Properties["objectSid"].Count != 0)
{
byte[] value = (byte[])directoryEntry.Properties["objectSid"].Value;
int num = 0;
int num1 = Utils.LookupSid(this.MachineUserSuppliedName, this.credentials, value, out str, out str1, out num);
if (num1 == 0)
{
PrincipalContext context = SDSCache.Domain.GetContext(str1, this.credentials, DefaultContextOptions.ADDefaultContextOption);
SecurityIdentifier securityIdentifier = new SecurityIdentifier(value, 0);
Principal principal = context.QueryCtx.FindPrincipalByIdentRef(typeof(Principal), "ms-sid", securityIdentifier.ToString(), DateTime.UtcNow);
if (principal == null)
{
throw new PrincipalOperationException(StringResources.SAMStoreCtxFailedFindCrossStoreTarget);
}
else
{
return principal;
}
}
else
{
object[] objArray = new object[1];
objArray[0] = num1;
throw new PrincipalOperationException(string.Format(CultureInfo.CurrentCulture, StringResources.SAMStoreCtxCantResolveSidForCrossStore, objArray));
}
}
else
{
throw new PrincipalOperationException(StringResources.SAMStoreCtxCantRetrieveObjectSidForCrossStore);
}
}
// Handles all the work required to implement FindPrincipalByIdentRef (and FindPrincipalBySID).
private Principal FindPrincipalByIdentRefHelper(
Type principalType,
string urnScheme,
string urnValue,
DateTime referenceDate,
bool useSidHistory)
{
GlobalDebug.WriteLineIf(GlobalDebug.Info,
"ADStoreCtx",
"FindPrincipalByIdentRefHelper: type={0}, scheme={1}, value={2}, useSidHistory={3}",
principalType.ToString(),
(urnScheme != null ? urnScheme : "NULL"),
(urnValue != null ? urnValue : "NULL"),
useSidHistory);
//
// Set up a DirectorySearcher
//
DirectorySearcher ds = new DirectorySearcher(this.ctxBase);
SearchResultCollection src = null;
try
{
ds.SizeLimit = 2; // so we can efficiently check for duplicates
// If we are searching for AuthPrincpal or Principal in the end we will construct the acutal type
// i.e. if the objects objectClass is User we will construct a UserPrincipal even though they searched for Principal.FindByIdentity
// At this time we don't know the actual object type so we have to ask AD for all the attributes of the derived types so they are there
// when we go to load the principal.
if (principalType == typeof(Principal) || principalType == typeof(AuthenticablePrincipal))
{
BuildPropertySet(typeof(UserPrincipal), ds.PropertiesToLoad);
BuildPropertySet(typeof(GroupPrincipal), ds.PropertiesToLoad);
BuildPropertySet(typeof(ComputerPrincipal), ds.PropertiesToLoad);
if (principalType == typeof(Principal))
{
BuildPropertySet(typeof(AuthenticablePrincipal), ds.PropertiesToLoad);
}
}
BuildPropertySet(principalType, ds.PropertiesToLoad);
//
// Build an appropriate filter
//
StringBuilder ldapFilter = new StringBuilder();
// Limit the results returned to principalType by specifying the corresponding objectClass/objectCategory
ldapFilter.Append(GetObjectClassPortion(principalType));
// Build the rest of the filter based off of the user's specified IdentityReference.
if (urnScheme != null)
{
// If they're searching by SID for a SID corresponding to a fake group, construct
// and return the fake group
if ((urnScheme == UrnScheme.SidScheme) &&
(principalType == typeof(Principal) || principalType == typeof(GroupPrincipal) || principalType.IsSubclassOf(typeof(GroupPrincipal))))
{
SecurityIdentifier sid = new SecurityIdentifier(urnValue);
byte[] sidb = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidb, 0);
// = Utils.StringToByteArray(urnValue);
if (sid == null)
throw new ArgumentException(StringResources.StoreCtxSecurityIdentityClaimBadFormat);
IntPtr pSid = IntPtr.Zero;
try
{
pSid = Utils.ConvertByteArrayToIntPtr(sidb);
if (UnsafeNativeMethods.IsValidSid(pSid) && (Utils.ClassifySID(pSid) == SidType.FakeObject))
{
GlobalDebug.WriteLineIf(GlobalDebug.Info,
"ADStoreCtx",
"FindPrincipalByIdentRefHelper: fake principal, SID Scheme, {0}",
sid.ToString());
return ConstructFakePrincipalFromSID(sidb);
}
}
finally
{
if (pSid != IntPtr.Zero)
Marshal.FreeHGlobal(pSid);
}
}
// This is the simple case --- we got a specific UrnScheme, so we'll just build
// a filter for it.
// Ignore referenceDate --- all IdentityClaims in AD are forever
string innerLdapFilter = null;
BuildLdapFilterFromIdentityClaim(urnValue, urnScheme, ref innerLdapFilter, useSidHistory, true);
ldapFilter.Append(innerLdapFilter);
}
else
{
// Are they perhaps searching for a fake group?
// If they passed in a valid SID for a fake group, construct and return the fake
// group.
if (principalType == typeof(Principal) || principalType == typeof(GroupPrincipal) || principalType.IsSubclassOf(typeof(GroupPrincipal)))
{
SecurityIdentifier sid = null;
byte[] sidb = null;
try
{
sid = new SecurityIdentifier(urnValue);
sidb = new byte[sid.BinaryLength];
sid.GetBinaryForm(sidb, 0);
}
catch (ArgumentException)
{
}
if (sidb != null)
{
// They passed in a hex string, is it a valid SID, and if so, does it correspond to a fake
// principal?
IntPtr pSid = IntPtr.Zero;
try
{
pSid = Utils.ConvertByteArrayToIntPtr(sidb);
if (UnsafeNativeMethods.IsValidSid(pSid) && (Utils.ClassifySID(pSid) == SidType.FakeObject))
{
GlobalDebug.WriteLineIf(GlobalDebug.Info,
"ADStoreCtx",
"FindPrincipalByIdentRefHelper: fake principal, null Scheme, {0}",
sid.ToString());
return ConstructFakePrincipalFromSID(sidb);
}
}
finally
{
if (pSid != IntPtr.Zero)
Marshal.FreeHGlobal(pSid);
}
}
}
// This is the tricky case. They didn't specify a UrnScheme, so we need to
// try all of them.
string[] urnSchemesToTry = new string[]
{
UrnScheme.SamAccountScheme,
UrnScheme.UpnScheme,
UrnScheme.DistinguishedNameScheme,
UrnScheme.SidScheme,
UrnScheme.GuidScheme,
UrnScheme.NameScheme
};
StringBuilder innerLdapFilter = new StringBuilder();
innerLdapFilter.Append("(|");
string filterVal = null;
foreach (string urnSchemeToTry in urnSchemesToTry)
{
if (BuildLdapFilterFromIdentityClaim(urnValue, urnSchemeToTry, ref filterVal, useSidHistory, false))
if (null != filterVal)
innerLdapFilter.Append(filterVal);
}
innerLdapFilter.Append(")");
ldapFilter.Append(innerLdapFilter.ToString());
}
// Wrap off the filter
ldapFilter.Append(")");
ds.Filter = ldapFilter.ToString();
GlobalDebug.WriteLineIf(GlobalDebug.Info, "ADStoreCtx", "FindPrincipalByIdentRefHelper: using LDAP filter {0}", ds.Filter);
//
// Perform the actual search
//
src = ds.FindAll();
Debug.Assert(src != null);
if (src == null)
return null;
// Did we find a match?
int count = src.Count;
GlobalDebug.WriteLineIf(GlobalDebug.Info, "ADStoreCtx", "FindPrincipalByIdentRefHelper: found {0} matches", count);
// Did we find more than one match?
if (count > 1)
throw new MultipleMatchesException(StringResources.MultipleMatchingPrincipals);
if (count == 0)
return null;
return GetAsPrincipal(src[0], principalType);
}
catch (System.Runtime.InteropServices.COMException e)
{
throw ExceptionHelper.GetExceptionFromCOMException(e);
}
finally
{
ds.Dispose();
if (src != null)
{
src.Dispose();
}
}
}
//make this searching the GC
public static bool LookUpAcctSid(string contextSystem, byte[] abSID, StringBuilder sbDomain)
{
SecurityIdentifier sid = new SecurityIdentifier(abSID, 0);
string[] splits = contextSystem.Split('.');
string sDCs = "";
foreach (string split in splits)
sDCs = string.Concat(sDCs, "DC=", split, ",");
sDCs = sDCs.Substring(0, sDCs.Length - 1);
//some hack to obtain the creds to establish a GC dirContext [Wei]
string username = string.Empty;
string password = string.Empty;
DirectoryEntry.ObtainCreds(out username, out password, contextSystem.ToLower());
GlobalCatalog gc = GlobalCatalog.GetGlobalCatalog(
new System.DirectoryServices.ActiveDirectory.DirectoryContext(DirectoryContextType.Domain, contextSystem.ToLower(),
username, password));
if (gc == null) //cannot talk to GC
{
string contextldapPath = string.Concat("LDAP://", contextSystem.ToLower(), "/", sDCs);
DirectoryEntry context = new DirectoryEntry(contextldapPath);
string filter = string.Concat("(objectSid=", sid.ToString(), ")");
DirectorySearcher ds = new DirectorySearcher(context, filter);
ds.SearchScope = SearchScope.Subtree;
SearchResult de = ds.FindOne();
if (de == null)
{
//Console.WriteLine("GetSidDomain::LookUpAcctSid (Not Found!)");
return false;
}
else
{
//Console.WriteLine("GetSidDomain::LookUpAcctSid (Found!)");
sbDomain.Append(contextSystem);
return true;
}
}
else //search in GC
{
DirectorySearcher ds = gc.GetDirectorySearcher();
ds.Filter = string.Concat("(objectSid=", sid.ToString(), ")");
ds.SearchScope = SearchScope.Subtree;
SearchResult sr = ds.FindOne();
if (sr == null)
{
//Console.WriteLine("GetSidDomain::LookUpAcctSid (Not Found!) (in GC)");
return false;
}
else
{
//Console.WriteLine("GetSidDomain::LookUpAcctSid (Found!) (in GC)");
sbDomain.Append(contextSystem);
return true;
}
}
}
// Performs store-specific resolution of an IdentityReference to a Principal
// corresponding to the IdentityReference. Returns null if no matching object found.
// principalType can be used to scope the search to principals of a specified type, e.g., users or groups.
// Specify typeof(Principal) to search all principal types.
internal override Principal FindPrincipalByIdentRef(
Type principalType, string urnScheme, string urnValue, DateTime referenceDate)
{
// Perform the appropriate action based on the type of the UrnScheme
if (urnScheme == UrnScheme.SidScheme)
{
// Get the SID from the UrnValue
SecurityIdentifier sidObj = new SecurityIdentifier(urnValue);
byte[] sid = new byte[sidObj.BinaryLength];
sidObj.GetBinaryForm(sid, 0);
if (sid == null)
throw new ArgumentException(StringResources.StoreCtxSecurityIdentityClaimBadFormat);
// If they're searching by SID for a SID corresponding to a fake group, construct
// and return the fake group
IntPtr pSid = IntPtr.Zero;
try
{
pSid = Utils.ConvertByteArrayToIntPtr(sid);
if (UnsafeNativeMethods.IsValidSid(pSid) && (Utils.ClassifySID(pSid) == SidType.FakeObject))
{
GlobalDebug.WriteLineIf(GlobalDebug.Info,
"SAMStoreCtx",
"FindPrincipalByIdentRef: fake principal {0}",
sidObj.ToString());
return ConstructFakePrincipalFromSID(sid);
}
}
finally
{
if (pSid != IntPtr.Zero)
Marshal.FreeHGlobal(pSid);
}
// Not a fake group. Search for the real group.
object o = FindNativeBySIDIdentRef(principalType, sid);
return (o != null) ? GetAsPrincipal(o, null) : null;
}
else if (urnScheme == UrnScheme.SamAccountScheme || urnScheme == UrnScheme.NameScheme)
{
object o = FindNativeByNT4IdentRef(principalType, urnValue);
return (o != null) ? GetAsPrincipal(o, null) : null;
}
else if (urnScheme == null)
{
object sidPrincipal = null;
object nt4Principal = null;
//
// Try UrnValue as a SID IdentityClaim
//
// Get the SID from the UrnValue
byte[] sid = null;
try
{
SecurityIdentifier sidObj = new SecurityIdentifier(urnValue);
sid = new byte[sidObj.BinaryLength];
sidObj.GetBinaryForm(sid, 0);
}
catch (ArgumentException)
{
// must not have been a valid sid claim ignore it.
}
// If null, must have been a non-SID UrnValue. Ignore it, and
// continue on to try NT4 Account IdentityClaim.
if (sid != null)
{
// Are they perhaps searching for a fake group?
// If they passed in a valid SID for a fake group, construct and return the fake
// group.
if (principalType == typeof(Principal) || principalType == typeof(GroupPrincipal) || principalType.IsSubclassOf(typeof(GroupPrincipal)))
{
// They passed in a hex string, is it a valid SID, and if so, does it correspond to a fake
// principal?
IntPtr pSid = IntPtr.Zero;
try
{
pSid = Utils.ConvertByteArrayToIntPtr(sid);
if (UnsafeNativeMethods.IsValidSid(pSid) && (Utils.ClassifySID(pSid) == SidType.FakeObject))
{
GlobalDebug.WriteLineIf(GlobalDebug.Info,
"SAMStoreCtx",
"FindPrincipalByIdentRef: fake principal {0} (scheme==null)",
Utils.ByteArrayToString(sid));
return ConstructFakePrincipalFromSID(sid);
}
}
finally
{
if (pSid != IntPtr.Zero)
Marshal.FreeHGlobal(pSid);
}
}
sidPrincipal = FindNativeBySIDIdentRef(principalType, sid);
}
//
// Try UrnValue as a NT4 IdentityClaim
//
try
{
nt4Principal = FindNativeByNT4IdentRef(principalType, urnValue);
}
catch (ArgumentException)
{
// Must have been a non-NT4 Account UrnValue. Ignore it.
}
GlobalDebug.WriteLineIf(GlobalDebug.Info,
"SAMStoreCtx",
"FindPrincipalByIdentRef: scheme==null, found nt4={0}, found sid={1}",
(nt4Principal != null),
(sidPrincipal != null));
// If they both succeeded in finding a match, we have too many matches.
// Throw an exception.
if ((sidPrincipal != null) && (nt4Principal != null))
throw new MultipleMatchesException(StringResources.MultipleMatchingPrincipals);
// Return whichever one matched. If neither matched, this will return null.
return (sidPrincipal != null) ? GetAsPrincipal(sidPrincipal, null) :
((nt4Principal != null) ? GetAsPrincipal(nt4Principal, null) :
null);
}
else
{
// Unsupported type of IdentityClaim
throw new ArgumentException(StringResources.StoreCtxUnsupportedIdentityClaimForQuery);
}
}
public ADGroup RetrieveADGroupWithSecurityIdentifier(SecurityIdentifier SecurityIdentifier, string[] AdditionalProperties = null)
{
if (SecurityIdentifier == null)
throw new ArgumentNullException("SecurityIdentifier");
if (!SecurityIdentifier.IsEqualDomainSid(this.Domain.SecurityIdentifier))
throw new ArgumentException(string.Format("The specified Security Identifier [{0}] does not belong to this domain [{1}]", SecurityIdentifier.ToString(), this.Domain.Name), "SecurityIdentifier");
var sidBinaryString = SecurityIdentifier.ToBinaryString();
string ldapFilter = string.Format(ADGroup.LdapSecurityIdentifierFilterTemplate, sidBinaryString);
string[] loadProperites = (AdditionalProperties != null && AdditionalProperties.Length > 0)
? ADGroup.LoadProperties.Concat(AdditionalProperties).ToArray()
: ADGroup.LoadProperties;
var result = this.SearchEntireDomain(ldapFilter, loadProperites, ActiveDirectory.SingleSearchResult).FirstOrDefault();
if (result == null)
return null;
else
return result.AsADGroup(AdditionalProperties);
}
