626 lines
22 KiB
C#
626 lines
22 KiB
C#
using System;
|
|
using System.Collections.Generic;
|
|
using System.Collections.ObjectModel;
|
|
using System.DirectoryServices;
|
|
using System.DirectoryServices.Protocols;
|
|
using System.Linq;
|
|
using System.Net;
|
|
using System.Security.Cryptography.X509Certificates;
|
|
using System.Text;
|
|
|
|
namespace FineUIPro.Web
|
|
{
|
|
|
|
public sealed class LdapAuthentication
|
|
{
|
|
private bool _allowAnyCertificates;
|
|
|
|
private string _domain;
|
|
|
|
private string _path;
|
|
|
|
private string _userNameProxyUser;
|
|
|
|
private string _passwordProxyUser;
|
|
|
|
private AuthenticationTypes _authenticationType;
|
|
|
|
public static readonly string LdapUriString = "LDAP";
|
|
|
|
public static readonly int LdapPort = 389;
|
|
|
|
public static readonly int LdapPortSsl = 636;
|
|
|
|
private X509Certificate _locallyVerificationCertificate;
|
|
|
|
private string _locallyVerificationCertificateSerialNumber;
|
|
|
|
private bool _useSecureSocketLayer;
|
|
|
|
private bool _verifyCertificateLocally;
|
|
|
|
private LdapDirectoryIdentifier _directoryIdentifier;
|
|
|
|
public bool AllowAnyCertificates
|
|
{
|
|
get
|
|
{
|
|
return _allowAnyCertificates;
|
|
}
|
|
set
|
|
{
|
|
_allowAnyCertificates = value;
|
|
}
|
|
}
|
|
|
|
public string Domain
|
|
{
|
|
get
|
|
{
|
|
return _domain;
|
|
}
|
|
set
|
|
{
|
|
_domain = value;
|
|
}
|
|
}
|
|
|
|
public string Path
|
|
{
|
|
get
|
|
{
|
|
return _path;
|
|
}
|
|
set
|
|
{
|
|
_path = value;
|
|
}
|
|
}
|
|
|
|
public string UserNameProxyUser
|
|
{
|
|
get
|
|
{
|
|
return _userNameProxyUser;
|
|
}
|
|
set
|
|
{
|
|
_userNameProxyUser = value;
|
|
}
|
|
}
|
|
|
|
public string PasswordProxyUser
|
|
{
|
|
get
|
|
{
|
|
return _passwordProxyUser;
|
|
}
|
|
set
|
|
{
|
|
_passwordProxyUser = value;
|
|
}
|
|
}
|
|
|
|
public AuthenticationTypes AuthenticationType
|
|
{
|
|
get
|
|
{
|
|
return _authenticationType;
|
|
}
|
|
set
|
|
{
|
|
_authenticationType = value;
|
|
}
|
|
}
|
|
|
|
public X509Certificate LocallyVerificationCertificate
|
|
{
|
|
get
|
|
{
|
|
return _locallyVerificationCertificate;
|
|
}
|
|
set
|
|
{
|
|
_locallyVerificationCertificate = value;
|
|
}
|
|
}
|
|
|
|
public string LocallyVerificationCertificateSerialNumber
|
|
{
|
|
get
|
|
{
|
|
return _locallyVerificationCertificateSerialNumber;
|
|
}
|
|
set
|
|
{
|
|
_locallyVerificationCertificateSerialNumber = value;
|
|
}
|
|
}
|
|
|
|
public bool UseSecureSocketLayer
|
|
{
|
|
get
|
|
{
|
|
return _useSecureSocketLayer;
|
|
}
|
|
set
|
|
{
|
|
lock (this)
|
|
{
|
|
_useSecureSocketLayer = value;
|
|
}
|
|
}
|
|
}
|
|
|
|
public bool VerifyCertificateLocally
|
|
{
|
|
get
|
|
{
|
|
return _verifyCertificateLocally;
|
|
}
|
|
set
|
|
{
|
|
lock (this)
|
|
{
|
|
_verifyCertificateLocally = value;
|
|
}
|
|
}
|
|
}
|
|
|
|
public LdapDirectoryIdentifier DirectoryIdentifier
|
|
{
|
|
get
|
|
{
|
|
if (_directoryIdentifier == null)
|
|
{
|
|
lock (this)
|
|
{
|
|
SetDirectoryIdentifier();
|
|
}
|
|
}
|
|
return _directoryIdentifier;
|
|
}
|
|
}
|
|
|
|
public LdapAuthentication()
|
|
{
|
|
_authenticationType = AuthenticationTypes.FastBind;
|
|
}
|
|
|
|
private void SetDirectoryIdentifier()
|
|
{
|
|
int num = 0;
|
|
_directoryIdentifier = new LdapDirectoryIdentifier(portNumber: (!UseSecureSocketLayer) ? LdapPort : LdapPortSsl, server: _domain);
|
|
}
|
|
|
|
public DirectoryEntry GetDirectoryEntryOfProxyUser()
|
|
{
|
|
string text = $"{LdapUriString}://{_domain}/{_path}";
|
|
using (DirectoryEntry result = new DirectoryEntry(text, _userNameProxyUser, _passwordProxyUser, _authenticationType))
|
|
{
|
|
try
|
|
{
|
|
return result;
|
|
}
|
|
catch (Exception innerException)
|
|
{
|
|
throw new Exception(text, innerException);
|
|
}
|
|
}
|
|
}
|
|
|
|
private bool OnLdapConnectionVerifyServerCertificate(LdapConnection connection, X509Certificate serverCertificate)
|
|
{
|
|
if (AllowAnyCertificates)
|
|
{
|
|
return true;
|
|
}
|
|
if (!VerifyCertificateLocally)
|
|
{
|
|
return true;
|
|
}
|
|
if (LocallyVerificationCertificate != null)
|
|
{
|
|
if (LocallyVerificationCertificate.Equals(serverCertificate))
|
|
{
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
if (!string.IsNullOrEmpty(LocallyVerificationCertificateSerialNumber))
|
|
{
|
|
if (serverCertificate.GetSerialNumberString() == LocallyVerificationCertificateSerialNumber)
|
|
{
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
X509Store x509Store = new X509Store("My");
|
|
x509Store.Open(OpenFlags.ReadOnly);
|
|
X509Certificate2Enumerator enumerator = x509Store.Certificates.GetEnumerator();
|
|
while (enumerator.MoveNext())
|
|
{
|
|
X509Certificate2 current = enumerator.Current;
|
|
if (current.SerialNumber == serverCertificate.GetSerialNumberString())
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
}
|
|
|
|
public bool CheckPassword(string userName, string password)
|
|
{
|
|
Collection<string> groupMemberships = null;
|
|
LdapUser ldapUserInfo = null;
|
|
return CheckPassword(userName, password, readGroupMemberships: false, out groupMemberships, readLdapUserInfo: false, out ldapUserInfo);
|
|
}
|
|
|
|
public bool CheckPassword(string userName, string password, out Collection<string> groupMemberships)
|
|
{
|
|
LdapUser ldapUserInfo = null;
|
|
return CheckPassword(userName, password, readGroupMemberships: true, out groupMemberships, readLdapUserInfo: false, out ldapUserInfo);
|
|
}
|
|
|
|
public bool CheckPassword(string userName, string password, out LdapUser ldapUserInfo)
|
|
{
|
|
Collection<string> groupMemberships = null;
|
|
return CheckPassword(userName, password, readGroupMemberships: false, out groupMemberships, readLdapUserInfo: true, out ldapUserInfo);
|
|
}
|
|
|
|
public bool CheckPassword(string userName, string password, out Collection<string> groupMemberships, out LdapUser ldapUserInfo)
|
|
{
|
|
return CheckPassword(userName, password, readGroupMemberships: true, out groupMemberships, readLdapUserInfo: true, out ldapUserInfo);
|
|
}
|
|
|
|
private bool CheckPassword(string userName, string password, bool readGroupMemberships, out Collection<string> groupMemberships, bool readLdapUserInfo, out LdapUser ldapUserInfo)
|
|
{
|
|
if (string.IsNullOrEmpty(userName))
|
|
{
|
|
throw new ArgumentNullException("userName");
|
|
}
|
|
if (string.IsNullOrEmpty(password))
|
|
{
|
|
throw new ArgumentNullException("password");
|
|
}
|
|
if (password.Length >= 128)
|
|
{
|
|
throw new Exception();
|
|
}
|
|
groupMemberships = null;
|
|
ldapUserInfo = null;
|
|
List<string> list = new List<string>();
|
|
DirectoryEntry directoryEntryOfProxyUser = GetDirectoryEntryOfProxyUser();
|
|
if (directoryEntryOfProxyUser == null)
|
|
{
|
|
throw new Exception();
|
|
}
|
|
lock (this)
|
|
{
|
|
|
|
BLL.ErrLogInfo.WriteLog("lock锁这里");
|
|
using (LdapConnection ldapConnection = new LdapConnection(DirectoryIdentifier))
|
|
{
|
|
try
|
|
{
|
|
|
|
BLL.ErrLogInfo.WriteLog("ldap验证");
|
|
|
|
ldapConnection.SessionOptions.SecureSocketLayer = UseSecureSocketLayer;
|
|
if (UseSecureSocketLayer && (AllowAnyCertificates || VerifyCertificateLocally))
|
|
{
|
|
LdapSessionOptions sessionOptions = ldapConnection.SessionOptions;
|
|
sessionOptions.VerifyServerCertificate = (VerifyServerCertificateCallback)Delegate.Combine(sessionOptions.VerifyServerCertificate, new VerifyServerCertificateCallback(OnLdapConnectionVerifyServerCertificate));
|
|
}
|
|
ldapConnection.Credential = new NetworkCredential(UserNameProxyUser, PasswordProxyUser);
|
|
ldapConnection.AuthType = AuthType.Basic;
|
|
ldapConnection.SessionOptions.ProtocolVersion = 3;
|
|
ldapConnection.Bind();
|
|
}
|
|
catch (DirectoryServicesCOMException innerException)
|
|
{
|
|
|
|
BLL.ErrLogInfo.WriteLog($"ldap验证失败:{innerException.Message}");
|
|
throw new Exception("Proxyuser_NotFound", innerException);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
BLL.ErrLogInfo.WriteLog($"捕获异常信息:{ex.Message}");
|
|
throw ex;
|
|
}
|
|
finally
|
|
{
|
|
if (UseSecureSocketLayer && (AllowAnyCertificates || VerifyCertificateLocally))
|
|
{
|
|
LdapSessionOptions sessionOptions2 = ldapConnection.SessionOptions;
|
|
sessionOptions2.VerifyServerCertificate = (VerifyServerCertificateCallback)Delegate.Remove(sessionOptions2.VerifyServerCertificate, new VerifyServerCertificateCallback(OnLdapConnectionVerifyServerCertificate));
|
|
}
|
|
}
|
|
string ldapFilter = $" (cn={userName})";
|
|
if (readGroupMemberships)
|
|
{
|
|
list.Add("groupmembership");
|
|
}
|
|
if (readLdapUserInfo)
|
|
{
|
|
BLL.ErrLogInfo.WriteLog($"readLdapUserInfo信息:{readLdapUserInfo}");
|
|
GetUserAttrs(list);
|
|
}
|
|
SearchRequest request = new SearchRequest(_path, ldapFilter, System.DirectoryServices.Protocols.SearchScope.Subtree, list.ToArray());
|
|
SearchResponse searchResponse = (SearchResponse)ldapConnection.SendRequest(request);
|
|
if (searchResponse == null || searchResponse.Entries == null || searchResponse.Entries.Count < 1)
|
|
{
|
|
throw new Exception();
|
|
}
|
|
BLL.ErrLogInfo.WriteLog($"searchResponse不等于空");
|
|
SearchResultEntry searchResultEntry = searchResponse.Entries[0];
|
|
string distinguishedName = searchResultEntry.DistinguishedName;
|
|
BLL.ErrLogInfo.WriteLog($"distinguishedName={distinguishedName}");
|
|
if (readGroupMemberships)
|
|
{
|
|
groupMemberships = ReadGroupMembershipsInternal(searchResultEntry);
|
|
}
|
|
if (readLdapUserInfo)
|
|
{
|
|
ldapUserInfo = GetUserInfoFromDirectoryEntry(searchResultEntry);
|
|
}
|
|
ldapConnection.Credential = new NetworkCredential(distinguishedName, password);
|
|
try
|
|
{
|
|
ldapConnection.Bind();
|
|
}
|
|
catch (LdapException innerException2)
|
|
{
|
|
BLL.ErrLogInfo.WriteLog($"ldap错误={innerException2.Message}");
|
|
throw new Exception("LdapAuthentication_WrongPassword", innerException2);
|
|
}
|
|
return true;
|
|
}
|
|
}
|
|
}
|
|
|
|
private static void GetUserAttrs(List<string> attrs)
|
|
{
|
|
attrs.Add("basfANRED");
|
|
attrs.Add("basfBuilding");
|
|
attrs.Add("basfCCCompany");
|
|
attrs.Add("basfCCPN");
|
|
attrs.Add("basfCompanyID");
|
|
attrs.Add("basfContractStatus");
|
|
attrs.Add("basfCostCenter");
|
|
attrs.Add("basfEPSapGroup");
|
|
attrs.Add("basfEPSapUserID");
|
|
attrs.Add("basfCCPN");
|
|
attrs.Add("basfGCDID");
|
|
attrs.Add("basfIDtype");
|
|
attrs.Add("basfPersg");
|
|
attrs.Add("basfPersonID");
|
|
attrs.Add("basfRegion");
|
|
attrs.Add("basfRPID");
|
|
attrs.Add("basfSBNR");
|
|
attrs.Add("basfSex");
|
|
attrs.Add("basfSIAMID");
|
|
attrs.Add("dn");
|
|
attrs.Add("cn");
|
|
attrs.Add("uid");
|
|
attrs.Add("co");
|
|
attrs.Add("employeeStatus");
|
|
attrs.Add("facsimileTelephoneNumber");
|
|
attrs.Add("fullName");
|
|
attrs.Add("givenName");
|
|
attrs.Add("GroupMembership");
|
|
attrs.Add("InternetEmailAddress");
|
|
attrs.Add("l");
|
|
attrs.Add("mobile");
|
|
attrs.Add("o");
|
|
attrs.Add("ou");
|
|
attrs.Add("postalCode");
|
|
attrs.Add("roomNumber");
|
|
attrs.Add("s");
|
|
attrs.Add("sa");
|
|
attrs.Add("surname");
|
|
attrs.Add("telephoneNumber");
|
|
attrs.Add("title");
|
|
attrs.Add("mail");
|
|
attrs.Add("sn");
|
|
attrs.Add("employeeNumber");
|
|
attrs.Add("basfUDMSID");
|
|
attrs.Add("postalAddress");
|
|
attrs.Add("c");
|
|
}
|
|
|
|
private static LdapUser GetUserInfoFromDirectoryEntry(SearchResultEntry entry)
|
|
{
|
|
LdapUser ldapUser = new LdapUser();
|
|
if (entry.Attributes.Contains("cn"))
|
|
{
|
|
ldapUser.UserName = (string)entry.Attributes["cn"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("mail"))
|
|
{
|
|
ldapUser.EmailAddress = (string)entry.Attributes["mail"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("givenName"))
|
|
{
|
|
ldapUser.FirstName = (string)entry.Attributes["givenName"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("sn"))
|
|
{
|
|
ldapUser.LastName = (string)entry.Attributes["sn"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("fullName"))
|
|
{
|
|
ldapUser.FullName = (string)entry.Attributes["fullName"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("o"))
|
|
{
|
|
ldapUser.Company = (string)entry.Attributes["o"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("ou"))
|
|
{
|
|
ldapUser.OrgCode = (string)entry.Attributes["ou"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("telephoneNumber"))
|
|
{
|
|
ldapUser.Phone = (string)entry.Attributes["telephoneNumber"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("basfGCDID"))
|
|
{
|
|
ldapUser.GcdId = (string)entry.Attributes["basfGCDID"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("basfPersonID"))
|
|
{
|
|
ldapUser.PersonId = (string)entry.Attributes["basfPersonID"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("employeeNumber"))
|
|
{
|
|
ldapUser.PersonalNr = (string)entry.Attributes["employeeNumber"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("basfCCPN"))
|
|
{
|
|
ldapUser.Ccpn = (string)entry.Attributes["basfCCPN"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("basfUDMSID"))
|
|
{
|
|
ldapUser.UdmsId = (string)entry.Attributes["basfUDMSID"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("postalAddress"))
|
|
{
|
|
ldapUser.Street = (string)entry.Attributes["postalAddress"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("l"))
|
|
{
|
|
ldapUser.City = (string)entry.Attributes["l"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("postalCode"))
|
|
{
|
|
ldapUser.ZipCode = (string)entry.Attributes["postalCode"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("c"))
|
|
{
|
|
ldapUser.Country = (string)entry.Attributes["c"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("facsimileTelephoneNumber"))
|
|
{
|
|
ldapUser.Fax = (string)entry.Attributes["facsimileTelephoneNumber"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("mobile"))
|
|
{
|
|
ldapUser.MobilePhone = (string)entry.Attributes["mobile"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("basfcompanyid"))
|
|
{
|
|
ldapUser.CompanyId = (string)entry.Attributes["basfcompanyid"].GetValues(typeof(string))[0];
|
|
}
|
|
if (entry.Attributes.Contains("basfidtype"))
|
|
{
|
|
ldapUser.BasfIdType = (string)entry.Attributes["basfidtype"].GetValues(typeof(string))[0];
|
|
}
|
|
return ldapUser;
|
|
}
|
|
|
|
private static Collection<string> ReadGroupMembershipsInternal(SearchResultEntry entry)
|
|
{
|
|
Collection<string> collection = new Collection<string>();
|
|
object[] values = entry.Attributes["groupmembership"].GetValues(typeof(string));
|
|
for (int i = 0; i < values.Length; i++)
|
|
{
|
|
string item = (string)values[i];
|
|
collection.Add(item);
|
|
}
|
|
return collection;
|
|
}
|
|
|
|
private static LdapUser GetUserInfoFromSearchResult(DirectoryEntry entry)
|
|
{
|
|
LdapUser ldapUser = new LdapUser();
|
|
if (entry.Properties.Contains("cn"))
|
|
{
|
|
ldapUser.UserName = entry.Properties["cn"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("mail"))
|
|
{
|
|
ldapUser.EmailAddress = entry.Properties["mail"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("givenName"))
|
|
{
|
|
ldapUser.FirstName = entry.Properties["givenName"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("sn"))
|
|
{
|
|
ldapUser.LastName = entry.Properties["sn"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("fullName"))
|
|
{
|
|
ldapUser.FullName = entry.Properties["fullName"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("o"))
|
|
{
|
|
ldapUser.Company = entry.Properties["o"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("ou"))
|
|
{
|
|
ldapUser.OrgCode = entry.Properties["ou"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("telephoneNumber"))
|
|
{
|
|
ldapUser.Phone = entry.Properties["telephoneNumber"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("basfGCDID"))
|
|
{
|
|
ldapUser.GcdId = entry.Properties["basfGCDID"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("basfPersonID"))
|
|
{
|
|
ldapUser.PersonId = entry.Properties["basfPersonID"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("employeeNumber"))
|
|
{
|
|
ldapUser.PersonalNr = entry.Properties["employeeNumber"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("basfCCPN"))
|
|
{
|
|
ldapUser.Ccpn = entry.Properties["basfCCPN"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("basfUDMSID"))
|
|
{
|
|
ldapUser.UdmsId = entry.Properties["basfUDMSID"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("postalAddress"))
|
|
{
|
|
ldapUser.Street = entry.Properties["postalAddress"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("l"))
|
|
{
|
|
ldapUser.City = entry.Properties["l"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("postalCode"))
|
|
{
|
|
ldapUser.ZipCode = entry.Properties["postalCode"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("c"))
|
|
{
|
|
ldapUser.Country = entry.Properties["c"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("facsimileTelephoneNumber"))
|
|
{
|
|
ldapUser.Fax = entry.Properties["facsimileTelephoneNumber"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("mobile"))
|
|
{
|
|
ldapUser.MobilePhone = entry.Properties["mobile"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("basfcompanyid"))
|
|
{
|
|
ldapUser.CompanyId = entry.Properties["basfcompanyid"].Value.ToString();
|
|
}
|
|
if (entry.Properties.Contains("basfidtype"))
|
|
{
|
|
ldapUser.BasfIdType = entry.Properties["basfidtype"].Value.ToString();
|
|
}
|
|
return ldapUser;
|
|
}
|
|
|
|
}
|
|
}
|