Inferring the LDAP address from an NT domain name

2023-09-03 17:30:19 Author: 傲视人间笑红尘

Given an NT-style account name (DOMAIN\UserName), is it possible to infer what the LDAP address for that domain is so that user info can be looked up?

My scenario: I have an asp.net app running on IIS that accepts both anonymous and domain users. The anonymous users have to sign in, but for the domain users I check the server headers for the domain user name provided by IIS. I need to look up some info from Active Directory like email address etc. I have got this working if I supply the LDAP address in config, but would prefer not to have to maintain this extra config value if I can avoid it.

Recommended answer

If all of the domains are part of the same forest, you should be able to do a global catalog search (GC:// instead of LDAP://). You only get a partial attribute set back, but you can get the distinguishedName and then do a standard LDAP:// lookup.

If you're in the situation where you have different domains that are in different forests, then one simple way would be to build a look-up table of your NetBIOS domain names. For each forest, you do a subtree search of CN=Partitions,CN=Configuration,DC=YourDomain,DC=com with a filter of (netBIOSname=*) and you'll get back a list of the domains in that forest. The dnsRoot attribute will give you the DNS name of the domain and you can just use that to bind to, or do a DNS lookup of it and use the first address you get to bind to. Or you can use the dnsRoot to create a System.DirectoryServices.ActiveDirectory.DirectoryContext with a DirectoryContextType of DirectoryServer to get you a reference to the domain controller. Or you could use nCName (gives you the namingContext of the domain).


I can probably help more, if you can provide more details, or if any of that wasn't clear.

Additional:

You can get a DirectoryEntry by doing a serverless bind, just supplying the distinguishedName of the object in the directory, e.g. LDAP://CN=User1,CN=Users,DC=YOURDOMAIN,DC=COM. This will automatically find an appropriate domain controller and bind to it to get the object. If you are doing a search with a DirectorySearcher and you don't supply a SearchRoot, it automatically binds to the root of the current domain. You can supply a SearchRoot to narrow the search, but you don't have to. If you absolutely need to get the current domain name, you can bind to the RootDSE object (LDAP://RootDSE) and get the value of the defaultNamingContext attribute. This returns the DC=YOURDOMAIN,DC=COM part.


Frankly, more general code is probably not worth the pain unless you're sure you're going to need it because it will be dependent on the structure of your domains and forests. E.g. if you have two forests, is there a trust between them: you won't know this until you have two forests and the solution will depend on this. There's a pithy little maxim in agile development which escapes me but it goes along the lines of don't code what you don't need now.


Here's a console program that will perform such a search:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.DirectoryServices;

namespace SearchDirectory
{
    class Program
    {
        static void Main(string[] args)
        {
            // NT-style account name: DOMAIN\sAMAccountName
            string user = @"YOURDOMAIN\yourid";

            // No SearchRoot supplied, so the searcher binds to the root of the current domain
            using (DirectorySearcher ds = new DirectorySearcher())
            {
                ds.SearchScope = SearchScope.Subtree;
                // Match the user object whose sAMAccountName is the part after the backslash
                ds.Filter = String.Format("(&(objectClass=user)(objectCategory=person)(sAMAccountName={0}))",
                    user.Split('\\')[1]);
                ds.PageSize = 1000;
                using (SearchResultCollection src = ds.FindAll())
                {
                    foreach (SearchResult sr in src)
                        Console.WriteLine(sr.Properties["distinguishedName"][0].ToString());
                }
            }

            Console.WriteLine("\r\nPress a key to continue...");
            Console.ReadKey(true);
        }
    }
}

I've cut some corners on this, but it should get you started. My advice is to get it working in a console program and then move the class to your ASP.NET project. There are plenty of odd errors System.DirectoryServices can throw at you, and using S.DS inside of ASP.NET can be fun too, so it's best to know your code works before you wrap it in all of that ASP.NET loveliness.
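As an added example (my own code, not the answer's), here is the NetBIOS-name-to-dnsRoot look-up table described above, with the Partitions container located through RootDSE rather than a hard-coded DN, and with the sAMAccountName escaped per RFC 4515 before it is placed in the filter, which the console program above does not do. It assumes a domain-joined host that can reach a DC of its own forest; the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
// Added example, not code from the original answer. Assumes a domain-joined host
// that can reach a DC of its own forest; domains in other forests need their own map.
static class NtNameResolver
{
    // RFC 4515 escaping, backslash first, so the value cannot change the filter's meaning.
    public static string EscapeFilterValue(string value) =>
        value.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
             .Replace(")", "\\29").Replace("\0", "\\00");
    // netBIOSName -> dnsRoot, read once from the crossRef objects under CN=Partitions
    // of the forest's Configuration partition (found via RootDSE, no hard-coded DN).
    public static Dictionary<string, string> LoadNetBiosMap()
    {
        var map = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        using (var rootDse = new DirectoryEntry("LDAP://RootDSE"))
        {
            string configNc = rootDse.Properties["configurationNamingContext"].Value.ToString();
            using (var partitions = new DirectoryEntry("LDAP://CN=Partitions," + configNc))
            using (var ds = new DirectorySearcher(partitions, "(netBIOSName=*)",
                       new[] { "netBIOSName", "dnsRoot" }, SearchScope.OneLevel))
            using (SearchResultCollection results = ds.FindAll())
            {
                foreach (SearchResult sr in results)
                    map[sr.Properties["netBIOSName"][0].ToString()] =
                        sr.Properties["dnsRoot"][0].ToString();
            }
        }
        return map;
    }
    // Resolve DOMAIN\user to the user's distinguishedName; null if the NetBIOS name is
    // not in the map or no such user exists. Binds to the domain by its dnsRoot.
    public static string FindDistinguishedName(string ntAccount, Dictionary<string, string> netBiosMap)
    {
        string[] parts = ntAccount.Split(new[] { '\\' }, 2);
        if (parts.Length != 2 || !netBiosMap.TryGetValue(parts[0], out string dnsRoot)) return null;
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(parts[1]) + "))";
        using (var root = new DirectoryEntry("LDAP://" + dnsRoot))
        using (var ds = new DirectorySearcher(root, filter,
                   new[] { "distinguishedName" }, SearchScope.Subtree))
        {
            SearchResult sr = ds.FindOne();
            return sr == null ? null : sr.Properties["distinguishedName"][0].ToString();
        }
    }
}
```

Call LoadNetBiosMap() once at application start and cache the result; the Partitions container changes only when a domain is added to or removed from the forest.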