Setting a callback on System.DirectoryServices.DirectoryEntry to handle self-signed SSL certificates?

2023-09-08 12:04:16 Author: 可笑的曾经


I have an application replicating data from a directory service using typical System.DirectoryServices.DirectoryEntry code. I now have a requirement to replicate from Novell eDirectory using SSL with a self-signed certificate. I suspect that the existing code would work with a valid certificate that could be verified, or perhaps if the self-signed cert is added to the local machine keystore. In order to make it work for sure with a self-signed cert however, the only solution I can find is to use the System.DirectoryServices.Protocols namespace and the LdapConnection class, whereby I can wire up a VerifyServerCertificate callback. I can't find any way of applying the same concept to a DirectoryEntry instance, or of connecting with an LdapConnection instance and somehow "converting" that to a DirectoryEntry instance. Maybe it isn't possible, I'd just like to confirm that really. Any other thoughts welcome.


The only pertinent link I've found is at: http://www.codeproject.com/Articles/19097/eDirectory-Authentication-using-LdapConnection-and

Recommended answer


This is a phenomenal question.


I've been battling this same issue for a few days now, and I've finally got some definitive proof on why the DirectoryEntry object will not work in this scenario.


This particular LDAP server (running on LDAPS 636) also issues its own self-signed certificate. Using LdapConnection (and monitoring the traffic via Wireshark), I noticed a handshake taking place that does not occur when using DirectoryEntry:


The first sequence is from the secured LDAP server, the second sequence is from my machine. The code that prompts the second sequence is:

ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };


There are other ways to "fake out" the callback, but this is what I've been using.


Unfortunately, DirectoryEntry does not have an option or method to verify a self signed cert, thus the acceptance of the certificate never happens (second sequence), and the connection fails to initialize.


The only feasible way to accomplish this is by using LdapConnection, in conjunction with a SearchRequest and SearchResponse. This is what I've got so far:

using System.DirectoryServices.Protocols;
using System.Net;

LdapConnection ldapConnection = new LdapConnection("xxx.xxx.xxx:636");

var networkCredential = new NetworkCredential("Hey", "There", "Guy");
ldapConnection.SessionOptions.SecureSocketLayer = true;
// Accepts whatever certificate the server presents, including the self-signed one;
// no validation of the certificate is performed by this callback.
ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };
ldapConnection.AuthType = AuthType.Negotiate;
ldapConnection.Bind(networkCredential);

SearchRequest request = new SearchRequest("DC=xxx,DC=xxx,DC=xxx", "(sAMAccountName=3074861)", SearchScope.Subtree);
SearchResponse response = (SearchResponse)ldapConnection.SendRequest(request);

if (response.Entries.Count == 1)
{
    SearchResultEntry entry = response.Entries[0];
    string DN = entry.DistinguishedName;
}


From there you can gather AD properties from the SearchResponse and process accordingly. This is a total bummer though, because the SearchRequest seems to be much slower than using the DirectoryEntry.

Hope this helps!
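The VerifyServerCertificate callback in the answer above returns true for every certificate, so the LDAPS session is encrypted but the server is never authenticated. The following is an added example, not code from the answer or from Microsoft: it keeps the same LdapConnection approach but pins the eDirectory server's self-signed certificate by its SHA-256 fingerprint, so only that exact certificate is accepted. The host name, the fingerprint constant and the use of AuthType.Basic are placeholders/assumptions.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedLdaps
{
    // Placeholder: SHA-256 fingerprint (hex) of the server's self-signed certificate,
    // exported once out-of-band from the eDirectory server and stored in configuration.
    const string ExpectedSha256 = "<SHA256-HEX-OF-SERVER-CERT>";

    // Fingerprint over the raw DER bytes, which is what an operator compares against
    // when exporting the certificate from the server.
    static string Sha256Hex(X509Certificate cert)
    {
        using var sha = SHA256.Create();
        byte[] digest = sha.ComputeHash(cert.GetRawCertData());
        return BitConverter.ToString(digest).Replace("-", "");
    }

    // Accept exactly the pinned certificate; any other certificate aborts the bind.
    static bool VerifyPinned(LdapConnection conn, X509Certificate cert)
    {
        bool ok = string.Equals(Sha256Hex(cert), ExpectedSha256, StringComparison.OrdinalIgnoreCase);
        if (!ok)
            Console.Error.WriteLine($"LDAPS: unexpected server certificate '{cert.Subject}', rejecting connection");
        return ok;
    }

    public static LdapConnection Connect(string host, NetworkCredential credential)
    {
        // Assumed host placeholder; port 636 is LDAPS as in the answer.
        var conn = new LdapConnection(new LdapDirectoryIdentifier(host, 636));
        conn.SessionOptions.SecureSocketLayer = true;
        conn.SessionOptions.VerifyServerCertificate = VerifyPinned;
        // Assumption: simple bind over the (now authenticated) TLS session for eDirectory;
        // the answer used AuthType.Negotiate against its own server.
        conn.AuthType = AuthType.Basic;
        conn.Bind(credential);   // throws LdapException if the callback rejected the certificate
        return conn;
    }
}
```

Rotating the server certificate requires updating ExpectedSha256; treat a rejection in the log as either an unannounced rotation or a man-in-the-middle and verify the fingerprint out-of-band before changing the pin.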
