I have two domains, in a trusted relationship, that I'm trying to manage from a C# web application. To do that, I have to impersonate two different technical users, but that works well, so I will not emphasize that part of the code.
To build proper and easy to manage ACLs for the file system, I must
There is no such object on the server. (Exception from HRESULT: 0x80072030)
If I'm adding a user from the same domain, the code works perfectly, so I believe I'm only missing a small piece of information here. I used this document as a reference and saw this question as well (and a few more citing this error message), but neither of them helped.
Code (try-catch block removed to make it simpler)
// de is a DirectoryEntry object of the AD group, received by the method as a parameter
// first impersonation to search in domainB
// works all right
if (impersonator.impersonateUser("techUser1", "domainB", "pass")) {
    DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass");
    de.Invoke("Add", new object[] { "LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" });
    // de.Invoke("Add", new object[] { "LDAP://domainA.company.com/CN=anotherUserFromDomainA,OU=AnotherOU,DC=domainB,DC=company,DC=com" });
    impersonator.undoImpersonation();
}
// second impersonation because the group (de) is in domainA
// and techUser2 has account operator privileges there
if (impersonator.impersonateUser("techUser2", "domainA", "pass"))
{
    de.CommitChanges();
    impersonator.undoImpersonation();
    return true;
}
else
{
    // second impersonation was unsuccessful, so return an empty object
    return false;
}
Line 6 works; if I debug it or force the properties to be written to HttpResponse, it is clearly there. So the LDAP queries seem to be OK.
Also, if I comment out line 6 and uncomment line 7, so basically I add a user from the same domain, the whole thing works miraculously. With domainB, I'm stuck. Any good piece of advice?
Following your code, I see that you're getting de as a parameter, which is in Domain A. Then you're creating the DirectoryEntry object dom, which is getting impersonated, but never getting used. However, you're trying to add an object from Domain B to de directly using LDAP. This line:
de.Invoke("Add", new object[] { "LDAP://domainB.company.com/CN=theUserIWantToAdd,OU=MyOU,DC=domainB,DC=company,DC=com" });
is not impersonated.
Assuming your impersonation works correctly, use the dom object, which is already impersonated, with a DirectorySearcher to find the user in Domain B, and then add the user object from Domain B to de.
...
using (DirectoryEntry dom = new DirectoryEntry("LDAP://domainB.company.com/OU=MyOU,DC=domainB,DC=company,DC=com", "techUser1", "pass"))
{
    using (DirectorySearcher searcher = new DirectorySearcher(dom))
    {
        searcher.Filter = "(&(objectClass=user)(CN=theUserIWantToAdd))";
        SearchResult result = searcher.FindOne();
        if (result != null) // FindOne returns null when nothing matches the filter
        {
            de.Invoke("Add", new object[] { result.Path });
        }
    }
}
...
This example will show you how to get the user SID from one domain, search the group from another domain, and add the user to the group using the SID.
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// domainBContext and domainAContext are PrincipalContext objects bound to each domain
// GET THE USER FROM DOMAIN B
using (UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(domainBContext, UPN))
{
    if (userPrincipal != null)
    {
        // FIND THE GROUP IN DOMAIN A
        using (GroupPrincipal groupPrincipal = GroupPrincipal.FindByIdentity(domainAContext, groupName))
        {
            if (groupPrincipal != null)
            {
                // CHECK TO MAKE SURE USER IS NOT IN THAT GROUP
                if (!userPrincipal.IsMemberOf(groupPrincipal))
                {
                    // add the member by SID so the directory resolves the trusted-domain principal itself
                    string userSid = string.Format("<SID={0}>", userPrincipal.Sid.ToString());
                    DirectoryEntry groupDirectoryEntry = (DirectoryEntry)groupPrincipal.GetUnderlyingObject();
                    groupDirectoryEntry.Properties["member"].Add(userSid);
                    groupDirectoryEntry.CommitChanges();
                }
            }
        }
    }
}
Please note that I skipped all the impersonation in the above code.
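As an added example that is neither the asker's nor the answerer's code: a complete C# helper that binds a separate PrincipalContext to each domain, checks the target group's scope before attempting the cross-domain add, and then adds the member by SID the way the answer does. The context names, user principal name, group name and credentials are placeholders, and impersonation is again left out.

```csharp
// Added example, not code from the question or the answer. Binds to each domain
// with its own PrincipalContext, refuses to touch a global group (which cannot
// hold members from another domain), and otherwise adds the user by SID.
// Every name and password below is a placeholder; no impersonation is done here.
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

public static class CrossDomainGroupMembership
{
    // groupType bit flags as stored in the AD "groupType" attribute (ADS_GROUP_TYPE_ENUM).
    private const int GlobalGroupFlag = 0x00000002;
    private const int DomainLocalGroupFlag = 0x00000004;
    private const int UniversalGroupFlag = 0x00000008;

    // Global groups may only contain principals from their own domain; domain local
    // and universal groups may contain principals from a trusted domain.
    public static bool ScopeAllowsForeignMembers(int groupType)
    {
        if ((groupType & GlobalGroupFlag) != 0)
        {
            return false;
        }
        return (groupType & (DomainLocalGroupFlag | UniversalGroupFlag)) != 0;
    }

    // Returns true when the user was added, false when it was already a member,
    // and throws when the user or group is missing or the group scope cannot hold it.
    public static bool AddUserFromTrustedDomain(PrincipalContext userDomain, string userUpn,
                                                PrincipalContext groupDomain, string groupName)
    {
        using (UserPrincipal user = UserPrincipal.FindByIdentity(userDomain, IdentityType.UserPrincipalName, userUpn))
        using (GroupPrincipal group = GroupPrincipal.FindByIdentity(groupDomain, IdentityType.Name, groupName))
        {
            if (user == null)
            {
                throw new ArgumentException("User not found in " + userDomain.Name + ": " + userUpn);
            }
            if (group == null)
            {
                throw new ArgumentException("Group not found in " + groupDomain.Name + ": " + groupName);
            }

            DirectoryEntry groupEntry = (DirectoryEntry)group.GetUnderlyingObject();
            // groupType is a signed 32-bit value; security-enabled groups have the high bit set,
            // which does not disturb the scope bits tested above.
            int groupType = (int)groupEntry.Properties["groupType"].Value;
            if (!ScopeAllowsForeignMembers(groupType))
            {
                throw new InvalidOperationException(
                    "Group '" + groupName + "' is a global group and cannot contain members from another domain.");
            }

            // Same check the answer uses: skip the write if the user is already a member.
            if (user.IsMemberOf(group))
            {
                return false;
            }

            // The <SID=...> form lets the directory resolve the trusted-domain principal itself.
            string memberBySid = "<SID=" + user.Sid.Value + ">";
            groupEntry.Properties["member"].Add(memberBySid);
            groupEntry.CommitChanges();
            return true;
        }
    }

    public static void Main()
    {
        // Placeholder domains and credentials; each context authenticates to its own domain.
        using (PrincipalContext domainB = new PrincipalContext(ContextType.Domain, "domainB.company.com", "techUser1", "pass"))
        using (PrincipalContext domainA = new PrincipalContext(ContextType.Domain, "domainA.company.com", "techUser2", "pass"))
        {
            bool added = AddUserFromTrustedDomain(domainB, "theUserIWantToAdd@domainB.company.com", domainA, "MyGroup");
            Console.WriteLine(added ? "Member added." : "Already a member.");
        }
    }
}
```

The scope check is the caveat that most often turns this scenario into an opaque directory error: a global group only accepts members from its own domain, whereas a domain local or universal group accepts security principals from a trusted domain (for a domain local group, Active Directory represents a member from another domain with a foreignSecurityPrincipal object when it is added by SID). Reading groupType first makes the failure explicit before any write is attempted, and using one PrincipalContext per domain keeps each lookup authenticated against the domain that actually holds the object.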