logo标签列表

如何确定用户帐户是否是(间接)属于AD组的成员?

delphiactive-directorydelphi-2007
8
如何确定用户帐户是否是AD组的成员,特别是当用户不是该组的直接成员时?
一个例子:
- user1是group1的成员 - group1是group2的成员 - 函数调用IsUserMemberOf('user1', 'group2')的结果应为TRUE(虚构)
对于.NET,有一个解决方案:
static bool IsUserMemberOf(string userName, string groupName)
{
    using (var ctx = new PrincipalContext(ContextType.Domain))
    using (var groupPrincipal = GroupPrincipal.FindByIdentity(ctx, groupName))
    using (var userPrincipal = UserPrincipal.FindByIdentity(ctx, userName))
    {
        return userPrincipal.IsMemberOf(groupPrincipal);
    }
}

我该如何在Delphi(Delphi-2007)中实现它?

解决方案:

我接受Remko的答案,但由于他的代码在Delphi-2007下无法运行(一些String / WideString问题),这是我的D2007版本:

unit Unit1;

interface

uses  // Jedi ApiLib
  SysUtils, Classes, Windows, JwaActiveDs, JwaAdsTlb, JwaNative, JwaWinNT, JwaWinBase,
  JwaNtSecApi, JwaNtStatus,  JwaWinType;    

type
  // Some Helper Types
  TSidArray = array of PSID;
  PSidArray = ^TSidArray;

  TAdsValueArray = array[0..ANYSIZE_ARRAY-1] of ADSVALUE;
  PAdsValueArray = ^TAdsValueArray;

  TLsaTranslatedNameArray = array[0..ANYSIZE_ARRAY-1] of LSA_TRANSLATED_NAME;
  PLsaTranslatedNameArray = ^TLsaTranslatedNameArray;

  function GetPolicyHandle(const Computer: WideString=''): PLSA_HANDLE;
  function GetGroupMembership(const AdsPath: WideString; var Groups: TStringList): Boolean;

implementation

function GetPolicyHandle(const Computer: WideString=''): PLSA_HANDLE;
var
  ObjectAttributes: LSA_OBJECT_ATTRIBUTES;
  lusSystemName: LSA_UNICODE_STRING;
  nts: NTSTATUS;
  dwError: DWORD;
begin
  ZeroMemory(@ObjectAttributes, SizeOf(ObjectAttributes));

  RtlInitUnicodeString(@lusSystemName, PWideChar(Computer));

  nts := LsaOpenPolicy(@lusSystemName, ObjectAttributes,  POLICY_LOOKUP_NAMES,
    Pointer(Result));

  if nts <> STATUS_SUCCESS then
  begin
    dwError := LsaNtStatusToWinError(nts);
    raise EOSError.Create(SysErrorMessage(dwError));
  end;
end;

function GetGroupMembership(const AdsPath: WideString; var Groups: TStringList): Boolean;
const
  Username: PChar = 'Administrator';
  Password: PChar = 'password';
var
  hr: HRESULT;
  nts: NTSTATUS;
  PolicyHandle: PLSA_HANDLE;
  DirObject: IDirectoryObject;
  Domains: PLSA_REFERENCED_DOMAIN_LIST;
  Names: PLsaTranslatedNameArray;
  SidArray: TSidArray;
  Attributes: array of PChar;
  AdValue: PAdsValueArray;
  AdAttrInfo: PADS_ATTR_INFO;
  dwNumAttributes: DWORD;
  i: Integer;
  s: WideString;
begin
  Result := False;

  Assert(Assigned(Groups));

  // Get Lsa Policy Handle
  PolicyHandle := GetPolicyHandle;

  try
    // Open AD object, note that I am using username, password because I am
    // connecting from a machine that's not a domain member.
    // I am also passing the ADS_SERVER_BIND flag because I am directly
    // connecting to a specific Domain Controller
    hr := ADsOpenObject(PWideChar(AdsPath), Username, Password, 
      ADS_SERVER_BIND or ADS_SECURE_AUTHENTICATION, IID_IDirectoryObject,
        Pointer(DirObject));
    if Failed(hr) then
      Exit;

    // Attribute array
    SetLength(Attributes, 1);
    s := 'tokenGroups';
    Attributes[0] := @s[1];

    hr := DirObject.GetObjectAttributes(@Attributes[0], Length(Attributes), AdAttrInfo, dwNumAttributes);
    if Failed(hr) then
      Exit;

    // Setup an Array for the PSID's
    SetLength(SidArray, AdAttrInfo^.dwNumValues);
    AdValue := PAdsValueArray(AdAttrInfo^.pADsValues);

    for i := 0 to AdAttrInfo^.dwNumValues-1 do
    begin
      // Copy Pointer to Array
      Assert(AdValue^[i].OctetString.dwLength > 0);
      SidArray[i] := PSid(AdValue^[i].OctetString.lpValue);
    end;

    nts := LsaLookupSids(PolicyHandle, Length(SidArray), @SidArray[0], Domains, PLSA_TRANSLATED_NAME(Names));
    if nts >= STATUS_SUCCESS then
    begin

      for i := 0 to AdAttrInfo^.dwNumValues - 1 do
      begin
        SetLength(s, Names[i].Name.Length div SizeOf(WideChar));
        CopyMemory(@s[1], Names[i].Name.Buffer, Names[i].Name.Length);
        Groups.Add(s);
      end;

      // even if nts returns STATUS_NONE_MAPPED or STATUS_SOME_NOT_MAPPED we
      // must Free the Mem!
      LsaFreeMemory(Names);
      LsaFreeMemory(Domains);

      Result := True;
    end;

     FreeAdsMem(AdAttrInfo);

  finally
    // Close the Lsa Policy Handle
    LsaClose(PolicyHandle);
  end;
end;

end.
我没有注意到你在使用Delphi-2007(当然可以通过标签看出来):D - Remko
1个回答
6
tokenGroups 属性包含用户直接或间接成员的所有组的 SID 数组。可以使用 LsaLookupSids 一次性转换一个 SID 数组中的名称。请参考以下示例代码:
uses  // Jedi ApiLib
  JwaActiveDs, JwaAdsTlb, JwaNative, JwaNtSecApi, JwaNtStatus, JwaWinType;

type
  // Some Helper Types
  TSidArray = array of PSID;
  PSidArray = ^TSidArray;

  TAdsValueArray = array[0..ANYSIZE_ARRAY-1] of ADSVALUE;
  PAdsValueArray = ^TAdsValueArray;

  TLsaTranslatedNameArray = array[0..ANYSIZE_ARRAY-1] of LSA_TRANSLATED_NAME;
  PLsaTranslatedNameArray = ^TLsaTranslatedNameArray;

function GetPolicyHandle(const Computer: String=''): PLSA_HANDLE;
var
  ObjectAttributes: LSA_OBJECT_ATTRIBUTES;
  lusSystemName: LSA_UNICODE_STRING;
  nts: NTSTATUS;
  dwError: DWORD;
begin
  ZeroMemory(@ObjectAttributes, SizeOf(ObjectAttributes));

  RtlInitUnicodeString(@lusSystemName, PChar(Computer));

  nts := LsaOpenPolicy(@lusSystemName, ObjectAttributes,  POLICY_LOOKUP_NAMES,
    Pointer(Result));

  if nts <> STATUS_SUCCESS then
  begin
    dwError := LsaNtStatusToWinError(nts);
    raise EOSError.Create(SysErrorMessage(dwError));
  end;
end;

function GetGroupMembership(const AdsPath: String;
  var Groups: TStringList): Boolean;
const
  Username: PChar = 'Administrator';
  Password: PChar = 'password';
var
  hr: HRESULT;
  nts: NTSTATUS;
  PolicyHandle: PLSA_HANDLE;
  DirObject: IDirectoryObject;
  Domains: PLSA_REFERENCED_DOMAIN_LIST;
  Names: PLsaTranslatedNameArray;
  SidArray: TSidArray;
  Attributes: array of PChar;
  AdValue: PAdsValueArray;
  AdAttrInfo: PADS_ATTR_INFO;
  dwNumAttributes: DWORD;
  i: Integer;
  s: String;
begin
  Result := False;

  Assert(Assigned(Groups));

  // Get Lsa Policy Handle
  PolicyHandle := GetPolicyHandle;

  try
    // Open AD object, note that I am using username, password because I am
    // connecting from a machine that's not a domain member.
    // I am also passing the ADS_SERVER_BIND flag because I am directly
    // connecting to a specific Domain Controller
    hr := ADsOpenObject(PChar(AdsPath), Username, Password,
      ADS_SERVER_BIND or ADS_SECURE_AUTHENTICATION, IID_IDirectoryObject,
      Pointer(DirObject));
    if Failed(hr) then
      Exit;

    // Attribute array
    SetLength(Attributes, 1);
    Attributes[0] := 'tokenGroups';

    hr := DirObject.GetObjectAttributes(@Attributes[0], Length(Attributes),
      PADS_ATTR_INFO(AdAttrInfo), dwNumAttributes);
    if Failed(hr) then
      Exit;

    // Setup an Array for the PSID's
    SetLength(SidArray, AdAttrInfo^.dwNumValues);
    AdValue := PAdsValueArray(AdAttrInfo^.pADsValues);

    for i := 0 to AdAttrInfo^.dwNumValues-1 do
    begin
      // Copy Pointer to Array
      Assert(AdValue^[i].OctetString.dwLength > 0);
      SidArray[i] := PSid(AdValue^[i].OctetString.lpValue);
    end;

    nts := LsaLookupSids(PolicyHandle, Length(SidArray), @SidArray[0], Domains,
      PLSA_TRANSLATED_NAME(Names));
    if nts >= STATUS_SUCCESS then
    begin

      for i := 0 to AdAttrInfo^.dwNumValues - 1 do
      begin
        SetLength(s, Names[i].Name.Length div SizeOf(Char));
        CopyMemory(@s[1], Names[i].Name.Buffer, Names[i].Name.Length);
        Groups.Add(s);
      end;

      // even if nts returns STATUS_NONE_MAPPED or STATUS_SOME_NOT_MAPPED we
      // must Free the Mem!
      LsaFreeMemory(Names);
      LsaFreeMemory(Domains);

      Result := True;
    end;

     FreeAdsMem(AdAttrInfo);

  finally
    // Close the Lsa Policy Handle
    LsaClose(PolicyHandle);
  end;
end;

使用示例:

procedure TForm4.Button1Click(Sender: TObject);
var
  Groups: TStringList;
  bRes: Boolean;
  i: Integer;
begin
  Groups := TStringList.Create;
  Groups.Duplicates := dupIgnore;
  Groups.Sorted := True;

  try
    bRes := GetGroupMembership('LDAP://2003DC/CN=Administrator,CN=Users,DC=contoso,DC=com', Groups);

    if bRes then
    begin
      for i := 0 to Groups.Count - 1 do
      begin
        Memo1.Lines.Add(Groups[i]);
      end;
    end;

    Memo1.Lines.Add(Format('IsMemberOf Administrators: %s',
      [BoolToStr(Groups.IndexOf('Administrators') <> -1, True)]));
  finally
    Groups.Free;
  end;
end;
我在思考NetUserGetGroups函数和缓冲区迭代。您建议的解决方案会更容易实现吗? - TLama
它将会快得多,快得多! - Remko
我在这种安全方面真的很迷茫,所以我可能甚至无法构建AdsPath参数字符串。无论如何,感谢您提供的示例![+1] - TLama
谢谢您的解释,尤其是您的示例。然而,这个示例让我有点嫉妒 .NET 程序员。现在我需要下载 JEDI-API 和 -Security 库。请给我一些时间来测试您的代码。 - Heinz Z.
@HeinzZ。最终,.net框架调用(相同的)Windows API。对于Delphi /非托管代码开发人员的优势在于代码运行速度更快:D - Remko
显示剩余2条评论
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接