web方式重置域密码及后台同步domino密码的权限控制及日志统计
前面的文件咱们分别介绍了,通过web方式重置domino邮箱用户的internet密码、web方式重置域密码等功能及重置域密码后台重置domino密码的internet,来保证域密码和邮箱密码统一性;
因为作为管理员来说重置密码是家常便饭,但是安全也是必须考虑的,怎么说呢,比如管理员故意找某些用户的问题,重置用户密码导致不能正常使用,甚至更严重的是,老板的密码被重置了,后果非常严重,老板会问我的密码前一段时间自己更改过,怎么密码突然就不对了,然后老板会问,帮忙查一下,到底是怎么回事,那作为IT部门的责任人会怎么做呢,无从查找。那今天主要介绍,为了防止上面的问题发生,需要做两件事:第一,对用户的操作记录通过日志的形式登记;第二,通过权限设置对web方式重置页面进行权限控制;具体见下:
目的:
委派指定的用户通过web方式对用户进行密码重置,重置的过程中domino的internet密码也被修改,达到密码统一性,同时对委派的用户进行重置记录的log形式登记
操作步骤:
1.创建委派用户的用户组(resetpwd),将权限委派给组内的普通用户,通过提取组内的用户进行验证登录及重置工作;将重置密码的权限委派给user01、user02,同时将这两个用户添加到组即可。
2.创建登陆及验证页面及权限控制
3.对用户的重置记录做log形式的登记。
1. 创建用户组resetpwd
2.创建登录界面及权限控制
首先呢,还是在原有的功能上进行修改(源代码见本人博客的附件,可以在自己的真实环境下使用,修改为自己需要的域名即可);
首先在models下创建登录界面视图,并且添加脚本内容;
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IO;
using System.Linq;
using System.Web;
namespace ChangePassword.Models
{
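/// <summary>
/// Minimal append-only audit log for the password-reset page. Each call to
/// <see cref="CheckLog"/> records one line in the file named by the
/// appSettings key "LogFile".
/// </summary>
public class Logger
{
    /// <summary>Path of the audit log file (appSettings "LogFile"); null when the key is missing.</summary>
    private static string LogFile = ConfigurationManager.AppSettings["LogFile"];

    // Web requests run concurrently and File.AppendText takes an exclusive handle,
    // so two simultaneous resets would otherwise race on the same file.
    private static readonly object LogLock = new object();

    /// <summary>
    /// Appends one audit line to the log, creating the file first if it does not exist yet.
    /// </summary>
    /// <param name="Log">The line to record.</param>
    /// <exception cref="InvalidOperationException">The "LogFile" appSetting is not configured.</exception>
    public static void CheckLog(string Log)
    {
        if (string.IsNullOrEmpty(LogFile))
        {
            throw new InvalidOperationException("appSettings key 'LogFile' is not configured.");
        }
        lock (LogLock)
        {
            if (!File.Exists(LogFile))
            {
                CreateLog();
            }
            WriteLog(Log);
        }
    }

    /// <summary>Creates an empty log file, including its directory when needed.</summary>
    private static void CreateLog()
    {
        string dir = Path.GetDirectoryName(LogFile);
        if (!string.IsNullOrEmpty(dir))
        {
            Directory.CreateDirectory(dir);
        }
        // The original left this writer undisposed; `using` releases the handle immediately.
        using (StreamWriter SW = File.CreateText(LogFile))
        {
        }
    }

    /// <summary>Appends a single line to the existing log file.</summary>
    private static void WriteLog(string Log)
    {
        using (StreamWriter SW = File.AppendText(LogFile))
        {
            SW.WriteLine(Log);
        }
    }
}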
}
接下来添加配置文件,该文件需要在ADOperator.cs下添加:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Configuration;
using System.Collections;
namespace ChangePassword.Models
{
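/// <summary>
/// Active Directory helper used by the password-reset page: authenticates users,
/// looks up accounts, resets passwords and lists the members of the delegated group.
/// Connection settings come from web.config appSettings.
/// </summary>
public class ADOperator : IDisposable
{
    /// <summary>域名 — NetBIOS domain name (appSettings "DomainName"). Not used by this class today.</summary>
    private static string DomainName = ConfigurationManager.AppSettings["DomainName"];
    /// <summary>LDAP 地址 — LDAP server address (appSettings "LDAPDomain"). Not used by this class today.</summary>
    private static string LDAPDomain = ConfigurationManager.AppSettings["LDAPDomain"];
    /// <summary>LDAP绑定路径 — LDAP bind path used as the search root (appSettings "ConnectionLDAP").</summary>
    private static string ADPath = ConfigurationManager.AppSettings["ConnectionLDAP"];
    /// <summary>管理员登录帐号 — account used for privileged binds (appSettings "LDAPAdminUser").</summary>
    private static string ADUser = ConfigurationManager.AppSettings["LDAPAdminUser"];
    /// <summary>管理员登录密码 — password of that account (appSettings "LDAPAdminPwd"); it sits in web.config in clear text, so protect that file/section.</summary>
    private static string ADPassword = ConfigurationManager.AppSettings["LDAPAdminPwd"];
    /// <summary>CN of the AD group whose members may use the reset page (appSettings "ADGroupName").</summary>
    private static string ADGroupName = ConfigurationManager.AppSettings["ADGroupName"];

    /// <summary>CNs of the members of the delegated group; filled by <see cref="GetGroupUserList()"/>.</summary>
    public static ArrayList adminlist = null;

    // Admin bind used by the instance methods. The original kept this static, so dispose()
    // on one request tore down the DirectoryEntry every other in-flight request was using.
    private DirectoryEntry root = null;

    /// <summary>Opens the administrator bind at <see cref="ADPath"/>.</summary>
    public ADOperator()
    {
        root = new DirectoryEntry(ADPath, ADUser, ADPassword, AuthenticationTypes.Secure);
    }

    /// <summary>
    /// 释放占用资源 — releases the administrator bind. Safe to call more than once.
    /// (The original's GC.Collect()/WaitForPendingFinalizers are dropped; Dispose releases the handle directly.)
    /// </summary>
    public void dispose()
    {
        if (root != null)
        {
            root.Dispose();
            root = null;
        }
    }

    /// <summary>IDisposable entry point; same as <see cref="dispose"/>.</summary>
    public void Dispose()
    {
        dispose();
    }

    /// <summary>
    /// Escapes a value for use inside an LDAP search filter (RFC 4515): every filter in this
    /// class is built from values that arrive from the web form, so without this a caller could
    /// inject "*" or ")(" and widen the search.
    /// </summary>
    private static string EscapeLdapFilterValue(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return string.Empty;
        }
        // Backslash must be escaped first so the escapes added below are not re-escaped.
        return value.Replace("\\", "\\5c")
                    .Replace("*", "\\2a")
                    .Replace("(", "\\28")
                    .Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }

    /// <summary>Filter matching exactly one user object by sAMAccountName.</summary>
    private static string BuildUserFilter(string sAMAccountName)
    {
        return "(&(&(objectCategory=person)(objectClass=user))(sAMAccountName=" + EscapeLdapFilterValue(sAMAccountName) + "))";
    }

    /// <summary>
    /// Verifies a user's domain credentials by binding as that user.
    /// </summary>
    /// <param name="itcode">Account name without domain prefix.</param>
    /// <param name="pwd">Password to verify.</param>
    /// <returns>1 when the bind succeeds, 0 when it is rejected or either value is empty.</returns>
    public int Login(string itcode, string pwd)
    {
        // An empty password must never reach the server: a simple bind with no password is an
        // anonymous/unauthenticated bind and can "succeed" without proving anything.
        if (string.IsNullOrEmpty(itcode) || string.IsNullOrEmpty(pwd))
        {
            return 0;
        }
        // 这个地方改一下。。 域名 — the original author's note: the NetBIOS prefix is hard-coded
        // here; it is kept verbatim so the bind behaves as before, but DomainName from web.config
        // is the intended source.
        string bindUser = "iiosoft\\" + itcode;
        DirectoryEntry rootUser = null;
        DirectorySearcher deSearch = null;
        try
        {
            // Secure (Negotiate) instead of the original AuthenticationTypes.None, which sends a
            // clear-text simple bind; the admin bind in the constructor already uses Secure.
            rootUser = new DirectoryEntry(ADPath, bindUser, pwd, AuthenticationTypes.Secure);
            deSearch = new DirectorySearcher(rootUser);
            // The original filtered on the prefixed name, which never matches; the search result is
            // not what decides the outcome anyway — a failed bind throws, a successful one returns.
            deSearch.Filter = BuildUserFilter(itcode);
            deSearch.FindOne();
            return 1;
        }
        catch (Exception)
        {
            return 0;
        }
        finally
        {
            if (deSearch != null)
            {
                deSearch.Dispose();
            }
            if (rootUser != null)
            {
                rootUser.Dispose();
            }
        }
    }

    /// <summary>
    /// Checks whether a user with the given sAMAccountName exists under the admin bind.
    /// </summary>
    /// <param name="itcode">Account name to look up.</param>
    /// <returns>1 if at least one match, otherwise 0 (also 0 when the account is empty or the instance is disposed).</returns>
    public int IsUserExistsByAccount(string itcode)
    {
        if (string.IsNullOrEmpty(itcode) || root == null)
        {
            return 0;
        }
        using (DirectorySearcher de = new DirectorySearcher(root))
        {
            de.Filter = BuildUserFilter(itcode);
            de.SearchScope = SearchScope.Subtree;
            using (SearchResultCollection sr = de.FindAll())
            {
                return sr.Count > 0 ? 1 : 0;
            }
        }
    }

    /// <summary>
    /// Changes a user's password given the old one (IADsUser::ChangePassword).
    /// </summary>
    /// <param name="itcode">Account name.</param>
    /// <param name="opwd">Current password.</param>
    /// <param name="npwd">New password.</param>
    /// <returns>1 on success, 0 when the user is not found or the change is rejected.</returns>
    public int ChangeUserPassword(string itcode, string opwd, string npwd)
    {
        if (root == null)
        {
            return 0;
        }
        SearchResult sr;
        using (DirectorySearcher de = new DirectorySearcher(root))
        {
            de.Filter = BuildUserFilter(itcode);
            de.SearchScope = SearchScope.Subtree;
            sr = de.FindOne();
        }
        if (sr == null)
        {
            return 0;
        }
        try
        {
            using (DirectoryEntry user = sr.GetDirectoryEntry())
            {
                user.Invoke("ChangePassword", new object[] { opwd, npwd });
                // The original committed and closed `root` here, which does nothing for `user`
                // and destroyed the shared admin bind for every later call on this instance.
                user.CommitChanges();
            }
            return 1;
        }
        catch (Exception)
        {
            return 0;
        }
    }

    /// <summary>
    /// 设置帐号密码 — administrative password reset (IADsUser::SetPassword), performed with the
    /// credentials of <paramref name="de"/>, i.e. the delegated administrator who logged in.
    /// </summary>
    /// <param name="de">Search root bound as the delegated administrator; must not be null.</param>
    /// <param name="sAMAccountName">用户帐号 — account whose password is reset.</param>
    /// <param name="newPassword">用户新密码 — the new password.</param>
    /// <returns>1 on success, 0 otherwise (no or ambiguous match, AD error, null entry).</returns>
    public int SetPasswordByAccount(DirectoryEntry de, string sAMAccountName, string newPassword)
    {
        // A null search root makes DirectorySearcher fall back to the process identity, so the
        // reset would run with the application pool's rights instead of the logged-in admin's.
        if (de == null || string.IsNullOrEmpty(sAMAccountName))
        {
            return 0;
        }
        try
        {
            using (DirectorySearcher deSearch = new DirectorySearcher(de))
            {
                deSearch.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeLdapFilterValue(sAMAccountName) + "))";
                using (SearchResultCollection results = deSearch.FindAll())
                {
                    // Zero or several matches: refuse rather than guess which account to reset.
                    if (results.Count != 1)
                    {
                        return 0;
                    }
                    using (DirectoryEntry alterUser = results[0].GetDirectoryEntry())
                    {
                        alterUser.AuthenticationType = AuthenticationTypes.Secure;
                        alterUser.Invoke("SetPassword", newPassword);
                        alterUser.CommitChanges();
                    }
                    return 1;
                }
            }
        }
        catch (Exception)
        {
            return 0;
        }
    }

    /// <summary>
    /// 根据用户帐号取得用户的 DirectoryEntry 对象 — finds a user by sAMAccountName using the
    /// administrator bind.
    /// </summary>
    /// <param name="sAMAccountName">用户帐号名 — account name.</param>
    /// <returns>The user's DirectoryEntry (bound with the admin credentials), or null when not found or on error.</returns>
    public static DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName)
    {
        if (string.IsNullOrEmpty(sAMAccountName))
        {
            return null;
        }
        DirectoryEntry de = GetDirectoryObject();
        try
        {
            using (DirectorySearcher deSearch = new DirectorySearcher(de))
            {
                deSearch.Filter = BuildUserFilter(sAMAccountName);
                deSearch.SearchScope = SearchScope.Subtree;
                SearchResult result = deSearch.FindOne();
                if (result == null)
                {
                    return null;
                }
                // The original re-bound with `new DirectoryEntry(result.Path)`, which drops the admin
                // credentials the search was made with and leaves the caller on the process identity.
                return result.GetDirectoryEntry();
            }
        }
        catch (Exception)
        {
            return null;
        }
        finally
        {
            de.Dispose();
        }
    }

    /// <summary>
    /// 获得DirectoryEntry对象实例,以管理员登陆AD — new DirectoryEntry at <see cref="ADPath"/> bound as the administrator.
    /// </summary>
    private static DirectoryEntry GetDirectoryObject()
    {
        return new DirectoryEntry(ADPath, ADUser, ADPassword, AuthenticationTypes.Secure);
    }

    /// <summary>
    /// New DirectoryEntry at <see cref="ADPath"/> bound with the given credentials.
    /// Note that constructing a DirectoryEntry does not contact the server; the credentials are
    /// only checked when the entry is first used (e.g. RefreshCache or a search).
    /// </summary>
    /// <param name="userName">Account, e.g. "DOMAIN\user".</param>
    /// <param name="password">Password; an empty password is refused so no anonymous bind can slip through.</param>
    /// <exception cref="ArgumentException">userName or password is null or empty.</exception>
    public static DirectoryEntry GetDirectoryObject(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
        {
            throw new ArgumentException("userName and password are required");
        }
        // userName = DomainName + "\\" + userName;  (original note: callers currently prefix the domain themselves)
        return new DirectoryEntry(ADPath, userName, password, AuthenticationTypes.Secure);
    }

    /// <summary>
    /// Loads the members of the configured delegated group (<see cref="ADGroupName"/>) into <see cref="adminlist"/>.
    /// </summary>
    public static void GetGroupUserList()
    {
        adminlist = GetGroupUserList(ADGroupName);
    }

    /// <summary>
    /// Returns the CN of every direct member of the named group. The search uses the process
    /// identity (no explicit credentials), as in the original.
    /// </summary>
    /// <param name="groupname">CN of the group.</param>
    /// <returns>CNs of the members; empty when the group is not found or the name is empty.</returns>
    public static ArrayList GetGroupUserList(string groupname)
    {
        ArrayList members = new ArrayList();
        if (string.IsNullOrEmpty(groupname))
        {
            return members;
        }
        using (DirectoryEntry entry = new DirectoryEntry(ADPath))
        using (DirectorySearcher mySearcher = new DirectorySearcher(entry))
        {
            mySearcher.Filter = "(&(&(objectCategory=group)(objectClass=group))(CN=" + EscapeLdapFilterValue(groupname) + "))";
            SearchResult results = mySearcher.FindOne();
            if (results == null)
            {
                return members;
            }
            using (DirectoryEntry dirEntry = new DirectoryEntry(results.Path))
            {
                foreach (object member in dirEntry.Properties["member"])
                {
                    // Each value is a DN like "CN=name,OU=...": take the value of the leading RDN.
                    // This is the CN, not the sAMAccountName, and a CN containing an escaped comma
                    // ("\,") is truncated here — same parsing as the original.
                    string cnuser = member.ToString().Split(',')[0].Split('=')[1];
                    members.Add(cnuser);
                }
            }
        }
        return members;
    }

    /// <summary>
    /// Retained from the original (the "_error" suffix is the author's). As written it binds as the
    /// administrator and writes the userPassword attribute of the entry at <see cref="ADPath"/> itself;
    /// <paramref name="itcode"/> and <paramref name="opwd"/> are not used. Prefer
    /// <see cref="ChangeUserPassword"/> or <see cref="SetPasswordByAccount"/>.
    /// </summary>
    /// <returns>1 when CommitChanges succeeds, 0 on any exception.</returns>
    public int ChangeUserPassword_error(string itcode, string opwd, string npwd)
    {
        try
        {
            using (DirectoryEntry rootUser = new DirectoryEntry(ADPath, ADUser, ADPassword, AuthenticationTypes.None))
            {
                rootUser.Properties["userPassword"].Value = npwd;
                rootUser.CommitChanges();
            }
            return 1;
        }
        catch (Exception)
        {
            return 0;
        }
    }
}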
}
主要添加了以下代码:
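/// <summary>
/// New DirectoryEntry at ADPath bound with the given credentials.
/// Constructing a DirectoryEntry does not contact the server; the credentials are only
/// checked when the entry is first used (e.g. RefreshCache or a search).
/// </summary>
/// <param name="userName">Account, e.g. "DOMAIN\user".</param>
/// <param name="password">Password; an empty password is refused so no anonymous bind can slip through.</param>
/// <exception cref="ArgumentException">userName or password is null or empty.</exception>
public static DirectoryEntry GetDirectoryObject(string userName, string password)
{
    if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
    {
        throw new ArgumentException("userName and password are required");
    }
    // userName = DomainName + "\\" + userName;  (original note: callers currently prefix the domain themselves)
    return new DirectoryEntry(ADPath, userName, password, AuthenticationTypes.Secure);
}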
同时添加以下参数;实现用户的权限分配;
该功能通过提取groupname组内的用户进行验证,并且groupname组内的用户有权限重置用户的密码。
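/// <summary>
/// Returns the CN of every direct member of the named group. The search uses the process
/// identity (no explicit credentials). The value of groupname comes from configuration or the
/// caller, so it is escaped before being placed in the LDAP filter.
/// (The listing on this page stopped before the method's closing lines; they are restored here.)
/// </summary>
/// <param name="groupname">CN of the group.</param>
/// <returns>CNs of the members; empty when the group is not found or the name is empty.</returns>
public static ArrayList GetGroupUserList(string groupname)
{
    ArrayList adminlist = new ArrayList();
    if (string.IsNullOrEmpty(groupname))
    {
        return adminlist;
    }
    // RFC 4515 filter escaping; backslash first so the escapes themselves are not re-escaped.
    string safeGroup = groupname.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    using (DirectoryEntry entry = new DirectoryEntry(ADPath))
    using (DirectorySearcher mySearcher = new DirectorySearcher(entry))
    {
        mySearcher.Filter = "(&(&(objectCategory=group)(objectClass=group))(CN=" + safeGroup + "))";
        SearchResult results = mySearcher.FindOne();
        if (results == null)
        {
            return adminlist;
        }
        using (DirectoryEntry dirEntry = new DirectoryEntry(results.Path))
        {
            foreach (object member in dirEntry.Properties["member"])
            {
                // Each value is a DN like "CN=name,OU=...": take the value of the leading RDN.
                // This is the CN, not the sAMAccountName, and a CN containing an escaped comma
                // ("\,") is truncated here.
                string cnuser = member.ToString().Split(',')[0].Split('=')[1];
                adminlist.Add(cnuser);
            }
        }
    }
    return adminlist;
}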
再次通过变量来完成用户组的指定,方便操作。
用户组的变量在web.config配置文件中应用:
ADGroupName 指定 resetpwd 这个用户组:
<add key="ADGroupName" value="resetpwd" />
并且对用户的操作通过log进行登记,log日志文件将放在d:\iis\changepwd\resetlog.txt下
<add key="LogFile" value="d:\\IIS\\ChangPwd\\resetlog.txt" />
然后在,homecontroller.cs文件下添加登陆名称:
添加登录认证窗口
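/// <summary>
/// Authenticates a delegated administrator for the password-reset page. The account must be
/// listed in ADOperator.adminlist (the delegated group's members) and the supplied password
/// must actually bind against AD; on success the bound DirectoryEntry is kept in
/// Session["admin"] for SetPassword. Result codes follow the page's convention:
/// "SU" = success, "CS" = credentials rejected / AD error, "" = not a delegated user.
/// (The listing on this page stopped before the method's closing lines; they are restored here.)
/// </summary>
public void LoginAutheration()
{
    string Rs = "";
    string username = Request["username"];
    string password = Request["password"];
    // adminlist holds the members' CNs (see ADOperator.GetGroupUserList) and ArrayList.Contains
    // is case-sensitive, so the form value has to match the CN exactly.
    if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password)
        && ADOperator.adminlist != null && ADOperator.adminlist.Contains(username))
    {
        try
        {
            DirectoryEntry de = ADOperator.GetDirectoryObject(@"iiosoft\" + username, password);
            // Constructing a DirectoryEntry does not contact the server and never returns null,
            // so the original `if (de != null)` accepted any password. Force the bind here so a
            // wrong password raises and is reported as "CS".
            de.RefreshCache();
            Session["admin"] = de;
            Rs = "SU";
        }
        catch (Exception)
        {
            Rs = "CS";
        }
    }
    // The original listing ends here; how Rs is returned to the browser is not shown.
}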
登录窗口设置:
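@{
    ViewBag.Title = "Login";
    Layout = "~/Views/Shared/_LayoutView.cshtml";
}
@section head{
    <script src="@Url.Content("~/Scripts/home.js")" type="text/javascript"></script>
}
<div id="contactArea">
</div>
<div class="pcontent">
    <div class="pstep02">
        <b>登陆</b></div>
    <!--div class="pstep03">
    Change your password</!--div>
    <div class="pstep04">
    A strong password helps prevent</div-->
    <ul class="ulstep">
        <li><b> Admin Account</b> </li>
        <li>
            <input name="" id="username" type="text" class="a01input" /></li>
        <li class="liTOP" style="position: relative"><b> password</b> </li>
        <li>
            @* The original rendered this as type="text", showing the administrator's password on screen. *@
            <input name="" id="password" type="password" autocomplete="off" class="a01input" />
        </li>
    </ul>
    <div class="topw">
        <input type="button" id="adminLogin" value="Login" class="btnSave" /> <input type="button" id="adminCancel" value="Cancel" class="btnCancel" /></div>
    <!--div id="Loading3" style="display: none">
    <img src="../img/grid-loading.gif" /><span id="sProcess3">更新密码中,请稍后...</span>
    </div-->
</div>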
然后最后修改控制配置文件:
将会在本地的IIS2路径下生成userlog.txt文件,用于记录认证用户的重置操作;
格式显示年-月-日—时间
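/// <summary>
/// Resets the password of the account named in the request, using the DirectoryEntry that
/// LoginAutheration stored in Session["admin"], then pushes the same password to Domino and
/// writes an audit line. Result codes follow the page's convention: "CS" = reset done,
/// "FA" = reset failed or no logged-in administrator, "" = target account not found.
/// (The listing on this page stopped before the method's closing lines; they are restored here.)
/// </summary>
public void SetPassword()
{
    string Rs = "";
    string sItCode = Request["sItCode"];
    string sNewPwd = Request["sNewPwd"];
    // Authorization check: without a bound admin entry the reset must not run at all. Passing a
    // null entry into SetPasswordByAccount would make DirectorySearcher fall back to the process
    // (application pool) identity, i.e. the reset would run without anyone having logged in.
    DirectoryEntry de = Session["admin"] as DirectoryEntry;
    if (de == null)
    {
        Rs = "FA";
    }
    else
    {
        ADOperator ao = new ADOperator();
        try
        {
            int y = ao.IsUserExistsByAccount(sItCode);
            if (y == 1)
            {
                int z = ao.SetPasswordByAccount(de, sItCode, sNewPwd);
                if (z == 1)
                {
                    Rs = "CS";
                    //调用Domino密码修改
                    changeDominoPwd(sItCode, sNewPwd);
                }
                else
                {
                    Rs = "FA";
                }
                // Username is "DOMAIN\user" when a prefix was used; the original Split('\\')[1]
                // threw when there was none.
                string admin = de.Username ?? "";
                int sep = admin.IndexOf('\\');
                if (sep >= 0)
                {
                    admin = admin.Substring(sep + 1);
                }
                // sItCode comes straight from the request: strip line breaks so a crafted value
                // cannot forge extra lines in the audit log.
                string target = (sItCode ?? "").Replace("\r", " ").Replace("\n", " ");
                string stamp = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
                string log = z == 1
                    ? stamp + " 管理员:" + admin + " 已重置用户密码: " + target
                    : stamp + " 管理员:" + admin + " 重置用户密码失败: " + target;
                // Failed attempts are recorded too, so the log shows who tried, not only who succeeded.
                Logger.CheckLog(log);
            }
        }
        finally
        {
            ao.dispose();
        }
    }
    // The original listing ends here; how Rs is returned to the browser is not shown.
}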
现在开始测试,先进行登录测试;
重置密码前的管理员需要做验证。在此我通过user02验证。
验证成功后,管理员user02重置user01的密码:-----123456a
接下来就是测试域账户是否被重置,同时需要测试user02的domino的internet是否也被重置;通过远程桌面登陆是否重置成功
重置成功后,成功登陆
接下来测试user01的邮箱密码,再次通过telnet尝试登陆验证;
也通过验证,证明密码同时也被成功重置
接下来我们查看重置记录:
重置记录:2014-01-03 11:08:53 管理员:user02 已重置用户密码: user01
再次查看domino密码重置记录
如果需要源代码的可以联系我或者下载中心下载