前面的文件咱们分别介绍了,通过web方式重置domino邮箱用户的internet密码、web方式重置域密码等功能及重置域密码后台重置domino密码的internet,来保证域密码和邮箱密码统一性;
因为作为管理员来说重置密码是家常便饭,但是安全也是必需考虑的,怎么说呢,比如管理员故意找某些用户的问题,重置用户密码导致不能正常使用,甚至更严重的是,老板的密码被重置了,后果非常严重,老板会问我的密码前一段时间自己更改过,怎么密码突然就不对了,然后老板会问,帮忙查一下,到底是怎么回事,那作为IT部门的责任人会怎么做呢,无从查找,那今天主要介绍,为了防止上面的问题发生,需要做对用户的操作记录通过日志的形式登记,第二:就是通过权限设置对web方式重置页面进行权限控制;具体见下:
目的:
委派指定的用户通过web方式对用户进行密码重置,重置的过程中domino的internet密码也被修改,达到密码统一性,同时对委派的用户进行重置记录的log形式登记
操作步骤:
1.创建委派用户的用户组(restpwd),将权限委派给普通组内的用户,通过提取组内的用户进行验证登陆及重置工作;将重置密码的权限委派个user01、user02、同时将该用户添加到组即可。
2.创建登陆及验证页面及权限控制
3.对用户的重置记录做log形式的登记。
1. 创建用户组resetpwd
2.创建登陆界面借权限控制
首先呢,还是在原有的功能上进行修改(源代码本人博客的附件中,可以通过自己的真实环境下使用,通过修改自己需要的域名即可);、
首先在models下创建登陆界面试图;并且添加脚本内容;
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
using
System;
using
System.Collections.Generic;
using
System.Configuration;
using
System.IO;
using
System.Linq;
using
System.Web;
namespace
ChangePassword.Models
{
public
class
Logger
{
private
static
string LogFile = ConfigurationManager.AppSettings[
"LogFile"
].ToString();
public
static
void
CheckLog(string Log)
{
if
(File.Exists(LogFile))
{
WriteLog(Log);
}
else
{
CreateLog();
WriteLog(Log);
}
}
private
static
void
CreateLog()
{
StreamWriter SW;
SW = File.CreateText(LogFile);
SW.Close();
}
private
static
void
WriteLog(string Log)
{
using
(StreamWriter SW = File.AppendText(LogFile))
{
SW.WriteLine(Log);
SW.Close();
}
}
}
}
|
接下来添加配置文件,该文件需要在ADOperator.cs下添加:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
|
using
System;
using
System.Collections.Generic;
using
System.Linq;
using
System.Web;
using
System.DirectoryServices;
using
System.Runtime.InteropServices;
using
System.Security.Principal;
using
System.Configuration;
using
System.Collections;
namespace
ChangePassword.Models
{
public
class
ADOperator
{
///
///域名
///
private
static
string DomainName = ConfigurationManager.AppSettings[
"DomainName"
].ToString();
///
/// LDAP 地址
///
private
static
string LDAPDomain = ConfigurationManager.AppSettings[
"LDAPDomain"
].ToString();
///
/// LDAP绑定路径
///
private
static
string ADPath = ConfigurationManager.AppSettings[
"ConnectionLDAP"
].ToString();
///
///管理员登录帐号
///
private
static
string ADUser = ConfigurationManager.AppSettings[
"LDAPAdminUser"
].ToString();
///
///管理员登录密码
///
private
static
string ADPassword = ConfigurationManager.AppSettings[
"LDAPAdminPwd"
].ToString();
private
static
string ADGroupName = ConfigurationManager.AppSettings[
"ADGroupName"
].ToString();
public
static
ArrayList adminlist = null;
private
static
DirectoryEntry root = null;
//private static DirectorySearcher searcher = null;
//private static SearchResultCollection results = null;
public
ADOperator()
{
root =
new
DirectoryEntry(ADPath, ADUser, ADPassword, AuthenticationTypes.Secure);
//searcher = new DirectorySearcher(root);
//searcher.PropertiesToLoad.Add("cn");
//searcher.PropertiesToLoad.Add("DisplayName");
//searcher.PropertiesToLoad.Add("mail");
//searcher.PropertiesToLoad.Add("SAMAccountName");
//searcher.PropertiesToLoad.Add("Department");
//searcher.PropertiesToLoad.Add("userPassword");
//searcher.Filter = "(objectcategory=user)";
//searcher.SearchScope = SearchScope.Subtree;
//searcher.SizeLimit = Int32.MaxValue;
//searcher.PageSize = 1000;
//searcher.Sort = new SortOption("SAMAccountName", System.DirectoryServices.SortDirection.Ascending);
//results = searcher.FindAll();
}
/// <summary>
/// 释放占用资源
/// </summary>
public
void
dispose()
{
root.Dispose();
root = null;
//searcher.Dispose();
//searcher = null;
//results.Dispose();
//results = null;
GC.Collect();
GC.WaitForPendingFinalizers();
}
public
int
Login(string itcode, string pwd)
{
// 这个地方改一下。。 域名
itcode =
"iiosoft\\"
+ itcode;
DirectoryEntry rootUser =
new
DirectoryEntry(ADPath, itcode, pwd, AuthenticationTypes.None);
DirectorySearcher deSearch =
new
DirectorySearcher(rootUser);
deSearch.Filter =
"(&(&(objectCategory=person)(objectClass=user))(sAMAccountName="
+ itcode +
"))"
;
try
{
SearchResult rs = deSearch.FindOne();
rootUser.Dispose();
rootUser = null;
deSearch.Dispose();
deSearch = null;
rs = null;
return
1;
}
catch
{
rootUser.Dispose();
rootUser = null;
deSearch.Dispose();
deSearch = null;
return
0;
}
}
public
int
IsUserExistsByAccount(string itcode)
{
DirectorySearcher de =
new
DirectorySearcher(root);
de.Filter =
"(&(&(objectCategory=person)(objectClass=user))(sAMAccountName="
+ itcode +
"))"
;
de.SearchScope = SearchScope.Subtree;
SearchResultCollection sr = de.FindAll();
if
(sr.Count > 0)
{
return
1;
}
else
{
return
0;
}
//foreach (SearchResult result in results)
//{
// DirectoryEntry entry = result.GetDirectoryEntry();
// if (result.Properties["SAMAccountName"][0].ToString().ToUpper() == itcode.ToString().ToUpper())
// {
// return 1;
// }
//}
//return 0;
}
public
int
ChangeUserPassword(string itcode, string opwd, string npwd)
{
DirectorySearcher de =
new
DirectorySearcher(root);
de.Filter =
"(&(&(objectCategory=person)(objectClass=user))(sAMAccountName="
+ itcode +
"))"
;
de.SearchScope = SearchScope.Subtree;
SearchResult sr = de.FindOne();
DirectoryEntry user = sr.GetDirectoryEntry();
try
{
user.Invoke(
"ChangePassword"
,
new
object[] { opwd, npwd });
root.CommitChanges();
root.Close();
return
1;
}
catch
{
return
0;
}
}
///设置帐号密码,管理员可以通过它来修改指定帐号的密码。
///
///用户帐号
///用户新密码
public
int
SetPasswordByAccount(DirectoryEntry de,string sAMAccountName, string newPassword)
{
//try
//{
// DirectoryEntry de = GetDirectoryEntryByAccount(sAMAccountName);
// // 模拟超级管理员,以达到有权限修改用户密码
// IdentityImpersonation impersonate = new IdentityImpersonation(ADUser, ADPassword, DomainName);
// impersonate.BeginImpersonate();
// de.AuthenticationType = AuthenticationTypes.Secure;
// //de.Properties["userPassword"].Value = newPassword;
// de.Invoke("SetPassword", new object[] { newPassword });
// de.CommitChanges();
// impersonate.StopImpersonate();
// de.Close();
//}
//catch (Exception ex)
//{
// throw;
//}
int
flag = 0;
try
{
// DirectoryEntry de = new DirectoryEntry();
//DirectoryEntry de = GetDirectoryObject();
//de.Path = "";
//de.AuthenticationType = AuthenticationTypes.Secure;
DirectorySearcher deSearch =
new
DirectorySearcher(de);
deSearch.Filter =
"(&(objectClass=user) (SAMAccountName="
+ sAMAccountName +
"))"
;
//类型Type为user
SearchResultCollection results = deSearch.FindAll();
if
(results.Count == 1)
{
foreach (SearchResult OneSearchResult in results)
{
DirectoryEntry AlterUser = OneSearchResult.GetDirectoryEntry();
AlterUser.AuthenticationType = AuthenticationTypes.Secure;
AlterUser.Invoke(
"SetPassword"
, newPassword);
AlterUser.CommitChanges();
AlterUser.Close();
}
flag = 1;
}
}
catch
(Exception ex)
{
flag = 0;
}
return
flag;
}
///
///根据用户帐号称取得用户的 对象
///
///用户帐号名
///如果找到该用户,则返回用户的 对象;否则返回 null
public
static
DirectoryEntry GetDirectoryEntryByAccount(string sAMAccountName)
{
DirectoryEntry de = GetDirectoryObject();
DirectorySearcher deSearch =
new
DirectorySearcher(de);
deSearch.Filter =
"(&(&(objectCategory=person)(objectClass=user))(sAMAccountName="
+ sAMAccountName +
"))"
;
deSearch.SearchScope = SearchScope.Subtree;
try
{
SearchResult result = deSearch.FindOne();
de =
new
DirectoryEntry(result.Path);
return
de;
}
catch
{
return
null;
}
}
///
///获得DirectoryEntry对象实例,以管理员登陆AD
///
///
private
static
DirectoryEntry GetDirectoryObject()
{
DirectoryEntry entry =
new
DirectoryEntry(ADPath, ADUser, ADPassword, AuthenticationTypes.Secure);
return
entry;
}
public
static
DirectoryEntry GetDirectoryObject(string userName, string password)
{
// userName = DomainName + "\\" + userName;
DirectoryEntry entry =
new
DirectoryEntry(ADPath, userName, password, AuthenticationTypes.Secure);
return
entry;
}
public
static
void
GetGroupUserList()
{
adminlist =
new
ArrayList();
DirectoryEntry entry =
new
DirectoryEntry(ADPath);
DirectorySearcher mySearcher =
new
DirectorySearcher(entry);
mySearcher.Filter =
"(&(&(objectCategory=group)(objectClass=group))(CN="
+ ADGroupName +
"))"
;
//("(objectClass=organizationalUnit)");
SearchResult results = mySearcher.FindOne();
string grouppath =
""
;
if
(results != null)
{
grouppath = results.Path;
DirectoryEntry dirEntry =
new
DirectoryEntry(grouppath);
PropertyCollection propertyCollection = dirEntry.Properties;
int
count = propertyCollection[
"member"
].Count;
for
(
int
i = 0; i < count; i++)
{
string respath = results.Path;
string[] pathnavigate = respath.Split(
"CN"
.ToCharArray());
respath = pathnavigate[0];
string objpath = propertyCollection[
"member"
][i].ToString();
string cnuser = objpath.Split(
','
)[0].Split(
'='
)[1];
if
(cnuser!=null)
{
adminlist.Add(cnuser);
}
//string path = respath + objpath;
//DirectoryEntry user = new DirectoryEntry(path, LDAPUser, LDAPPassword);
}
}
//return adminlist;
}
public
static
ArrayList GetGroupUserList(string groupname)
{
ArrayList adminlist =
new
ArrayList();
DirectoryEntry entry =
new
DirectoryEntry(ADPath);
DirectorySearcher mySearcher =
new
DirectorySearcher(entry);
mySearcher.Filter =
"(&(&(objectCategory=group)(objectClass=group))(CN="
+ groupname +
"))"
;
//("(objectClass=organizationalUnit)");
SearchResult results = mySearcher.FindOne();
string grouppath =
""
;
if
(results != null)
{
grouppath = results.Path;
DirectoryEntry dirEntry =
new
DirectoryEntry(grouppath);
PropertyCollection propertyCollection = dirEntry.Properties;
int
count = propertyCollection[
"member"
].Count;
for
(
int
i = 0; i < count; i++)
{
string respath = results.Path;
string[] pathnavigate = respath.Split(
"CN"
.ToCharArray());
respath = pathnavigate[0];
string objpath = propertyCollection[
"member"
][i].ToString();
string cnuser = objpath.Split(
','
)[0].Split(
'='
)[1];
adminlist.Add(cnuser);
string path = respath + objpath;
//DirectoryEntry user = new DirectoryEntry(path, LDAPUser, LDAPPassword);
}
}
return
adminlist;
}
public
int
ChangeUserPassword_error(string itcode, string opwd, string npwd)
{
//itcode = "iiosoft\\" + itcode;
DirectoryEntry rootUser =
new
DirectoryEntry(ADPath, ADUser, ADPassword, AuthenticationTypes.None);
try
{
//rootUser.Invoke("ChangePassword", new Object[] { opwd, npwd });
rootUser.Properties[
"userPassword"
].Value = npwd;
rootUser.CommitChanges();
rootUser.Close();
rootUser.Dispose();
rootUser = null;
return
1;
}
catch
{
rootUser.Close();
rootUser.Dispose();
rootUser = null;
return
0;
}
}
}
}
|
主要添加了以下代码:
|
1
2
3
4
5
6
|
public
static
DirectoryEntry GetDirectoryObject(string userName, string password)
{
// userName = DomainName + "\\" + userName;
DirectoryEntry entry =
new
DirectoryEntry(ADPath, userName, password, AuthenticationTypes.Secure);
return
entry;
}
|
同时添加以下参数;实现用户的权限分配;
该功能通过提取groupname内的用户进行验证,并且gourpname内的用户有权限对用户的密码有重置权限。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
public
static
ArrayList GetGroupUserList(string groupname)
{
ArrayList adminlist =
new
ArrayList();
DirectoryEntry entry =
new
DirectoryEntry(ADPath);
DirectorySearcher mySearcher =
new
DirectorySearcher(entry);
mySearcher.Filter =
"(&(&(objectCategory=group)(objectClass=group))(CN="
+ groupname +
"))"
;
//("(objectClass=organizationalUnit)");
SearchResult results = mySearcher.FindOne();
string grouppath =
""
;
if
(results !=
null
)
{
grouppath = results.Path;
DirectoryEntry dirEntry =
new
DirectoryEntry(grouppath);
PropertyCollection propertyCollection = dirEntry.Properties;
int
count = propertyCollection[
"member"
].Count;
for
(
int
i =
0
; i < count; i++)
{
string respath = results.Path;
string[] pathnavigate = respath.Split(
"CN"
.ToCharArray());
respath = pathnavigate[
0
];
string objpath = propertyCollection[
"member"
][i].ToString();
string cnuser = objpath.Split(
','
)[
0
].Split(
'='
)[
1
];
adminlist.Add(cnuser);
string path = respath + objpath;
//DirectoryEntry user = new DirectoryEntry(path, LDAPUser, LDAPPassword);
}
}
|
·再次通过变量来完成用户组的指定,方便操作。
用户组的变量在web.config配置文件中应用:
|
1
2
|
ADgroup=respwd这个用户组:
<add key=
"ADGroupName"
value=
"resetpwd"
/>
|
并且对用户的操作通过log进行登记,log日志文件将放在d:\iis\changepwd\resetlog.txt下
|
1
|
<add key=
"LogFile"
value=
"d:\\IIS\\ChangPwd\\resetlog.txt"
/>
|
然后在,homecontroller.cs文件下添加登陆名称:
添加登陆认证桌面窗口
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
public
void
LoginAutheration()
{
string Rs =
""
;
string username = Request[
"username"
];
string password = Request[
"password"
];
if
(ADOperator.adminlist!=
null
&& ADOperator.adminlist.Contains(username))
{
try
{
DirectoryEntry de = ADOperator.GetDirectoryObject(@"iiosoft\" + username, password);
if
(de.Name !=
null
)
{
// DirectoryEntry de = ADHelper.GetDirectoryObject(username, password);
//SetPasswordByAccount(de, "user01", "123456abc");
///changeDominoPwd("user01", "123456abc");
Session[
"admin"
] = de;
Rs =
"SU"
;
}
}
catch
(Exception)
{
Rs =
"CS"
;
}
}
|
登陆窗口设置;
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
@{
ViewBag.Title =
"Login"
;
Layout =
"~/Views/Shared/_LayoutView.cshtml"
;
}
@section head{
<script src=
"@Url.Content("
~/Scripts/home.js
")"
type=
"text/javascript"
></script>
}
<div id=
"contactArea"
>
</div>
<div
class
=
"pcontent"
>
<div
class
=
"pstep02"
>
<b>登陆</b></div>
<!--div
class
=
"pstep03"
>
Change your password</!--div>
<div
class
=
"pstep04"
>
A strong password helps prevent</div-->
<ul
class
=
"ulstep"
>
<li><b> Admin Account</b> </li>
<li>
<input name=
""
id=
"username"
type=
"text"
class
=
"a01input"
/></li>
<li
class
=
"liTOP"
style=
"position: relative"
><b> password</b> </li>
<li>
<input name=
""
id=
"password"
type=
"text"
class
=
"a01input"
/>
</li>
</ul>
<div
class
=
"topw"
>
<input type=
"button"
id=
"adminLogin"
value=
"Login"
class
=
"btnSave"
/> <input type=
"button"
id=
"adminCancel"
value=
"Cancel"
class
=
"btnCancel"
/></div>
<!--div id=
"Loading3"
style=
"display: none"
>
<img src=
"../img/grid-loading.gif"
/><span id=
"sProcess3"
>更新密码中,请稍后...</span>
</div-->
</div>
|
然后最后修改控制配置文件:
将会在本地的IIS2路径下生成userlog.txt文件,通过记录认证用户的重置记录;
格式显示年-月-日—时间
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
public
void
SetPassword()
{
string Rs =
""
;
string sItCode = Request[
"sItCode"
];
string sNewPwd = Request[
"sNewPwd"
];
ADOperator ao =
new
ADOperator();
int
y = ao.IsUserExistsByAccount(sItCode);
if
(y ==
1
)
{
DirectoryEntry de = (DirectoryEntry)Session[
"admin"
];
int
z = ao.SetPasswordByAccount(de,sItCode, sNewPwd);
if
(z ==
1
)
{
Rs =
"CS"
;
//调用Domino密码修改
changeDominoPwd(sItCode, sNewPwd);
string log = DateTime.Now.ToString(
"yyyy-MM-dd HH:mm:ss"
)+
" 管理员:"
+ de.Username.Split(
'\\'
)[
1
] +
" 已重置用户密码: "
+ sItCode;
Logger.CheckLog(log);
// System.IO.File.AppendAllText("d:\\IIS2\\userlog.txt", log, Encoding.Default);
}
else
{
Rs =
"FA"
;
}
}
|
现在开始测试,进行登陆测试;
重置密码前的管理员需要做验证。在此我通过user02验证。
验证成功后,管理员user02重置user01的密码:-----123456a
接下来就是测试域账户是否被重置,同时需要测试user02的domino的internet是否也被重置;通过远程桌面登陆是否重置成功
重置成功后,成功登陆
接下来测试user01的邮箱密码,再次通过telnet尝试登陆验证;
也通过验证,证明密码同时也被成功重置
接连下我们查看重置记录:
重置记录:2014-01-03 11:08:53 管理员:user02 已重置用户密码: user01
再次查看domino密码重置记录
如果需要源代码的可以联系我或者下载中心下载
本文转自 高文龙 51CTO博客,原文链接:http://blog.51cto.com/gaowenlong/1348071,如需转载请自行联系原作者
