using System.DirectoryServices.AccountManagement;
/// <summary>
/// Entry point: exercises <c>VerifyCredential</c> once with a fixed sample credential.
/// </summary>
public static void Main()
{
    // The user-name argument contains '=' (so Parse classifies it as a DistinguishedName) and ')',
    // and VerifyCredential interpolates the resulting Name into its LDAP search filter without escaping.
    VerifyCredential("test)=x", "test");
}
/// <summary>
/// An LDAP identity: a name together with the <see cref="IdentityType"/> that says how the name is
/// expressed (SamAccountName, UserPrincipalName, DistinguishedName or a plain Name).
/// </summary>
public class LdapIdentity
// The identity value. When produced by Parse it is lower-cased and has any "DOMAIN\" prefix removed;
// it is stored verbatim, with no LDAP filter escaping applied.
public string Name { get; set; }
// How Name is to be interpreted (which directory attribute it should be matched against).
public IdentityType Type { get; set; }
// NOTE(review): these are arms of a switch over Type; judging by the usage `user.TypeName` in
// VerifyCredential this is the TypeName member that yields the directory attribute to filter on.
// The member signature, the switch header and any default arm are not present in this listing.
case IdentityType.DistinguishedName:
return "distinguishedName";
// NOTE(review): as listed, SamAccountName has no return of its own and falls through to the
// UserPrincipalName arm, so both would map to "userPrincipalName" — almost certainly a line lost
// from the listing rather than the intended mapping; confirm against the original file.
case IdentityType.SamAccountName:
case IdentityType.UserPrincipalName:
return "userPrincipalName";
/// <summary>
/// Parses a raw user name ("DOMAIN\user", "user@suffix", a DN, or a bare account name) into an
/// <see cref="LdapIdentity"/>. A bare name is classified as SamAccountName.
/// </summary>
/// <param name="name">The raw user name; must not be null or empty.</param>
/// <returns>The classified identity, with Name lower-cased and any "DOMAIN\" prefix removed.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="name"/> is null or empty.</exception>
public static LdapIdentity ParseUser(string name) => Parse(name, isUser: true);
/// <summary>
/// Parses a raw group name ("DOMAIN\group", a DN, or a bare group name) into an
/// <see cref="LdapIdentity"/>. A bare name is classified as <c>IdentityType.Name</c>.
/// </summary>
/// <param name="name">The raw group name; must not be null or empty.</param>
/// <returns>The classified identity, with Name lower-cased and any "DOMAIN\" prefix removed.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="name"/> is null or empty.</exception>
public static LdapIdentity ParseGroup(string name) => Parse(name, isUser: false);
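/// <summary>
/// Converts a DNS domain name such as "corp.example.com" (optionally followed by ":port") into the
/// matching domain DN, e.g. "DC=corp,DC=example,DC=com".
/// </summary>
/// <param name="name">The fully-qualified domain name; must not be null or empty.</param>
/// <returns>A <see cref="LdapIdentity"/> of type DistinguishedName.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="name"/> is null or empty.</exception>
public static LdapIdentity FqdnToDn(string name)
{
    if (string.IsNullOrEmpty(name))
    {
        throw new ArgumentNullException(nameof(name));
    }

    // Strip an optional ":port" suffix. Only do so when a colon is present: an unconditional
    // Substring(0, IndexOf(":")) throws ArgumentOutOfRangeException for a plain host name, which is
    // exactly what the default Configuration.Domain value is.
    var portIndex = name.IndexOf(':');
    var host = portIndex >= 0 ? name.Substring(0, portIndex) : name;

    // One "DC=" RDN per DNS label, in the same order (left-most label first).
    var labels = host.Split(new[] { '.' }, StringSplitOptions.RemoveEmptyEntries);
    var dn = string.Join(",", labels.Select(label => $"DC={label}"));
    return new LdapIdentity { Name = dn, Type = IdentityType.DistinguishedName };
}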
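/// <summary>
/// Reduces a DN to its naming-context part by keeping only the "DC=" RDNs, e.g.
/// "CN=alice,OU=users,DC=corp,DC=example" -> "DC=corp,DC=example".
/// </summary>
/// <param name="dn">The distinguished name; must not be null. An empty string yields an empty Name.</param>
/// <returns>A <see cref="LdapIdentity"/> of type DistinguishedName holding the DC components, original casing kept.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="dn"/> is null.</exception>
public static LdapIdentity BaseDn(string dn)
{
    if (dn == null)
    {
        // Previously surfaced as a NullReferenceException from Split.
        throw new ArgumentNullException(nameof(dn));
    }

    var rdns = dn.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    // RDN attribute types are case-insensitive; an ordinal ignore-case prefix test replaces the
    // culture-sensitive ToLower()+StartsWith pair and does not allocate a lower-cased copy.
    var domainComponents = rdns.Where(rdn => rdn.StartsWith("dc=", StringComparison.OrdinalIgnoreCase));
    return new LdapIdentity { Type = IdentityType.DistinguishedName, Name = string.Join(",", domainComponents) };
}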
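/// <summary>
/// Classifies a raw account or group name and normalises it: lower-cases it, drops a leading
/// "DOMAIN\" prefix, and picks the <see cref="IdentityType"/> purely from the characters present.
/// </summary>
/// <param name="name">Raw name: "DOMAIN\name", "name@suffix", a DN ("cn=...,dc=...") or a bare name.</param>
/// <param name="isUser">True when a bare name denotes a user (SamAccountName); false for a group (Name).</param>
/// <returns>The normalised identity. Name is returned verbatim apart from the lower-casing and prefix removal.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="name"/> is null or empty.</exception>
private static LdapIdentity Parse(string name, bool isUser)
{
    if (string.IsNullOrEmpty(name))
    {
        throw new ArgumentNullException(nameof(name));
    }

    // Directory identifiers are machine data: use the invariant culture so that, e.g., 'I' is not
    // lower-cased to a dotless i under tr-TR (culture-sensitive ToLower()).
    var identity = name.ToLowerInvariant();

    // Remove a "DOMAIN\" prefix. With no backslash IndexOf yields -1 and Substring(0) keeps everything.
    var separator = identity.IndexOf('\\');
    identity = identity.Substring(separator + 1);

    // Classification is syntactic only: '=' => DN, '@' => UPN, otherwise the bare-name default.
    // The value is NOT escaped for use inside an LDAP search filter; a caller that interpolates Name
    // into a filter must first escape the RFC 4515 metacharacters ( ) * \ and NUL.
    IdentityType type;
    if (identity.IndexOf('=') >= 0)
    {
        type = IdentityType.DistinguishedName;
    }
    else if (identity.IndexOf('@') >= 0)
    {
        type = IdentityType.UserPrincipalName;
    }
    else
    {
        type = isUser ? IdentityType.SamAccountName : IdentityType.Name;
    }

    return new LdapIdentity { Name = identity, Type = type };
}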
// NOTE(review): the signature of this member is not present in the listing. From its body it turns
// the instance's DN (Name) into a dotted name: "DC=corp,DC=example" -> "corp.example".
var ncs = Name.Split(new[]{","}, StringSplitOptions.RemoveEmptyEntries);
// Takes the value after '=' of EVERY RDN, so a non-DC RDN such as "CN=alice" contributes a label too,
// and an RDN with no '=' makes the [1] index throw IndexOutOfRangeException. TrimEnd(',') is a no-op
// since the string was already split on ','. The Select is deferred and enumerated once by Join.
var fqdn = ncs.Select(nc => nc.Split(new[]{'='}, StringSplitOptions.RemoveEmptyEntries)[1].TrimEnd(','));
return string.Join(".", fqdn);
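/// <summary>
/// True when this identity's name lies beneath <paramref name="parent"/> in the DN tree, i.e. it has
/// the form "&lt;one or more RDNs&gt;,&lt;parent.Name&gt;" and is not the same name.
/// </summary>
/// <param name="parent">The candidate ancestor DN; must not be null.</param>
/// <returns>True for a strict descendant; false for the same DN, an unrelated DN, or empty names.</returns>
/// <exception cref="ArgumentNullException">When <paramref name="parent"/> is null.</exception>
public bool IsChildOf(LdapIdentity parent)
{
    if (parent == null)
    {
        throw new ArgumentNullException(nameof(parent));
    }
    if (string.IsNullOrEmpty(Name) || string.IsNullOrEmpty(parent.Name))
    {
        return false;
    }

    // DN comparison is case-insensitive, and this file produces both casings (Parse lower-cases,
    // FqdnToDn emits "DC="), so compare ordinally ignoring case rather than with the culture-sensitive
    // default EndsWith.
    var comparison = StringComparison.OrdinalIgnoreCase;
    if (string.Equals(Name, parent.Name, comparison) || !Name.EndsWith(parent.Name, comparison))
    {
        return false;
    }

    // The parent must begin at an RDN boundary: a bare suffix test would make "cn=a,dc=example" a
    // child of "c=example". Whitespace before the separating comma is tolerated.
    var prefix = Name.Substring(0, Name.Length - parent.Name.Length).TrimEnd();
    return prefix.EndsWith(",", StringComparison.Ordinal);
}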
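/// <summary>
/// Returns the domain suffix of a UPN-form name, lower-cased: "alice@Corp.Example" -> "corp.example".
/// </summary>
/// <returns>The text after the first '@', lower-cased with the invariant culture.</returns>
/// <exception cref="InvalidOperationException">
/// When <see cref="Type"/> is not UserPrincipalName, or Name is null or contains no '@'.
/// </exception>
public string UpnToSuffix()
{
    // Type is publicly settable, so do not trust it alone: also require the '@' that Parse used to
    // choose UserPrincipalName. Without this, a UPN-typed name lacking '@' would return the whole name.
    var at = Name?.IndexOf('@') ?? -1;
    if (Type != IdentityType.UserPrincipalName || at < 0)
    {
        throw new InvalidOperationException($"Invalid username format: {Name}. Expected UPN");
    }
    // Suffix is a DNS name, i.e. machine data: invariant lower-casing, not the current culture.
    return Name.Substring(at + 1).ToLowerInvariant();
}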
/// <summary>
/// Runtime settings consulted by VerifyCredential (only the members it uses appear in this listing).
/// </summary>
public class Configuration
// NOTE(review): the body of IsPermittedDomain is not present in the listing. VerifyCredential calls it
// with the suffix of a UPN-form user name and reports "Domain not permitted" when it returns false.
public bool IsPermittedDomain(String domain)
// When true, VerifyCredential reports "Invalid username format" for any name that is not in UPN form.
public bool RequiresUpn = false;
// The directory domain to search; VerifyCredential passes it to LdapIdentity.FqdnToDn, so that method
// must accept a plain host name like this one (no '.' labels and no ":port" suffix).
public string Domain = "rdleas";
static Configuration _configuration = new Configuration();
static void VerifyCredential(string userName, string password)
if (string.IsNullOrEmpty(userName))
throw new ArgumentNullException(nameof(userName));
if (string.IsNullOrEmpty(password))
Console.WriteLine("Invalid credentials");
var user = LdapIdentity.ParseUser(userName);
if (user.Type == IdentityType.UserPrincipalName)
var suffix = user.UpnToSuffix();
if (!_configuration.IsPermittedDomain(suffix))
Console.WriteLine("Domain not permitted");
if (_configuration.RequiresUpn)
Console.WriteLine("Invalid username format");
var domain = LdapIdentity.FqdnToDn(_configuration.Domain);
var attributes = new[] { "DistinguishedName", "displayName", "mail", "telephoneNumber", "mobile", "userPrincipalName" };
var searchFilter = $"(&(objectClass=user)({user.TypeName}={user.Name}))";
Console.WriteLine(searchFilter);