问题描述
我正在尝试通过 Active Directory 递归地获取用户的所有直接报告.所以给定一个用户,我最终会得到一个所有用户的列表,这些用户有这个人作为经理,或者有一个人作为经理,有一个人作为经理......最终将输入用户作为经理.
I'm trying to get all the direct reports of a User through Active Directory, recursively. So given a user, i will end up with a list of all users who have this person as manager or who have a person as manager who has a person as manager ... who eventually has the input user as manager.
我目前的尝试相当缓慢:
My current attempt is rather slow:
private static Collection<string> GetDirectReportsInternal(string userDN, out long elapsedTime) { Collection<string> result = new Collection<string>(); Collection<string> reports = new Collection<string>(); Stopwatch sw = new Stopwatch(); sw.Start(); long allSubElapsed = 0; string principalname = string.Empty; using (DirectoryEntry directoryEntry = new DirectoryEntry(string.Format("LDAP://{0}",userDN))) { using (DirectorySearcher ds = new DirectorySearcher(directoryEntry)) { ds.SearchScope = SearchScope.Subtree; ds.PropertiesToLoad.Clear(); ds.PropertiesToLoad.Add("directReports"); ds.PropertiesToLoad.Add("userPrincipalName"); ds.PageSize = 10; ds.ServerPageTimeLimit = TimeSpan.FromSeconds(2); SearchResult sr = ds.FindOne(); if (sr != null) { principalname = (string)sr.Properties["userPrincipalName"][0]; foreach (string s in sr.Properties["directReports"]) { reports.Add(s); } } } } if (!string.IsNullOrEmpty(principalname)) { result.Add(principalname); } foreach (string s in reports) { long subElapsed = 0; Collection<string> subResult = GetDirectReportsInternal(s, out subElapsed); allSubElapsed += subElapsed; foreach (string s2 in subResult) { result.Add(s2); } } sw.Stop(); elapsedTime = sw.ElapsedMilliseconds + allSubElapsed; return result; }
本质上,这个函数将一个可分辨的名称作为输入(CN=Michael Stum,OU=test,DC=sub,DC=domain,DC=com),因此,对 ds.FindOne() 的调用很慢.
Essentially, this function takes a distinguished Name as input (CN=Michael Stum, OU=test, DC=sub, DC=domain, DC=com), and with that, the call to ds.FindOne() is slow.
我发现搜索 userPrincipalName 的速度要快得多.我的问题:sr.Properties["directReports"] 只是一个字符串列表,也就是distinguishedName,搜索起来似乎很慢.
I found that it is a lot faster to search for the userPrincipalName. My Problem: sr.Properties["directReports"] is just a list of strings, and that is the distinguishedName, which seems slow to search for.
我想知道,有没有一种快速的方法可以在 distinctName 和 userPrincipalName 之间进行转换?或者,如果我只有可使用的专有名称,是否有更快的方法来搜索用户?
I wonder, is there a fast way to convert between distinguishedName and userPrincipalName? Or is there a faster way to search for a user if I only have the distinguishedName to work with?
感谢您的回答!搜索经理字段将功能从 90 秒改进为 4 秒.这是新的和改进的代码,它更快、更易读(请注意,elapsedTime 功能中很可能存在错误,但该函数的实际核心是有效的):
Thanks to the answer! Searching the Manager-Field improved the function from 90 Seconds to 4 Seconds. Here is the new and improved code, which is faster and more readable (note that there is most likely a bug in the elapsedTime functionality, but the actual core of the function works):
private static Collection<string> GetDirectReportsInternal(string ldapBase, string userDN, out long elapsedTime) { Collection<string> result = new Collection<string>(); Stopwatch sw = new Stopwatch(); sw.Start(); string principalname = string.Empty; using (DirectoryEntry directoryEntry = new DirectoryEntry(ldapBase)) { using (DirectorySearcher ds = new DirectorySearcher(directoryEntry)) { ds.SearchScope = SearchScope.Subtree; ds.PropertiesToLoad.Clear(); ds.PropertiesToLoad.Add("userPrincipalName"); ds.PropertiesToLoad.Add("distinguishedName"); ds.PageSize = 10; ds.ServerPageTimeLimit = TimeSpan.FromSeconds(2); ds.Filter = string.Format("(&(objectCategory=user)(manager={0}))",userDN); using (SearchResultCollection src = ds.FindAll()) { Collection<string> tmp = null; long subElapsed = 0; foreach (SearchResult sr in src) { result.Add((string)sr.Properties["userPrincipalName"][0]); tmp = GetDirectReportsInternal(ldapBase, (string)sr.Properties["distinguishedName"][0], out subElapsed); foreach (string s in tmp) { result.Add(s); } } } } } sw.Stop(); elapsedTime = sw.ElapsedMilliseconds; return result; }
推荐答案
首先,当您已经拥有要查找的 DN 时,不需要将 Scope 设置为subtree".
First off, setting Scope to "subtree" is unnecessary when you already have the DN you are looking for.
此外,如何查找manager"属性是您要查找的人的所有对象,然后迭代它们.这通常应该比其他方式更快.?/p>
Also, how about finding all objects whose "manager" property is the person you look for, then iterating them. This should generally be faster than the other way around.
(&(objectCategory=user)(manager=<user-dn-here>))
以下内容很重要,但到目前为止仅在对此答案的评论中提及:
当过滤器字符串按上述方式构建时,存在用对 DN 有效但在过滤器中具有特殊含义的字符破坏它的风险.这些必须转义:
When the filter string is built as indicated above, there is the risk of breaking it with characters that are valid for a DN, but have special meaning in a filter. These must be escaped:
* as 2a ( as 28 ) as 29 as 5c NUL as 0 / as 2f // Arbitrary binary data can be represented using the same scheme.
将 SearchRoot 设置为对象的 DN,将 SearchScope 设置为 Base 也是一种快速提取单个对象的方法对象脱离 AD.
Setting the SearchRoot to the DN of an object, and the SearchScope to Base also is a fast way to pull a single object out of AD.