Where I work, we have two modes of authentication:

- CAS (http://www.jasig.org/cas)
- LDAP

CAS is the primary method, but it is often unreliable at peak traffic times and so we have been using LDAP as a fallback mode for when we notice that CAS is down. Previously, we were using PHP for doing our LDAP fallback and got reasonable performance. There wasn't a noticeable delay during login other than the expected network lag times. A login took probably ~250-500ms to complete using LDAP.
Now, we are making a new system and have chosen ASP.NET MVC4 as the platform rather than PHP and I am tasked with trying to get this fallback working again. I have been pulling my hair out for about 6 hours now trying different things over and over again, getting the same result (perhaps I am insane). I have finally managed to connect to LDAP, authenticate the user, and get their attributes from LDAP. However, the query consistently takes 4.5 seconds to complete no matter what method I try.
This is very surprising to me seeing as the PHP version was able to do nearly the same thing in 1/8th the time and it would seem that the .NET framework has excellent support for LDAP/ActiveDirectory. Am I doing something incredibly horribly wrong?
Here are the guts of my function as it stands now (this one is the latest iteration that manages to do everything in one 4.5 second query):
using System.Diagnostics;
using System.DirectoryServices.Protocols;
using System.Net;

public Models.CASAttributes Authenticate(string username, string pwd)
{
    // username is placed into the bind DN and the search filter below without escaping.
    string uid = string.Format("uid={0},ou=People,o=byu.edu", username);
    // Arguments: server, port, fullyQualifiedDnsHostName, connectionless.
    LdapDirectoryIdentifier identifier = new LdapDirectoryIdentifier("ldap.byu.edu", 636, false, false);
    try
    {
        using (LdapConnection connection = new LdapConnection(identifier))
        {
            // Simple bind as the user over SSL (port 636), LDAPv3.
            connection.Credential = new NetworkCredential(uid, pwd);
            connection.AuthType = AuthType.Basic;
            connection.SessionOptions.SecureSocketLayer = true;
            connection.SessionOptions.ProtocolVersion = 3;
            string filter = "(uid=" + username + ")";
            SearchRequest request = new SearchRequest("ou=People,o=byu.edu", filter, SearchScope.Subtree);
            // Time the request; the implicit bind happens inside SendRequest.
            Stopwatch sw = Stopwatch.StartNew();
            SearchResponse response = connection.SendRequest(request) as SearchResponse;
            sw.Stop();
            Debug.WriteLine(sw.ElapsedMilliseconds);
            // Dump each returned entry's DN and attribute names.
            foreach (SearchResultEntry entry in response.Entries)
            {
                Debug.WriteLine(entry.DistinguishedName);
                foreach (System.Collections.DictionaryEntry attribute in entry.Attributes)
                {
                    Debug.WriteLine(attribute.Key + " " + attribute.Value.GetType().ToString());
                }
                Debug.WriteLine("");
            }
        }
    }
    catch
    {
        Debugger.Break();
    }
    Debugger.Break();
    return null; //debug
}
The PHP version of this follows this sequence:

1. Bind anonymously and query for the user's information using the base DN and cn
2. Bind again using the user's username and password to see if they are authentic

It does two binds (connects?) in 1/8th the time it takes the .NET version to do one! It's this sort of thing that makes me think I am missing something.
I have tried methods based on the following sites:
- http://roadha.us/2013/04/ldap-authentication-with-c-sharp/ - Required 2 queries to do what I wanted and was too slow. I went through probably 6 different tries of doing it differently (varying the authentication & connection settings, etc).
- http://web.byu.edu/docs/ldap-authentication-0 - One PHP version, but has a small snippet about .NET at the bottom. I needed to get the profile as well and they weren't exactly descriptive.
- System.DirectoryServices is slow? - Current version

Edit:
Using wireshark, I saw that the following requests are made:
- bindRequest passing along my uid (delta 0.7ms)
- bindResponse success (delta 2ms)
- searchRequest "ou=People,o=byu.edu" wholeSubtree (delta 0.2ms)
- searchResEntry "uid=my uid,ou=People,o=byu.edu" | searchResDone success 1 result (delta 10.8ms)
- unbindRequest (delta 55.7ms)
Clearly, the overhead is coming from .NET and not from the requests. These don't add up to 4.5 seconds in any way, shape, or form.
Recommended answer

ldap.byu.edu sure looks like a fully qualified DNS host name. You should change your LdapDirectoryIdentifier constructor to new LdapDirectoryIdentifier("ldap.byu.edu", 636, true, false).
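The constructor change from this answer, applied to the question's bind-and-search flow, as an added example that is not code from the original question or answer. The class name `LdapFallback`, the alphanumeric username rule, the 5-second timeout and the list-of-attribute-names return type are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;

public static class LdapFallback // hypothetical class name
{
    // Assumption: usernames are short alphanumeric IDs. Rejecting anything else keeps
    // DN and filter metacharacters ( , + " \ ; = * ( ) ) out of both strings below.
    // \z (not $) so a trailing newline does not slip through.
    private static readonly Regex SafeUid = new Regex(@"^[A-Za-z0-9]{1,32}\z");

    // Returns the user's attribute names on success, or null when the login is refused.
    public static List<string> Authenticate(string username, string pwd)
    {
        // A simple bind with a DN and an empty password is an "unauthenticated" bind
        // that some servers accept, so refuse it before touching the network.
        if (username == null || !SafeUid.IsMatch(username) || string.IsNullOrEmpty(pwd))
            return null;

        string userDn = string.Format("uid={0},ou=People,o=byu.edu", username);
        // Third argument true: the server name is a fully qualified DNS host name.
        var identifier = new LdapDirectoryIdentifier("ldap.byu.edu", 636, true, false);

        using (var connection = new LdapConnection(identifier))
        {
            connection.AuthType = AuthType.Basic;
            connection.SessionOptions.SecureSocketLayer = true;
            connection.SessionOptions.ProtocolVersion = 3;
            connection.Timeout = TimeSpan.FromSeconds(5); // assumed limit
            try
            {
                // Explicit bind so a bad password is distinguishable from a search error.
                connection.Bind(new NetworkCredential(userDn, pwd));
            }
            catch (LdapException)
            {
                return null; // invalid credentials or server unreachable
            }

            var request = new SearchRequest("ou=People,o=byu.edu",
                "(uid=" + username + ")", SearchScope.Subtree);
            var response = (SearchResponse)connection.SendRequest(request);

            var names = new List<string>();
            foreach (SearchResultEntry entry in response.Entries)
                foreach (string name in entry.Attributes.AttributeNames)
                    names.Add(name);
            return names;
        }
    }
}
```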