No Environ("password") for Active Directory User Binding?
I want to reuse the Windows authentication to bind to the Active Directory user and check group membership.
I can get the Windows username with Environ("username"), but how do I get the password? I don't want to have to require the user to reenter their password, but there is no Environ("password").
How do I make this code work?
Thanks!
Private Sub ADsAuthenticate()
    Dim objConnection As New ADODB.Connection
    Dim objRecordset As ADODB.Recordset
    Dim objADsUser As IADsUser
    Dim objADsGroup As IADsGroup
    Dim strUsername As String
    Dim strPassword As String

    strUsername = Environ("username")
    strPassword = Environ("password")

    With objConnection
        .Provider = "ADsDSOObject"
        .Properties("User ID") = strUsername
        .Properties("Password") = strPassword
        .Properties("Encrypt Password") = True
        .Open "ADs Provider"
        Set objRecordset = .Execute("<LDAP://<server>/dc=<domain>,dc=com>;" _
            & "(sAMAccountName=" & strUsername & ");ADsPath;Subtree")
    End With

    With objRecordset
        If Not .EOF Then
            Set objADsUser = GetObject("LDAP:").OpenDSObject(.Fields("ADsPath").Value, strUsername, strPassword, ADS_SECURE_AUTHENTICATION)
            Debug.Print objADsUser.ADsPath
            For Each objADsGroup In objADsUser.Groups
                Debug.Print objADsGroup.Name
            Next
        End If
    End With

    objConnection.Close
End Sub
What makes you so sure the password is anywhere to read in the first place?
The accepted way to keep passwords is to only store a one-way hash of the password (typically using the BCrypt hashing algorithm plus a salt/nonce), and when someone logs in use the same hashing technique on the attempted password to see if it matches your stored value. Instead of storing something readable like password1 (warning: bad password example!) you end up storing something more like 23e598ac098da42== that's much less useful to crackers.
This is why if you lose a password most systems require you to reset it rather than recover the old one for you — they don't even have a real copy of the old one to give you.
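Added example, not part of the original question or answer: ADSI can bind with the logged-on user's existing Windows security context, so the group check needs no password at all. It assumes a domain-joined machine with a domain account logged on; CurrentUserGroups and IsMemberOf are hypothetical names chosen for this sketch.

```vba
Option Explicit

' Added example: bind with the caller's Windows logon session.
' No password is read, stored or passed; ADSI negotiates Kerberos/NTLM itself.
Private Function CurrentUserGroups() As Collection
    Dim objSysInfo As Object      ' ADSystemInfo (late bound)
    Dim objADsUser As Object      ' IADsUser
    Dim objADsGroup As Object     ' IADsGroup
    Dim strUserDN As String
    Dim colGroups As New Collection

    ' Distinguished name of the account this process is running as.
    ' Unlike Environ("username"), it does not come from an environment
    ' variable that the user can overwrite before starting the program.
    Set objSysInfo = CreateObject("ADSystemInfo")

    ' A forward slash inside a DN must be escaped in an ADsPath.
    strUserDN = Replace(objSysInfo.UserName, "/", "\/")

    ' Serverless bind: GetObject with no credentials uses the current
    ' security context and locates a domain controller automatically.
    Set objADsUser = GetObject("LDAP://" & strUserDN)

    For Each objADsGroup In objADsUser.Groups
        colGroups.Add objADsGroup.Name    ' relative name, e.g. "CN=Finance"
    Next

    Set CurrentUserGroups = colGroups
End Function

' Hypothetical helper: True if the current user is a direct member of the
' group whose common name is strGroupCN (pass "Finance", not "CN=Finance").
Public Function IsMemberOf(ByVal strGroupCN As String) As Boolean
    Dim varName As Variant

    For Each varName In CurrentUserGroups()
        If StrComp(varName, "CN=" & strGroupCN, vbTextCompare) = 0 Then
            IsMemberOf = True
            Exit Function
        End If
    Next
End Function
```

Groups returns direct memberships only; nested groups are not expanded.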