[英]Easy way to test an LDAP User's Credentials
Is there an easy way to test the credentials of a user against an LDAP instance?是否有一种简单的方法可以针对 LDAP 实例测试用户的凭据? I know how to write a Java program that would take the 'User DN' and password, and check it against the LDAP instance.
我知道如何编写一个 Java 程序,该程序将采用“用户 DN”和密码,并根据 LDAP 实例检查它。 However is there any easier way?
但是有没有更简单的方法? Specially a method that not only authenticates the user, but also lists all the user's roles.
特别是一种不仅对用户进行身份验证,而且列出所有用户角色的方法。
ldapwhoami -vvv -h <hostname> -p <port> -D <binddn> -x -w <passwd>
, where binddn
is the DN of the person whose credentials you are authenticating. ldapwhoami -vvv -h <hostname> -p <port> -D <binddn> -x -w <passwd>
,其中binddn
是要验证其凭据的人员的DN。
On success (ie, valid credentials), you get Result: Success (0)
. 成功后(即有效的凭据),您将得到
Result: Success (0)
。 On failure, you get ldap_bind: Invalid credentials (49)
. 失败时,您将得到
ldap_bind: Invalid credentials (49)
。
Use ldapsearch
to authenticate. 使用
ldapsearch
进行身份验证。 The opends
version might be used as follows: opends
版本的用法如下:
ldapsearch --hostname hostname --port port \
--bindDN userdn --bindPassword password \
--baseDN '' --searchScope base 'objectClass=*' 1.1
You should check out Softerra's LDAP Browser ( the free version of LDAP Administrator), which can be downloaded here : 您应该检出Softerra的LDAP浏览器(LDAP Administrator 的免费版本 ),可以在此处下载:
http://www.ldapbrowser.com/download.htm http://www.ldapbrowser.com/download.htm
I've used this application extensively for all my Active Directory, OpenLDAP, and Novell eDirectory development, and it has been absolutely invaluable. 我已经在我的所有Active Directory,OpenLDAP和Novell eDirectory开发中广泛使用了该应用程序,它绝对是无价之宝。
If you just want to check and see if a username\\password combination works, all you need to do is create a "Profile" for the LDAP server, and then enter the credentials during Step 3 of the creation process : 如果您只想查看用户名/密码组合是否有效,您要做的就是为LDAP服务器创建一个“配置文件”,然后在创建过程的第3步中输入凭据:
By clicking "Finish", you'll effectively issue a bind to the server using the credentials, auth mechanism, and password you've specified. 通过单击“完成”,您将使用您指定的凭据,身份验证机制和密码来有效地向服务器发出绑定。 You'll be prompted if the bind does not work.
如果绑定不起作用,则会提示您。
请注意,如果您不知道完整的绑定DN,也可以只使用普通用户名或带-U
电子邮件
ldapsearch -v -h contoso.com -U turiya.gouw@contoso.com -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'
Authentication is done via a simple ldap_bind command that takes the users DN and the password. 验证通过一个简单的ldap_bind命令完成,该命令获取用户DN和密码。 The user is authenticated when the bind is successfull.
绑定成功后,将对用户进行身份验证。 Usually you would get the users DN via an ldap_search based on the users uid or email-address.
通常,您将根据用户uid或电子邮件地址通过ldap_search获取用户DN。
Getting the users roles is something different as it is an ldap_search and depends on where and how the roles are stored in the ldap. 获取用户角色与ldap_search有所不同,它取决于角色在ldap中的存储位置和方式。 But you might be able to retrieve the roles during the lap_search used to find the users DN.
但是您可能能够在用于查找用户DN的lap_search期间检索角色。
For some reason, the accepted answer does not work, the arguments are not exactly the same (at least in Linux Alpine ).由于某种原因,接受的答案不起作用, arguments 并不完全相同(至少在Linux Alpine中)。 This command should work:
该命令应该可以工作:
ldapsearch -v -H ldap://dc1.MYDOMAIN.com -D "cn=Administrator,cn=Users,dc=MYDOMAIN,dc=com" -x -w SomeP@ssWord -Z -d 4
This is very helpful for debugging LDAP, as it outputs exactly the issue if there is any.这对于调试 LDAP 非常有帮助,因为它会准确输出问题(如果有)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.