[英]Authenticate an Active Directory user with UnboundID using username
I'm building an application where I need to connect to Active Directory using UnboundID
. 我正在构建一个应用程序,我需要使用
UnboundID
连接到Active Directory。 Using an example , I managed to connect a user with their distinguishedName
and password
. 使用一个例子 ,我设法用一个用户的
distinguishedName
和password
。
However I would like to authenticate them using only the domain
and the username
, similar to how it's done in Windows. 但是,我想仅使用
domain
和username
对它们进行身份验证,类似于在Windows中完成的操作。 Browsing AD using a tool called JXplorer
it seems like the sAMAccountName
might be the property I need. 使用名为
JXplorer
的工具浏览AD,似乎sAMAccountName
可能是我需要的属性。 However replacing the distinguishedName
with the sAMAccountName resulted in an AcceptSecurityContext
error. 但是,使用sAMAccountName替换
distinguishedName
导致AcceptSecurityContext
错误。 Using the "uid=..."
syntax shown in the example also yielded the same error. 使用示例中显示的
"uid=..."
语法也会产生相同的错误。
Is there a way to logon using only the domain, username
/ sAMAccountName
and password
. 有没有办法只使用域名,
username
/ sAMAccountName
和password
。 or do I somehow need to search through AD and find the distinguishedName
of the user I wish to authenticate, and then bind the connection using their distinguishedName
and password
? 或者我是否需要搜索AD并找到我想要验证的用户的
distinguishedName
,然后使用他们的distinguishedName
和password
绑定连接?
As @ioplex said in his comment, AD accepts a bind using the username from the sAMAccountName with the domain name appended to it. 正如@ioplex在他的评论中所说,AD使用sAMAccountName中的用户名接受绑定,并附加了域名。 Just use it instead of the DN on the bind:
只需使用它而不是绑定上的DN:
String userId = username + "@" + domain;
SimpleBindRequest adminBindRequest = new SimpleBindRequest(userId, passsword);
The final userId will be something like 'eharris@contoso.local' 最终的userId将类似'eharris@contoso.local'
You will need to use an account with appropriate permissions to perform a search for samAccountName to locate the user and then bind as the found user using the Distinguished Name. 您需要使用具有适当权限的帐户执行搜索samAccountName以查找用户,然后使用专有名称绑定为找到的用户。
You need to be sure you only return one entry from the search. 您需要确保只从搜索中返回一个条目。
Sample For Demonstration Purposes ONLY! 仅用于演示目的的示例!
Parameters would be something like: 参数将类似于:
"adldap.example.com" "CN=bob,OU=Users,DC=example,DC=com" "connPwd" "OU=Users,DC=example,DC=com" "samAccountName" "findUserValue" "userPassword" “adldap.example.com”“CN = bob,OU = Users,DC = example,DC = com”“connPwd”“OU = Users,DC = example,DC = com”“samAccountName”“findUserValue”“userPassword”
/**
* @author jwilleke <br/>
* Use For Demonstration Purposes ONLY!
* @param args
*/
public static void main(String[] args)
{
String connHost = args[0];
String connID = args[1];
String connPwd = args[2];
String searchBase = args[3];
String findUserByAttribute = args[4];
String findUserValue = args[5];
String userPassword = args[6];
int connPort = 389;
// TODO Auto-generated method stub
String actualLDAPServer = null;
RootDSE rootDSE = null;
// If I were doing this for real, I would use a POOL for Connections
SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); // Use For Demonstration Purposes ONLY!
SSLSocketFactory sslSocketFactory = null;
try
{
sslSocketFactory = sslUtil.createSSLSocketFactory();
}
catch (GeneralSecurityException e1)
{
// TODO Auto-generated catch block
e1.printStackTrace();
}
SimpleBindRequest adminBindRequest = new SimpleBindRequest(connID, connPwd);
LDAPConnection adminConnection = new LDAPConnection(sslSocketFactory);
try
{
adminConnection = new LDAPConnection(connHost, connPort);
log.debug("Successful LDAP adminConnection to:" + connHost + ":" + connPort);
adminConnection.bind(adminBindRequest);
log.debug("Successful Bind as:" + connID);
}
catch (LDAPException e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
LDAPConnection userConnection = new LDAPConnection(sslSocketFactory);
try
{
userConnection = new LDAPConnection(connHost, connPort);
log.debug("Successful LDAP userConnection to:" + connHost + ":" + connPort);
}
catch (LDAPException e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
// Construct Filter to find user
Filter findUserfilter = null;
findUserfilter = Filter.createEqualityFilter(findUserByAttribute, findUserValue);
// Create Search Request
SearchRequest searchRequest = new SearchRequest(searchBase, SearchScope.SUB, findUserfilter);
searchRequest.setSizeLimit(1); // We will error if we get more than one hit
SearchResult searchResult = null;
try
{
searchResult = adminConnection.search(searchRequest);
}
catch (LDAPSearchException e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
String userDN = null;
if (searchResult.getEntryCount() > 1)
{
log.error("We got more than one Entry for:" + searchRequest.getFilter());
}
if (searchResult.getEntryCount() == 0)
{
log.error("We got No Entries for:" + searchRequest.getFilter());
}
for (SearchResultEntry entry : searchResult.getSearchEntries())
{
userDN = entry.getDN();
log.debug("Found an Entry: " + userDN);
}
SimpleBindRequest userBindRequest = new SimpleBindRequest(userDN, userPassword);
if (userBindRequest.getBindDN() == null)
{
log.warn("We got a null for the userBindRequest UserDN and therefore the bind is anonymous !");
}
if (userBindRequest.getPassword() == null)
{
log.warn("We got a null for the userBindRequest Password and therefore the bind is anonymous !");
}
try
{
userConnection.bind(userDN, userPassword);
log.debug("Successful userConnection Bind as:" + userDN);
}
catch (LDAPException e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
}
-jim -Jim
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.