
java - Active Directory - authentication using base dn

I have written test code for authenticating a user through an Active Directory server. I am able to authenticate using the bind DN with the code below.

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public static void main(String[] args) {

    LdapContext ldapContext = null;

    Hashtable<String, String> env = new Hashtable<String, String>();

    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldaps://10.121.85.24:636");
    env.put(Context.SECURITY_PROTOCOL, "ssl");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    // DOMAIN\user form; the backslash has to be escaped inside a Java string literal
    env.put(Context.SECURITY_PRINCIPAL, "EXTLDAPTEST\\batty"); // line 1
    env.put(Context.SECURITY_CREDENTIALS, "mypassword");
    env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(8000));
    // a "trust all" socket factory skips server certificate validation: test use only
    env.put("java.naming.ldap.factory.socket", "com.auth.server.TrustAllSSLSocketFactory");

    try {
        ldapContext = new InitialLdapContext(env, null);
    } catch (NamingException e) {
        e.printStackTrace();
    }

    if (ldapContext != null)
    {
        System.out.println("Authenticated");
    }
}

But when I replace line 1 with

env.put(Context.SECURITY_PRINCIPAL, "CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local"); // line 1

it throws this exception:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

AD's tree structure is:

[screenshot of the AD tree structure]

Am I doing something wrong when trying to use the full DN for authentication?

EDIT 1: When I use the service account to get the full DN using

NamingEnumeration<?> aa = context.list("OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local");

I get the following result:

CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local

which is the same as what I passed for authentication.

EDIT 2: The reason I am using the full DN is that I will be given a service account and the DN of a subtree. The same user can exist in different subtrees, so I want to authenticate against a specific subtree.

The LDAP error code 49 is caused by invalid credentials.

But you can use applications like ADSI Edit or AD Explorer to get the DN for an object. You can either just use them to view the "distinguishedName" attribute of the object in question, or use other methods that are specific to each application.

Or use LDAP Explorer Tool 2 and find the CN you want to get the DN of. You can get its value in the secDN attribute:

[screenshot of the attribute view in LDAP Explorer Tool 2]

I was wondering why you need to use a full DN to specify the user name? You can use either the DOMAIN\USER or the USER@DOMAIN format to authenticate against AD.

I personally have never used any other format, but RFC 2829 specifies the following DN-based authentication identity format: dn: DN. In your case, SECURITY_PRINCIPAL would look like dn: CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local. Once again, I have never used the DN format, but try it out and see if the proposed solution works.

Hope this helps.
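As an added example (not code from the question or from either answer), here is the two-step pattern the question's EDIT 2 asks for: bind once as a service account, search the given subtree for the login's sAMAccountName, then bind a second time as the DN that came back, with the user's own password. It also covers the format point raised in the second answer: for a simple bind, JNDI sends the SECURITY_PRINCIPAL string verbatim as the bind name, and AD accepts a plain DN, a UPN or DOMAIN\user there. The server URL, the service account DN and the LDAP_SERVICE_PASSWORD variable are assumed placeholders; the filter escaping, the empty-password check and the table of AD "data" sub-codes are general AD/JNDI behaviour, not something the question itself states.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class SubtreeAuthenticator {
    // Assumed placeholders (not values from the question): server URL, service account DN, and its password.
    private static final String URL = "ldaps://ad.example.com:636";
    private static final String SERVICE_DN = "CN=svc-ldap,OU=Service accounts,DC=example,DC=com";
    private static final String SERVICE_PASSWORD = System.getenv("LDAP_SERVICE_PASSWORD");

    /** Simple bind as the given principal (DN, UPN or DOMAIN\user form); throws on failure. */
    static LdapContext bind(String principal, String password) throws NamingException {
        // An empty password turns this into an unauthenticated bind, which AD accepts as anonymous: refuse it.
        if (password == null || password.isEmpty()) throw new AuthenticationException("empty password would be an anonymous bind");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "8000");
        // Default socket factory: the server certificate is validated against the JVM trust store.
        return new InitialLdapContext(env, null);
    }

    /** Escapes a value for an LDAP search filter (RFC 4515) so a login name cannot inject filter syntax. */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** DN of the single account with this sAMAccountName below baseDn; null if none or ambiguous. */
    static String findUserDn(LdapContext svc, String baseDn, String samAccountName) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "distinguishedName" });
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(samAccountName) + "))";
        NamingEnumeration<SearchResult> results = svc.search(baseDn, filter, sc);
        String dn = null;
        try {
            while (results.hasMore()) {
                if (dn != null) return null; // a second match in the same subtree is ambiguous
                dn = results.next().getNameInNamespace();
            }
        } finally {
            results.close();
        }
        return dn;
    }

    /** Maps the AD sub-code in the "data NNN" part of an error 49 message to a human-readable reason. */
    static String describeBindFailure(String message) {
        String m = message == null ? "" : message;
        if (m.contains("data 525")) return "user not found";
        if (m.contains("data 52e")) return "invalid credentials";
        if (m.contains("data 530")) return "not permitted to log on at this time";
        if (m.contains("data 532")) return "password expired";
        if (m.contains("data 533")) return "account disabled";
        if (m.contains("data 701")) return "account expired";
        if (m.contains("data 773")) return "user must reset password";
        if (m.contains("data 775")) return "account locked out";
        return "bind rejected: " + m;
    }

    /** Authenticates login/password restricted to the subtree at baseDn; returns the user's DN. */
    static String authenticate(String baseDn, String login, String password) throws NamingException {
        LdapContext svc = bind(SERVICE_DN, SERVICE_PASSWORD);
        String userDn;
        try {
            userDn = findUserDn(svc, baseDn, login);
        } finally {
            svc.close();
        }
        if (userDn == null) throw new AuthenticationException("no unique account for " + login + " under " + baseDn);
        try {
            bind(userDn, password).close(); // bind as the user's own DN with the user's password
            return userDn;
        } catch (AuthenticationException e) {
            throw new AuthenticationException(describeBindFailure(e.getMessage()));
        }
    }
}
```

A call such as `SubtreeAuthenticator.authenticate("OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local", "batty", password)` returns the user's DN only when an account with that sAMAccountName exists under that subtree and the second bind succeeds; a user with the same name in another subtree is never considered. The two checks worth keeping even if the rest is rewritten are the empty-password rejection (a simple bind with a DN and no password is treated by AD as anonymous and reports success) and the filter escaping, which keeps a login name like `*)(objectClass=*` from widening the search.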

Statement: the technical posts on this site are published under the CC BY-SA 4.0 license; if you reproduce them, please cite this site or the original source. For any questions contact: yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM