
What are the minimum requirements for an LDAPS Java query from Linux to 2012r2 Active Directory?

So, we have a mixed system - Windows 2012r2 AD, with AD CA installed, a self-signed cert. I can connect and search AD on 636 from ldp.exe, and now I can connect and search ldaps:636 from a Linux host (with a full .pem file imported into my CA trust store on the Linux side).

So, I know I am partially there - I think. With the Linux host with the Java code, I have exported the public key into my javastore, and am trying the search with that... I get a 49 and 52e... every single time.

My question is this - do I absolutely have to use a full .pem to do an LDAPS search? Or is there a smaller set of required certs and search mechanisms to do this?

Here's my code:

    <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"
                 flags="required">
      initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
      connection.username=uid=ddf
      connection.password=password!
      connection.url=ldaps://abc-ad1.house.thatguy.com:636
      user.base.dn=cn=users,cn=accounts,dc=house,dc=thatguy,dc=com
      user.filter=(uid=%u)
      user.search.subtree=true
      role.base.dn=CN=NPE,CN=Users,dc=house,dc=thatguy,dc=com
      role.name.attribute=cn
      role.filter=(member=uid=%u,cn=groups,cn=compat,dc=house,dc=thatguy,dc=com)
      role.search.subtree=true
      role.mapping=admin=group,admin,manager,viewer,webconsole
      authentication=simple
      ssl.protocol=SSL
      ssl.truststore=truststore
      ssl.algorithm=PKIX
    </jaas:module>

What the heck am I missing?

So. My issue was in my script. The public key is needed to do the LDAPS lookup, but the script requires specific LDAPS features for Active Directory.

Where I had UID, it MUST be CN. So, the LDAP search was CN=username,CN=ou,dc=blah,dc=blah,dc=blah; the LDAPS search was cn=svcldaps,cn=users,dc=house,dc=thatguy,dc=com.

I changed user.filter=(uid=%u) to user.filter=(cn=%u) and corrected role.filter=(member=uid=%u,cn=users,dc=house,dc=thatguy,dc=com) to role.filter=(member=cn=%u,cn=users,dc=house,dc=thatguy,dc=com).

As soon as I made the change to the script, it was able to log in correctly.

Closing the question for myself is ever so sweet. Now my skull will go back to normal, and I can fill that dent in on the wall. And the table. And replace the keyboards and the monitors.
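The same lookup stripped down to plain JNDI, as an added example that is not the Karaf module from the question or the answer above. It shows the three things the thread turns on: the Java truststore only needs the AD CS issuing CA certificate as a trust anchor (no private key, no full chain file); a simple bind to AD takes a full DN or user@domain, not "uid=..."; and the user filter is on cn, as the answer found. The host and base DN are reused from the question; the truststore path and password, the AD_BIND_PASSWORD variable, the service-account DN and the class name are placeholders I chose. LDAP result 49 with AD's "data 52e" sub-code means the TLS handshake already succeeded and the bind DN or password was rejected, so the catch block reports it separately from certificate problems.

```java
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Minimal LDAPS bind and user lookup against Active Directory with JNDI (added example). */
public class AdLdapsLookup {

    // Host and base DN from the question; adjust for your domain.
    static final String URL = "ldaps://abc-ad1.house.thatguy.com:636";
    static final String BASE_DN = "cn=users,dc=house,dc=thatguy,dc=com";
    // Service account used for the bind. AD expects a full DN (or user@domain), not "uid=ddf".
    // Placeholder DN.
    static final String BIND_DN = "cn=svcldaps,cn=users,dc=house,dc=thatguy,dc=com";

    public static void main(String[] args) throws NamingException {
        String user = args.length > 0 ? args[0] : "svcldaps";
        String password = System.getenv("AD_BIND_PASSWORD"); // keep the secret out of the config
        if (password == null) {
            throw new IllegalStateException("set AD_BIND_PASSWORD");
        }

        // Truststore holding only the AD CS CA certificate (placeholder path/password), built with:
        //   keytool -importcert -trustcacerts -alias ad-ca -file ad-ca.pem -keystore truststore.jks
        System.setProperty("javax.net.ssl.trustStore", "/etc/pki/app/truststore.jks");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");            // TLS from the first byte on 636
        env.put(Context.SECURITY_AUTHENTICATION, "simple");   // credentials travel inside TLS only
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // fail fast instead of hanging
        // Hostname verification of the server certificate is on by default for LDAPS since
        // JDK 8u181; the name in URL must match the cert's SAN or the handshake fails.

        DirContext ctx;
        try {
            ctx = new InitialDirContext(env); // TLS handshake + simple bind happen here
        } catch (AuthenticationException e) {
            // Result 49. With AD, "data 52e" in the message means invalid credentials:
            // the certificate chain was accepted and the problem is the bind DN/password.
            System.err.println("bind rejected: " + e.getMessage());
            return;
        }

        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] {"cn", "sAMAccountName", "memberOf"});
            // AD names users by cn (and sAMAccountName), not uid: the fix from the answer.
            // {0} makes JNDI escape the value, so a name containing '*' or ')' cannot
            // change the meaning of the filter.
            NamingEnumeration<SearchResult> results =
                    ctx.search(BASE_DN, "(cn={0})", new Object[] {user}, controls);
            while (results.hasMore()) {
                SearchResult r = results.next();
                System.out.println("dn: " + r.getNameInNamespace());
                Attribute groups = r.getAttributes().get("memberOf");
                if (groups != null) {
                    for (int i = 0; i < groups.size(); i++) {
                        System.out.println("memberOf: " + groups.get(i));
                    }
                }
            }
        } finally {
            ctx.close();
        }
    }
}
```

Run it as `AD_BIND_PASSWORD=... java AdLdapsLookup someuser`. If the bind fails with a certificate error instead of result 49, the truststore is the problem; if it fails with 49 and data 52e, the truststore is fine and the bind principal or password is wrong, which is the state the question describes.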
