
LDAP not returning any results

I have a piece of Java code that does a simple search of an Active Directory. The code functions as expected when using our production AD but when using the same code on our test AD no results are returned (no exception or error is thrown either).

When using an AD browser on my machine I am able to browse and search the test AD and find the results I am looking for.

The AD allows read access to everyone so it isn't a permissions problem.

Does anyone know what could be causing it not to return any results to my Java client but does to my browser?

Java code:

        import java.util.Hashtable;
        import javax.naming.Context;
        import javax.naming.NamingEnumeration;
        import javax.naming.directory.*;

        // JNDI environment for the LDAP connection
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, Constants.LDAPURL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.REFERRAL, "follow");
        DirContext dctx = new InitialDirContext(env);

        // Search base (DN) under which the subtree search runs
        String base = Constants.LDAPQUERYLOCATION;

        // Return only these attributes, searching the whole subtree
        SearchControls sc = new SearchControls();
        String[] attributeFilter = {"cn", "sAMAccountName", "sn", "distinguishedName"};
        sc.setReturningAttributes(attributeFilter);
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);

        // Entries must match both the object class and the surname
        String filter = "(&(objectClass=User)(sn=smith))";
        NamingEnumeration<SearchResult> results = dctx.search(base, filter, sc);
        if (!results.hasMore()) {
            log.debug("No results found");
        }
        while (results.hasMore()) {
            SearchResult sr = results.next();
            Attributes attrs = sr.getAttributes();
            Attribute attr = attrs.get("cn");
            log.debug("cn: " + attr.get());
            attr = attrs.get("sn");
            log.debug("sn: " + attr.get());
            attr = attrs.get("distinguishedName");
            log.debug("dn: " + attr.get());
        }
        dctx.close();

I don't have control of the AD so I can't really provide much information about its setup.

Just tried your code on my network, which is using OpenLDAP - which I know is not the same as AD, but:

I got no results either until I changed my filter string to this:

        String filter = "(&(objectClass=inetOrgPerson)(sn=smith))";

I got that inetOrgPerson object class by snooping into the directory with an LDAP browser. It's a long-shot, but is it possible that your test AD isn't using the same object classes as your production server?

A quick Google shows me that Microsoft's implementation of the LDAP standard was lacking at first, but should now be (more) compliant with the use of inetOrgPerson - maybe your test AD is running an older version with the problems, while your prod box is on the latest-and-greatest? Or perhaps vice-versa?
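One way to test the object-class theory from the answer above, as an added example that is not part of the original posts: search on the surname alone, ask only for `objectClass`, and tally what comes back so the two directories can be compared. The class name `ObjectClassProbe` and its helpers are hypothetical, `probe` assumes an already-open `DirContext` such as the question's `dctx`, and `main` runs on constructed sample entries rather than real directory output.

```java
import java.util.*;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;

public class ObjectClassProbe {
    /** Live probe: same search without the objectClass clause, returning only objectClass. */
    static List<Attributes> probe(DirContext ctx, String base) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"objectClass"});
        List<Attributes> found = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(base, "(sn=smith)", sc);
        while (results.hasMore()) found.add(results.next().getAttributes());
        return found;
    }

    /** Count objectClass values, lower-cased because LDAP matches them case-insensitively. */
    static Map<String, Integer> tally(List<Attributes> entries) throws NamingException {
        Map<String, Integer> counts = new TreeMap<>();
        for (Attributes attrs : entries) {
            Attribute oc = attrs.get("objectClass");
            if (oc == null) continue; // server did not return the attribute
            NamingEnumeration<?> values = oc.getAll();
            while (values.hasMore())
                counts.merge(values.next().toString().toLowerCase(Locale.ROOT), 1, Integer::sum);
        }
        return counts;
    }

    /** Builds a constructed sample entry carrying only objectClass values. */
    static Attributes entry(String... classes) {
        Attribute oc = new BasicAttribute("objectClass");
        for (String c : classes) oc.add(c);
        Attributes attrs = new BasicAttributes(true); // true = ignore attribute-name case
        attrs.put(oc);
        return attrs;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed samples, not real directory output.
        Map<String, Integer> adStyle = tally(Arrays.asList(
                entry("top", "person", "organizationalPerson", "user")));
        Map<String, Integer> inetStyle = tally(Arrays.asList(
                entry("top", "person", "organizationalPerson", "inetOrgPerson")));
        for (Map<String, Integer> seen : Arrays.asList(adStyle, inetStyle))
            System.out.println(seen.keySet() + " has user: " + seen.containsKey("user"));
    }
}
```

If `probe` itself returns nothing against the test directory, the object class is not what is filtering the entries out and the search base or bind is the next thing to compare.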
