
Search in an AD using a user from another AD with java

I have two Active Directories in two domains: domain1.xx and domain2.xx. I have a user belonging to domain1.xx named user1. I can run LDAP queries on domain1 with user1. user1 has read permission on domain2.xx; I have tested that permission with AD Explorer and it works. The problem is that when I use Java it returns this exception: ERROR: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

This is the code that connects and queries in domain1, and it works:

package ad;

import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AD {

    static DirContext ldapAuthenticate(String password, String userdn) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // set security credentials, note using simple cleartext authentication
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userdn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // connect to my domain controller
        env.put(Context.PROVIDER_URL, "ldap://domain1.xx");
        // Create the initial directory context
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
        } catch (AuthenticationException e) {
            // the domain controller rejected the bind
            System.out.println("ERROR: " + e.getMessage());
        } catch (Exception e) {
            // something else went wrong (connection, naming); handle in some way
            System.out.println("ERROR: " + e.getMessage());
        }
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        DirContext context = ldapAuthenticate("xxxxxx", "user01@domain1.xx");
        if (context == null) {
            return; // bind failed, the error was already printed
        }
        String searchBase = "dc=domain1,dc=xx";
        SearchControls searchCtrls = new SearchControls();
        searchCtrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        String[] attributes = {"member"};
        searchCtrls.setReturningAttributes(attributes);

        String filter = "objectclass=*";
        NamingEnumeration<SearchResult> values = context.search(searchBase, filter, searchCtrls);

        // Loop through the search results
        while (values.hasMoreElements()) {
            SearchResult sr = values.next();
            System.out.println(">>>" + sr.getName());
            Attributes attrs = sr.getAttributes();

            if (null != attrs) {
                for (NamingEnumeration<? extends Attribute> ae = attrs.getAll(); ae.hasMoreElements();) {
                    Attribute atr = ae.next();
                    NamingEnumeration<?> vals = atr.getAll();
                    if (vals.hasMoreElements()) {
                        String username = (String) vals.nextElement();
                        System.out.println("Username: " + username);
                    }
                }
            } else {
                System.out.println("No members for groups found");
            }
        }
        context.close();
    }
}

When I want to query domain2.xx, I get the exception:

package ad;

import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AD {

    static DirContext ldapAuthenticate(String password, String userdn) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // set security credentials, note using simple cleartext authentication
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userdn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // connect to the other domain's controller
        env.put(Context.PROVIDER_URL, "ldap://domain2.xx");
        // Create the initial directory context
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
        } catch (AuthenticationException e) {
            // the domain controller rejected the bind
            System.out.println("ERROR: " + e.getMessage());
        } catch (Exception e) {
            // something else went wrong (connection, naming); handle in some way
            System.out.println("ERROR: " + e.getMessage());
        }
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        DirContext context = ldapAuthenticate("xxxxxx", "user01@domain1.xx");
        if (context == null) {
            return; // bind failed, the error was already printed
        }
        String searchBase = "dc=domain2,dc=xx";
        SearchControls searchCtrls = new SearchControls();
        searchCtrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        String[] attributes = {"member"};
        searchCtrls.setReturningAttributes(attributes);

        String filter = "objectclass=*";
        NamingEnumeration<SearchResult> values = context.search(searchBase, filter, searchCtrls);

        // Loop through the search results
        while (values.hasMoreElements()) {
            SearchResult sr = values.next();
            System.out.println(">>>" + sr.getName());
            Attributes attrs = sr.getAttributes();

            if (null != attrs) {
                for (NamingEnumeration<? extends Attribute> ae = attrs.getAll(); ae.hasMoreElements();) {
                    Attribute atr = ae.next();
                    NamingEnumeration<?> vals = atr.getAll();
                    if (vals.hasMoreElements()) {
                        String username = (String) vals.nextElement();
                        System.out.println("Username: " + username);
                    }
                }
            } else {
                System.out.println("No members for groups found");
            }
        }
        context.close();
    }
}

Can anyone help with this situation? user01@domain1.xx can read all the OUs in domain2.xx; I have tried it with AD Explorer.

The authentication error you posted contains a specific code that may be useful. In your case the code is 525 (AcceptSecurityContext error, data 525). Code 525 means "user not found". Judging from your code, you are reusing the same user, user1@domain1. That user only exists in domain 1. Domain 2 does not know that user, so the AD domain controller rejects the authentication attempt.

The code sample attached to the question targets a specific domain controller rather than the Global Catalog. Try the following:

  • Use InitialLdapContext instead of InitialDirContext
  • Bind to the Global Catalog instead of a domain controller. To do that, use the URL ldap://FQDN:3268. Please note that the port is 3268.

Note that port 3268 is not secure.

Hope this helps.
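Putting the answer's two suggestions together, as an added example that is not from the question or the answer: it binds with InitialLdapContext to the Global Catalog, passes the SearchControls the question builds but never uses, and decodes the "data NNN" sub-code from a rejected bind (525 is the one in the question; the other sub-codes in the table go beyond the page). The class and method names are assumptions.

```java
import java.util.*;
import java.util.regex.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class GlobalCatalogSearch {
    // "data NNN" sub-codes AD appends to an error-49 bind failure. 525 is the one from the
    // question; the others are AD's remaining documented sub-codes, listed here for completeness.
    private static final Map<String, String> BIND_SUBCODES = Map.of(
        "525", "user not found", "52e", "invalid credentials", "530", "logon time restriction",
        "532", "password expired", "533", "account disabled", "773", "password must be reset",
        "775", "account locked out");
    private static final Pattern DATA_CODE = Pattern.compile("data ([0-9a-fA-F]+)");

    /** Turns a JNDI bind error message into a hint such as "525: user not found". */
    static String explainBindError(String message) {
        Matcher m = DATA_CODE.matcher(message == null ? "" : message);
        if (!m.find()) return "no AD sub-code in message";
        String code = m.group(1).toLowerCase();
        return code + ": " + BIND_SUBCODES.getOrDefault(code, "unknown sub-code");
    }

    /** Binds to the Global Catalog with InitialLdapContext and returns the DNs matching filter. */
    static List<String> searchGlobalCatalog(String gcUrl, String upn, String password,
                                            String base, String filter) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, gcUrl);            // GC port, not the domain controller's 389
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);        // e.g. user01@domain1.xx from the question
        env.put(Context.SECURITY_CREDENTIALS, password);
        List<String> dns = new ArrayList<>();
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);
            SearchControls sc = new SearchControls();    // the question builds this but passes null
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            NamingEnumeration<SearchResult> results = ctx.search(base, filter, sc);
            while (results.hasMore()) dns.add(results.next().getNameInNamespace());
        } catch (AuthenticationException e) {
            System.out.println("bind rejected, " + explainBindError(e.getMessage()));
            throw e;
        } finally {
            if (ctx != null) ctx.close();
        }
        return dns;
    }
}
```

Call it with a URL such as ldaps://dc1.domain1.xx:3269 (hypothetical host; 3269 is the TLS-wrapped Global Catalog port, 3268 the cleartext one the answer names) and the question's base dc=domain2,dc=xx.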
