如何使用Java管理AD ACL [英] How to manage AD ACLs using Java

问题描述

我当前正在使用Java应用程序，该应用程序需要连接到Active Directory（AD）并修改用户无法更改密码权限。

I'm currently working with a Java application that needs to connect to an Active Directory (AD) and modify the 'User Cannot Change Password' permission.

Microsoft已经足够好心地介绍如何使用C ++或VB进行逐步操作：
http://msdn.microsoft.com/zh-CN/library/windows/desktop/aa746398（v = vs.85）.aspx

Microsoft has been kind enough to provide a step by step of how to do this using C++ or VB: http://msdn.microsoft.com/en-us/library/windows/desktop/aa746398(v=vs.85).aspx

问题确实是我需要使用Java来完成。

The problem is really that I need to do this using Java. Is this possible?

主要问题是通过查询/解析ntSecurityDescriptor属性来使用ACL。

The main issue is working with ACLs by querying/parsing the ntSecurityDescriptor attribute.

I我目前正在使用Unboundid Ldap SDK来建立连接并搜索AD属性，但如有必要，我可以更改API。

I'm currently using the Unboundid Ldap SDK to establish the connection and search for AD attributes, but I can change APIs if necessary.

任何帮助将不胜感激。

谢谢您的时间。

推荐答案

授予授权在任何LDAP RFC中都不是必需的。这部分是专有的。

Granting authorization is not discrib in any LDAP RFC. This part is proprietary.

在OpenLDAP中，访问控制列表（ACL）是通过一种过滤器建立的。

In OpenLDAP Access Control List (ACL) is established by a kind of filter.

在SUN目录（现为Oracle）中，ACL是通过属性建立的。

In SUN Directory (Nowdays Oracle one) ACLs are established by attributes.

在Active Directory中，授权使用内部专有名称来完成。

In Active Directory granting authorization is done using internal in the same proprietary maner as in the NFTS file system.

您可以做的是执行一个像 DSACLS.EXE 参见示例示例

The thing you can do is to execute an external program like DSACLS.EXE see Dsacls Examples

另一种解决方案应该是将COM ADSI对象映射到Java 此可能会对您有所帮助。

Another solution should be to map COM ADSI objects into Java this may help you (or not).

这篇关于如何使用Java管理AD ACL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！