Issue with DNS Naming and Certificates LDAP Context


Question

With the last update of Java, 1.8.0_181, I have an issue when I try to create an LDAPS connection to Active Directory. Up to version 1.8.0_171, using the following code, I could create it without issues:

    import java.io.File;
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.ldap.InitialLdapContext;

    // JNDI environment for the LDAPS bind; <username>, <Password> and <attributes>
    // stand for values supplied by the caller
    Hashtable<String, Object> objEnvironment;
    objEnvironment = new Hashtable<String, Object>(11);
    objEnvironment.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    // the host here is the AD domain name, not the FQDN on the domain controller's certificate
    objEnvironment.put(Context.PROVIDER_URL, "LDAPS://domain:636");
    objEnvironment.put(Context.SECURITY_AUTHENTICATION, "simple");
    objEnvironment.put(Context.SECURITY_PRINCIPAL, <username>);
    objEnvironment.put(Context.SECURITY_CREDENTIALS, <Password>);
    objEnvironment.put("java.naming.ldap.attributes.binary", <attributes>);
    // trust store that holds the CA chain of the domain controller's certificate
    System.setProperty("javax.net.ssl.trustStore", "certificates".concat(File.separator).concat("cacerts"));
    this.objLDAPContext = new InitialLdapContext(objEnvironment, null);

However, with the latest version I get the following exception: java.security.cert.CertificateException: No DNS name found for xxxx.xxxx.xxx. Looking it up, I found it is an issue with the FQDN: if I do not use the same name as is displayed on the certificate, I cannot establish a connection. I would like to know if there is a way to skip this and use the domain name as I did in the past.

Answer

The issue you are experiencing may be due to the changes introduced in Java 1.8.0_181 for improved LDAP support. Refer to the release notes here:

➜ Improve LDAP support: Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

As a workaround, you may add -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true when running your code.

Note that this is not a recommended approach, as your system will remain vulnerable if you use it.
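The following is an added example, not code from the question or the answer above. It shows the alternative to switching endpoint identification off: discover the domain controllers' own FQDNs from the Active Directory SRV records (_ldap._tcp.dc._msdcs.<domain>), confirm which dNSName SANs the controller's certificate actually carries, and then bind over LDAPS to a name that the certificate covers with endpoint identification left at its 8u181 default. The domain corp.example.com, the service-account DN, port 636, and the certificates/cacerts trust store path (taken from the question) are assumptions.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LdapsEndpointIdentification {

    // Step 1: ask DNS which hosts are domain controllers for the AD domain.
    // AD publishes them as SRV records under _ldap._tcp.dc._msdcs.<domain>; the
    // targets are the DCs' own FQDNs, which is what their certificates name.
    static List<String> resolveDomainControllers(String domain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:"); // use the system resolver
        DirContext dns = new InitialDirContext(env);
        try {
            List<String> hosts = new ArrayList<>();
            Attributes attrs = dns.getAttributes("_ldap._tcp.dc._msdcs." + domain, new String[] {"SRV"});
            Attribute srv = attrs.get("SRV");
            if (srv == null) {
                return hosts;
            }
            NamingEnumeration<?> values = srv.getAll();
            while (values.hasMore()) {
                // SRV rdata as the JNDI DNS provider renders it: "priority weight port target."
                String[] parts = values.next().toString().trim().split("\\s+");
                String target = parts[parts.length - 1];
                hosts.add(target.endsWith(".") ? target.substring(0, target.length() - 1) : target);
            }
            return hosts;
        } finally {
            dns.close();
        }
    }

    // Step 2: read the dNSName SANs the server presents. This handshake deliberately
    // runs without endpoint identification so it still succeeds when the name you
    // tried does not match; the trust-store check (javax.net.ssl.trustStore) still applies.
    static List<String> certificateDnsNames(String host, int port)
            throws IOException, CertificateParsingException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            X509Certificate cert = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            List<String> names = new ArrayList<>();
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    if (((Integer) san.get(0)) == 2) { // GeneralName type 2 = dNSName
                        names.add((String) san.get(1));
                    }
                }
            }
            return names;
        }
    }

    // Mirrors the rule the JDK's LDAP hostname checker applies: exact match, or a
    // wildcard in the leftmost label only.
    static boolean nameMatches(String san, String host) {
        String s = san.toLowerCase();
        String h = host.toLowerCase();
        if (s.startsWith("*.")) {
            int dot = h.indexOf('.');
            return dot > 0 && h.substring(dot + 1).equals(s.substring(2));
        }
        return s.equals(h);
    }

    // Step 3: bind with endpoint identification left ON (the 8u181 default). The URL
    // host must be a name the certificate covers, so use the DC FQDN, not the domain.
    static LdapContext connect(String dcFqdn, String user, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + dcFqdn + ":636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // password travels inside TLS only
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // NOT this: it turns hostname verification off process-wide, so any certificate
        // your trust store accepts could impersonate the domain controller.
        // System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) throws Exception {
        String domain = "corp.example.com"; // assumed AD domain
        System.setProperty("javax.net.ssl.trustStore", "certificates/cacerts"); // path from the question
        List<String> dcs = resolveDomainControllers(domain);
        if (dcs.isEmpty()) {
            throw new IllegalStateException("no SRV records for " + domain);
        }
        String dc = dcs.get(0);
        List<String> sans = certificateDnsNames(dc, 636);
        System.out.println(dc + " presents dNSName SANs " + sans);
        if (sans.stream().noneMatch(s -> nameMatches(s, dc))) {
            throw new IllegalStateException("certificate on " + dc + " does not name the host: fix the certificate, not the client");
        }
        // assumed service account; password passed on the command line for the example
        LdapContext ctx = connect(dc, "CN=svc-ldap,OU=Service,DC=corp,DC=example,DC=com", args.length > 0 ? args[0] : "");
        System.out.println("bound to " + ctx.getEnvironment().get(Context.PROVIDER_URL));
        ctx.close();
    }
}
```

If the SAN list printed in step 2 does not include the name you need to bind to, the right fix is on the server side (reissue the domain controller's certificate with that name as a dNSName SAN) or on the client side by binding to a name that is listed; the disableEndpointIdentification property is a process-wide switch that removes the hostname check for every LDAPS connection the JVM makes, which is why the answer above warns against it.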
