Can't get connection with AD from Java


Problem description

I'm trying to retrieve some information from MS AD: members of the specific branch, department names, positions, etc.

I used a lot of examples, including Apache Directory LDAP API and UnboundID, but I can't get the connection with AD.

RDNs:

C:\Users\Aleksey> whoami /fqdn
       CN=my common name here,
       OU=my organization unit here,
       OU=organization unit 2 here,
       OU=organization unit 1 here,
       OU=main organization unit here,
       DC=.my domain here,
       DC=domain 2 here,
       DC=main domain here

For searching, I use the following filter:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;

public class LdapRetriever {
    public static void main (String[] args) {
        Hashtable<String, String> env = new Hashtable<>();

        env.put(Context.INITIAL_CONTEXT_FACTORY, 
            "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + 
            "ip of domain controller here" + ":389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Also I try to use the following SECURITY_PRINCIPAL: 
        // my login only, my domain\my login
        env.put(Context.SECURITY_PRINCIPAL, "my login here" + "@" + 
            "my domain here.domain 2 here.main domain here");
        env.put(Context.SECURITY_CREDENTIALS, "my password here");

        try {           
            // The bind happens here; this is the call that throws the exception below
            DirContext ctx = new InitialLdapContext(env, null);
            String[] returnedAtts = {"sn", "title", "department", "givenName"};

            SearchControls searchCtls = new SearchControls();  
            searchCtls.setReturningAttributes(returnedAtts);  
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            String searchFilter = "(&(objectClass=user)(cn=*))";
            String searchBase = 
                "DC=my domain here,DC=domain 2 here,DC=main domain here";

            NamingEnumeration<SearchResult> answer = ctx.search(searchBase, 
                searchFilter, searchCtls);
            // ... (handling of the search results is omitted in the original post)
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
}

When I create the directory context by using data from the env I get an exception:

Exception in thread "main" javax.naming.AuthenticationException: 
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 531, vece

If the password is not specified, I get the following exception:

Problem searching directory: 
javax.naming.NamingException: [LDAP: error code 1 - 00000000: 
LdapErr: DSID-0C090627, comment: 
In order to perform this operation a successful bind must be completed 
on the connection., data 0, vece]; remaining name 
'DC=my domain here,DC=domain 2 here,DC=main domain here'

I have verified that my account is not locked.

According to the list of common Active Directory LDAP bind errors:

525  user not found
52e  invalid credentials
530  not permitted to logon at this time
531  not permitted to logon at this workstation
532  password expired
533  account disabled
701  account expired
773  user must reset password
775  user account locked

In my case it means "not permitted to logon at this workstation", but with the same credentials I can log on to the domain.

What could be the reason?

Solution

Error code 531 is most likely related to the configuration of the AD. In some cases a user is restricted to logging in from only one workstation, for example your work PC.
This is configured in the userWorkstations field of the user.
When you can't log in to your AD using RDP, you need your AD admin to check your account for this field and make sure that the AD server is included in your userWorkstations or that the field is removed completely.
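As an added example (not part of the question or the answer above), the small Java helper below pulls the hex sub-code out of the diagnostic message that AD appends to LDAP error 49 and maps it to the table quoted in the question. JNDI surfaces that text through `NamingException.getMessage()`, and the `data 531` / `data 52e` distinction is the only thing that separates "wrong password" from "account restricted", so it is worth decoding in code rather than by eye. The class name, the regular expression and the constructed sample message are assumptions made for this example; the code needs no directory connection to run.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the original post: decode the "data NNN" sub-code that
 * Active Directory appends to an LDAP error 49 (invalidCredentials) diagnostic
 * message, so a caller can tell a bad password (52e) from an account
 * restriction such as 531 (userWorkstations) or 533 (disabled).
 */
public class AdBindErrorDecoder {

    // Sub-codes exactly as listed in the question; AD prints them as hex digits.
    private static final Map<String, String> SUB_CODES = Map.of(
        "525", "user not found",
        "52e", "invalid credentials",
        "530", "not permitted to logon at this time",
        "531", "not permitted to logon at this workstation (check userWorkstations)",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "user account locked");

    // Assumed format of the AD diagnostic text: "... AcceptSecurityContext error, data 531, vece"
    private static final Pattern DATA_CODE =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** Returns the hex sub-code (e.g. "531"), or null if the message is not an AD bind failure. */
    public static String extractSubCode(String diagnosticMessage) {
        if (diagnosticMessage == null) {
            return null;
        }
        Matcher m = DATA_CODE.matcher(diagnosticMessage);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    /** Maps a sub-code to its meaning; unknown codes are reported as unknown rather than guessed. */
    public static String describe(String subCode) {
        if (subCode == null) {
            return "not an AD AcceptSecurityContext failure";
        }
        return SUB_CODES.getOrDefault(subCode, "unknown AD sub-code " + subCode);
    }

    public static void main(String[] args) {
        // Constructed input: the message from the question, as JNDI returns it from getMessage().
        String msg = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
                   + "AcceptSecurityContext error, data 531, vece]";
        String code = extractSubCode(msg);
        System.out.println(code + " -> " + describe(code));
    }
}
```

In the question's `LdapRetriever`, wrap the `new InitialLdapContext(env, null)` call in a `catch (AuthenticationException e)` and feed `e.getMessage()` to `extractSubCode` before retrying or logging; a 531 is a policy hit on the account, not a credential problem, and no amount of retrying a different principal format will change it. Two further points a practitioner would check: the code binds with `simple` authentication over plain `ldap://...:389`, which sends the password in cleartext, so use `ldaps://` (port 636) or StartTLS before this goes anywhere near production; and the admin-side check the answer refers to is the `userWorkstations` attribute, which the Active Directory PowerShell module exposes as the `LogonWorkstations` property of `Get-ADUser`.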
