ldap_bind_s returning LDAP_SUCCESS with wrong credentials

Problem description

I have this little problem. I want to authenticate a user against LDAP (Windows Active Directory). Everything works OK except for the combination (good user, good password, wrong domain).

#include <windows.h>
#include <winldap.h>   // link with Wldap32.lib

// Open a session to the directory server on the standard LDAP port.
LDAP* ldap = ldap_init(L"myserver", 389);
ULONG ldap_version = 3;

ULONG ret = LDAP_SUCCESS;

ret = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, (void*)&ldap_version);
ret = ldap_connect(ldap, NULL);

// Identity under test: valid user, valid password, wrong domain.
SEC_WINNT_AUTH_IDENTITY ai;
ai.Domain = (unsigned short*)BAD_DOMAIN;
ai.DomainLength = wcslen(BAD_DOMAIN);
ai.User = (unsigned short*)OK_USER;
ai.UserLength = wcslen(OK_USER);
ai.Password = (unsigned short*)OK_PASS;
ai.PasswordLength = wcslen(OK_PASS);
ai.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;

// NTLM bind with the identity above; this call returns LDAP_SUCCESS.
ret = ldap_bind_s(ldap, NULL, (PWCHAR) &ai, LDAP_AUTH_NTLM); // !!! HERE !!!
ret = ldap_unbind_s(ldap);

On the line marked '!!! HERE !!!' I'd expect 0x31 or any other error returned. Instead I get LDAP_SUCCESS :(

Any suggestions? Thx, Milan

Recommended answer

Binding is successful because the username/password pair is valid for the domain you're connected to during the ldap_init call. In this case, the domain supplied in the credentials is simply ignored.

To confirm this statement, you could try using some credentials from a trusted domain of this server. Because the user does not exist in the domain you're connected to, supplying an invalid domain name will result in a binding failure with INVALID_CREDENTIALS.

Hope that helps.
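Because the bind ignores the supplied domain when the user/password pair is valid for the connected domain, an application that needs the domain to match has to compare it itself before calling ldap_bind_s. The following is an added example, not code from the question or the answer; the accepted names CORP and corp.example.com and the function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>
#include <wctype.h>

/* Result codes with the values the post mentions (0x31 = invalid credentials). */
#define CHECK_OK                  0x00UL
#define CHECK_INVALID_CREDENTIALS 0x31UL

/* Constructed sample: names this application accepts for the connected domain. */
static const wchar_t *const ACCEPTED_DOMAINS[] = { L"CORP", L"corp.example.com" };

/* Case-insensitive comparison of the first n characters of a against all of b. */
static int same_name(const wchar_t *a, size_t n, const wchar_t *b)
{
    if (wcslen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (towlower((wint_t)a[i]) != towlower((wint_t)b[i])) return 0;
    return 1;
}

/* Call before ldap_bind_s: refuse a domain that is not the one we connect to. */
unsigned long check_bind_domain(const wchar_t *domain)
{
    if (domain == NULL) return CHECK_INVALID_CREDENTIALS;
    size_t n = wcslen(domain);
    if (n > 0 && domain[n - 1] == L'.') n--;      /* tolerate a trailing-dot FQDN */
    if (n == 0) return CHECK_INVALID_CREDENTIALS; /* empty domain is not a match */
    for (size_t i = 0; i < sizeof ACCEPTED_DOMAINS / sizeof ACCEPTED_DOMAINS[0]; i++)
        if (same_name(domain, n, ACCEPTED_DOMAINS[i])) return CHECK_OK;
    return CHECK_INVALID_CREDENTIALS;
}

int main(void)
{
    /* Constructed inputs: two accepted spellings, one wrong domain, one empty. */
    const wchar_t *samples[] = { L"corp", L"CORP.EXAMPLE.COM.", L"BAD_DOMAIN", L"" };
    for (size_t i = 0; i < 4; i++)
        printf("%ls -> 0x%02lx\n", samples[i], check_bind_domain(samples[i]));
    return 0;
}
```

Only when check_bind_domain returns CHECK_OK would the caller go on to fill SEC_WINNT_AUTH_IDENTITY and call ldap_bind_s.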
