无法从Java获得与AD的连接 [英] Can't get connection with AD from Java
问题描述
我正在尝试从MS AD中检索一些信息:特定分支的成员,部门名称,职位,等。
I'm trying retrieve some information from MS AD: members of the specific branch, department names, positions, etc.
我使用了很多例子,包括 Apache Directory LDAP API 和 UnboundID ,但我无法与AD建立连接。
I used a lot of examples, including Apache Directory LDAP API and UnboundID, but I can't get the connection with AD.
RDN:
C:\Users\Aleksey> whoami /fqdn
CN=my common name here,
OU=my organization unit here,
OU=organization unit 2 here,
OU=organization unit 1 here,
OU=main organization unit here,
DC=.my domain here,
DC=domain 2 here,
DC=main domain here
对于搜索,我使用以下过滤器:
For searching, I use the following filter:
public class LdapRetriever {
public static void main (String[] args) {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://" +
"ip of domain controller here" + ":389");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
// Also I try to use the following SECURITY_PRINCIPAL:
// my login only, my domain\ my login
env.put(Context.SECURITY_PRINCIPAL, "my login here" + "@" +
"my domain here.domain 2 here.main domain here");
env.put(Context.SECURITY_CREDENTIALS, "my password here");
try {
DirContext ctx = new InitialLdapContext(env,null);
String returnedAtts[]={"sn","title","department","givenName"};
SearchControls searchCtls = new SearchControls();
searchCtls.setReturningAttributes(returnedAtts);
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String searchFilter = "(&(objectClass=user)(cn=*))";
String searchBase =
"DC=my domain here,DC=domain 2 here,DC=main domain here";
NamingEnumeration answer = ctx.search(searchBase,
searchFilter, searchCtls);
...
当我使用<$ c中的数据创建目录上下文时$ c> env 我得到一个例外:
When I create the directory context by using data from the env
I get an exception:
Exception in thread "main" javax.naming.AuthenticationException:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 531, vece
如果未指定密码,我会收到以下异常:
If the password is not specified, I get the following exception:
Problem searching directory:
javax.naming.NamingException:[LDAP:error code 1 - 00000000:
LdapErr: DSID-0C090627, comment:
In order to perform this operation a successful bind must be completed
on the connection., data 0, vece]; remaining name
'DC=my domain here,DC=domain 2 here,DC=main domain here'
我已经确认我的帐户未被锁定。
I have verified that my account is not locked.
525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password
775 user account locked
在我的情况下,它意味着:不允许在此工作站登录,但凭借相同的凭据,我可以登录到域。
In my case it means: "not permitted to logon at this workstation", but with the same credentials I can logon to the domain.
可能是什么原因?
我会非常感激很多信息。谢谢大家。
I would be very grateful for the information. Thanks to all.
推荐答案
错误代码531很可能与AD的配置有关。
在某些情况下,用户只能从一个工作站登录,例如您的工作电脑。
这是在用户的 userWorkstations 字段中配置的。
当您无法使用RDP登录AD时,您需要AD管理员检查您的帐户以查找此字段,并且AD服务器包含在 userWorkstations 或字段中完全删除。
The Error Code 531 is most likely related to a configuration of the AD.
In some cases a user is restricted to login from only one workstation for example your working pc.
This is configured in the userWorkstations field of the user.
When you can't login to your AD using RDP you need your AD admin to check your account for this field and that the AD Server is included in your userWorkstations or the field is removed completly.
这篇关于无法从Java获得与AD的连接的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!