无法从 Java 获得与 AD 的连接

2022-01-17 00:00:00 ldap active-directory java

我正在尝试从 MS AD 中检索一些信息:特定分支的成员、部门名称、职位、等.

我使用了很多示例,包括 Apache Directory LDAP API 和 UnboundID,但我无法与 AD 建立连接.

RDN:

C:UsersAleksey>哇/fqdnCN=我这里的通用名,OU=我这里的组织单位,OU=此处的组织单元 2,OU=此处的组织单元 1,OU=这里的主要组织单位,DC=.my 域在这里,DC=这里的域 2,DC=这里的主域

对于搜索,我使用以下过滤器:

公共类 LdapRetriever {公共静态无效主要(字符串[]参数){哈希表环境 = 新哈希表();env.put(上下文.INITIAL_CONTEXT_FACTORY,com.sun.jndi.ldap.LdapCtxFactory");env.put(Context.PROVIDER_URL, "ldap://" +这里是域控制器的ip"+:389");env.put(Context.SECURITY_AUTHENTICATION, "简单");//我也尝试使用以下 SECURITY_PRINCIPAL://我的登录名,我的域我的登录名env.put(Context.SECURITY_PRINCIPAL, "我在这里登录" + "@" +我的域here.domain 2 here.main domain here");env.put(Context.SECURITY_CREDENTIALS, "我的密码在这里");尝试 {DirContext ctx = new InitialLdapContext(env,null);字符串返回Atts[]={"sn","title","department","givenName"};SearchControls searchCtls = new SearchControls();searchCtls.setReturningAttributes(returnedAtts);searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);String searchFilter = "(&(objectClass=user)(cn=*))";字符串搜索基础 =这里 DC=我的域,这里 DC=域 2,这里 DC=主域";NamingEnumeration 答案 = ctx.search(searchBase,searchFilter, searchCtls);...

当我使用 env 中的数据创建目录上下文时,出现异常:

线程主"javax.naming.AuthenticationException 中的异常:[LDAP:错误代码 49 - 80090308:LdapErr:DSID-0C090334,注释:AcceptSecurityContext 错误,数据 531,vece

如果没有指定密码,我会得到以下异常:

问题搜索目录:javax.naming.NamingException:[LDAP:错误代码 1 - 00000000:LdapErr:DSID-0C090627,评论:为了执行此操作,必须完成成功的绑定在连接上.,数据0,vece];剩下的名字'这里的 DC=我的域,这里的 DC=域 2,这里的 DC=主域'

我已确认我的帐户没有被锁定.

根据常见活动目录LDAP绑定错误列表:

<块引用>

525 找不到用户52e 无效凭证530 此时不允许登录531 不允许在此工作站登录532 密码过期533 账号被禁用701账号已过期773 用户必须重设密码775 用户帐号被锁定

就我而言,这意味着:不允许在此工作站登录",但我可以使用相同的凭据登录到域.

可能是什么原因?

解决方案

错误代码 531 很可能与 AD 的配置有关.在某些情况下,用户只能从一个工作站登录,例如您的工作电脑.
这是在用户的 userWorkstations 字段中配置的.
当您无法使用 RDP 登录您的 AD 时,您需要您的 AD 管理员检查您的帐户是否有此字段,以及 AD 服务器是否包含在您的 userWorkstations 中,或者该字段已被完全删除.

I'm trying retrieve some information from MS AD: members of the specific branch, department names, positions, etc.

I used a lot of examples, including Apache Directory LDAP API and UnboundID, but I can't get the connection with AD.

RDNs:

C:UsersAleksey> whoami /fqdn
       CN=my common name here,
       OU=my organization unit here,
       OU=organization unit 2 here,
       OU=organization unit 1 here,
       OU=main organization unit here,
       DC=.my domain here,
       DC=domain 2 here,
       DC=main domain here

For searching, I use the following filter:

public class LdapRetriever {
    public static void main (String[] args) {
        Hashtable env = new Hashtable();

        env.put(Context.INITIAL_CONTEXT_FACTORY, 
            "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + 
            "ip of domain controller here" + ":389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // Also I try to use the following SECURITY_PRINCIPAL: 
        // my login only, my domain my login
        env.put(Context.SECURITY_PRINCIPAL, "my login here" + "@" + 
            "my domain here.domain 2 here.main domain here");
        env.put(Context.SECURITY_CREDENTIALS, "my password here");

        try {           
            DirContext ctx = new InitialLdapContext(env,null);
            String returnedAtts[]={"sn","title","department","givenName"};

            SearchControls searchCtls = new SearchControls();  
            searchCtls.setReturningAttributes(returnedAtts);  
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            String searchFilter = "(&(objectClass=user)(cn=*))";
            String searchBase = 
                "DC=my domain here,DC=domain 2 here,DC=main domain here";

            NamingEnumeration answer = ctx.search(searchBase, 
                searchFilter, searchCtls);
            ...

When I create the directory context by using data from the env I get an exception:

Exception in thread "main" javax.naming.AuthenticationException: 
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 531, vece

If the password is not specified, I get the following exception:

Problem searching directory: 
javax.naming.NamingException:[LDAP:error code 1 - 00000000: 
LdapErr: DSID-0C090627, comment: 
In order to perform this operation a successful bind must be completed 
on the connection., data 0, vece]; remaining name 
'DC=my domain here,DC=domain 2 here,DC=main domain here'

I have verified that my account is not locked.

According the list of common active directory LDAP bind errors:

525​  user not found ​
52e​  invalid credentials ​
530​  not permitted to logon at this time​
531​  not permitted to logon at this workstation​
532​  password expired ​
533​  account disabled ​
701​  account expired ​
773​  user must reset password ​
775​  user account locked

In my case it means: "not permitted to logon at this workstation​", but with the same credentials I can logon to the domain.

What could be the reason?

解决方案

The Error Code 531 is most likely related to a configuration of the AD. In some cases a user is restricted to login from only one workstation for example your working pc.
This is configured in the userWorkstations field of the user.
When you can't login to your AD using RDP you need your AD admin to check your account for this field and that the AD Server is included in your userWorkstations or the field is removed completly.

相关文章