Authenticate an Active Directory user with UnboundID using username

I am building an application in which I need to connect to Active Directory using UnboundID. Using the example, I managed to bind a user with their distinguishedName and password.

However, I want to validate them using only the domain and username, similar to how it is done in Windows. Browsing AD with a tool called JXplorer, it seems that sAMAccountName may be the attribute I need. However, replacing distinguishedName with sAMAccountName results in an AcceptSecurityContext error. Using the "uid=..." syntax shown in the example produces the same error.

Is there a way to log in using only the domain, username/sAMAccountName and password? Or do I need to somehow search AD to find the distinguishedName of the user I wish to validate, and then bind the connection using their distinguishedName and password?

You will need to search for the samAccountName using an account with the appropriate permissions to find the user, and then bind as the found user using the distinguished name.

You need to make sure only one entry is returned from the search.

Example for demonstration purposes only!

The parameters are something like:

    "adldap.example.com" "CN=bob,OU=Users,DC=example,DC=com" "connPwd" "OU=Users,DC=example,DC=com" "samAccountName" "findUserValue" "userPassword"

    import java.security.GeneralSecurityException;

    import javax.net.ssl.SSLSocketFactory;

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;

    import com.unboundid.ldap.sdk.Filter;
    import com.unboundid.ldap.sdk.LDAPConnection;
    import com.unboundid.ldap.sdk.LDAPException;
    import com.unboundid.ldap.sdk.LDAPSearchException;
    import com.unboundid.ldap.sdk.SearchRequest;
    import com.unboundid.ldap.sdk.SearchResult;
    import com.unboundid.ldap.sdk.SearchResultEntry;
    import com.unboundid.ldap.sdk.SearchScope;
    import com.unboundid.ldap.sdk.SimpleBindRequest;
    import com.unboundid.util.ssl.SSLUtil;
    import com.unboundid.util.ssl.TrustAllTrustManager;

    // Enclosing class and SLF4J logger added so the posted main() compiles as-is.
    public class FindUserAndBind
    {
        private static final Logger log = LoggerFactory.getLogger(FindUserAndBind.class);

        /**
         * @author jwilleke <br/>
         *         Use For Demonstration Purposes ONLY!
         * @param args connHost connID connPwd searchBase findUserByAttribute findUserValue userPassword
         */
        public static void main(String[] args)
        {
            if (args.length < 7)
            {
                System.err.println("Usage: connHost connID connPwd searchBase findUserByAttribute findUserValue userPassword");
                return;
            }
            String connHost = args[0];
            String connID = args[1];
            String connPwd = args[2];
            String searchBase = args[3];
            String findUserByAttribute = args[4];
            String findUserValue = args[5];
            String userPassword = args[6];
            int connPort = 636; // LDAPS: both connections below use sslSocketFactory, so plain port 389 would not work

            // If I were doing this for real, I would use a POOL for Connections

            SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); // Use For Demonstration Purposes ONLY!
            SSLSocketFactory sslSocketFactory = null;
            try
            {
                sslSocketFactory = sslUtil.createSSLSocketFactory();
            }
            catch (GeneralSecurityException e1)
            {
                e1.printStackTrace();
                return;
            }

            // Privileged connection used only for the search, bound as the service account
            SimpleBindRequest adminBindRequest = new SimpleBindRequest(connID, connPwd);
            LDAPConnection adminConnection = null;
            try
            {
                adminConnection = new LDAPConnection(sslSocketFactory, connHost, connPort);
                log.debug("Successful LDAP adminConnection to:" + connHost + ":" + connPort);
                adminConnection.bind(adminBindRequest);
                log.debug("Successful Bind as:" + connID);
            }
            catch (LDAPException e)
            {
                e.printStackTrace();
                return;
            }

            // Separate connection for the user bind, so the service-account bind is not replaced
            LDAPConnection userConnection = null;
            try
            {
                userConnection = new LDAPConnection(sslSocketFactory, connHost, connPort);
                log.debug("Successful LDAP userConnection to:" + connHost + ":" + connPort);
            }
            catch (LDAPException e)
            {
                e.printStackTrace();
                adminConnection.close();
                return;
            }

            // Construct Filter to find user (createEqualityFilter escapes findUserValue for us)
            Filter findUserfilter = Filter.createEqualityFilter(findUserByAttribute, findUserValue);
            // Create Search Request
            SearchRequest searchRequest = new SearchRequest(searchBase, SearchScope.SUB, findUserfilter);
            searchRequest.setSizeLimit(1); // We will error if we get more than one hit
            SearchResult searchResult = null;
            try
            {
                searchResult = adminConnection.search(searchRequest);
            }
            catch (LDAPSearchException e)
            {
                // A sizeLimitExceeded result (more than one hit) also ends up here
                e.printStackTrace();
            }

            String userDN = null;
            if (searchResult != null)
            {
                if (searchResult.getEntryCount() > 1)
                {
                    log.error("We got more than one Entry for:" + searchRequest.getFilter());
                }
                if (searchResult.getEntryCount() == 0)
                {
                    log.error("We got No Entries for:" + searchRequest.getFilter());
                }
                for (SearchResultEntry entry : searchResult.getSearchEntries())
                {
                    userDN = entry.getDN();
                    log.debug("Found an Entry: " + userDN);
                }
            }

            if (userDN == null)
            {
                log.warn("We got a null for the userBindRequest UserDN and therefore the bind would be anonymous !");
            }
            if (userPassword == null || userPassword.isEmpty())
            {
                log.warn("We got an empty userBindRequest Password and therefore the bind would be anonymous !");
            }
            // Only bind when we have both a DN and a non-empty password
            if (userDN != null && userPassword != null && !userPassword.isEmpty())
            {
                try
                {
                    userConnection.bind(new SimpleBindRequest(userDN, userPassword));
                    log.debug("Successful userConnection Bind as:" + userDN);
                }
                catch (LDAPException e)
                {
                    e.printStackTrace();
                }
            }

            userConnection.close();
            adminConnection.close();
        }
    }

-Jim
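A hardened version of the search-then-bind flow described in the answer above, added here as an example and not Jim's code: it connects over LDAPS with a trust store instead of `TrustAllTrustManager`, keeps the service account in a connection pool, builds the filter with `Filter.createEqualityFilter` so the user-supplied name cannot change the query, and binds as the user on a separate connection only when the search returns exactly one entry. The class name, constructor arguments, trust store path and the LDAPS port are assumptions.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionPool;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import javax.net.ssl.SSLSocketFactory;

/**
 * Search-then-bind authentication against Active Directory over LDAPS.
 * Hypothetical helper written for this page; host, port (636 assumed),
 * trust store path and service account are placeholders.
 */
public final class AdSearchThenBindAuthenticator
{
    private final LDAPConnectionPool servicePool;   // bound as a low-privilege lookup account
    private final SSLSocketFactory sslSocketFactory;
    private final String host;
    private final int port;
    private final String searchBase;

    public AdSearchThenBindAuthenticator(String host, int port, String trustStorePath,
                                         String serviceDN, String servicePassword,
                                         String searchBase) throws Exception
    {
        this.host = host;
        this.port = port;
        this.searchBase = searchBase;
        // Trust only the CA certificates in our own trust store, never everything.
        SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(trustStorePath));
        this.sslSocketFactory = sslUtil.createSSLSocketFactory();
        LDAPConnection seed = new LDAPConnection(sslSocketFactory, host, port, serviceDN, servicePassword);
        this.servicePool = new LDAPConnectionPool(seed, 1, 4);
    }

    /** Resolve a sAMAccountName to exactly one DN; returns null when unknown or ambiguous. */
    String findUserDN(String samAccountName) throws LDAPException
    {
        // createEqualityFilter escapes the value, so "*" or ")(" in the input cannot widen the search.
        Filter filter = Filter.createEqualityFilter("sAMAccountName", samAccountName);
        // "1.1" asks for no attributes: we only need the DN.
        SearchRequest req = new SearchRequest(searchBase, SearchScope.SUB, filter, "1.1");
        req.setSizeLimit(2);   // two hits is enough to prove the name is ambiguous
        SearchResult result = servicePool.search(req);
        if (result.getEntryCount() != 1)
        {
            return null;
        }
        return result.getSearchEntries().get(0).getDN();
    }

    public boolean authenticate(String samAccountName, String password)
    {
        // An empty password would turn the simple bind into an unauthenticated (anonymous) bind.
        if (samAccountName == null || samAccountName.isEmpty() || password == null || password.isEmpty())
        {
            return false;
        }
        try
        {
            String userDN = findUserDN(samAccountName);
            if (userDN == null)
            {
                return false;
            }
            // Fresh connection for the user bind so the pooled service-account bind is untouched.
            try (LDAPConnection userConn = new LDAPConnection(sslSocketFactory, host, port))
            {
                BindResult bind = userConn.bind(new SimpleBindRequest(userDN, password));
                return bind.getResultCode() == ResultCode.SUCCESS;
            }
        }
        catch (LDAPException e)
        {
            // Invalid credentials, a sizeLimitExceeded search result and connection failures all land here.
            return false;
        }
    }
}
```

The search runs with a size limit of 2 rather than 1 on purpose: with a limit of 1 the server caps the result at one entry and reports sizeLimitExceeded, so the "more than one entry" case is only ever seen as an exception; with 2, `findUserDN` can see the second entry and refuse the login explicitly.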

As @ioplex said in his comment, AD accepts binds using the username from sAMAccountName with the domain name appended. Just use that instead of the DN on the bind:

    String userId = username + "@" + domain;   // userPrincipalName-style login name
    SimpleBindRequest userBindRequest = new SimpleBindRequest(userId, password);

The final user ID looks like 'eharris@contoso.local'
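An added example (not from the answer above) of the user@domain bind with the two checks a practitioner wants around it: it refuses an empty password before anything is sent, because AD treats a simple bind with a name but no password as an anonymous bind that succeeds, and it maps the `data NNN` sub-code AD places in the diagnostic message of an invalidCredentials result (the "AcceptSecurityContext error" from the question) to an outcome for server-side logging, while the caller shows the user only a generic failure. The class name, the `Outcome` enum, the fields and the assumption that `socketFactory` is an `SSLSocketFactory` built from a real trust store are all this example's own.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;

import javax.net.SocketFactory;

/**
 * Direct user@domain bind against Active Directory.
 * Hypothetical helper written for this page; the socket factory is expected
 * to be an SSLSocketFactory built from a real trust store.
 */
public final class AdUpnBindAuthenticator
{
    /** What the application logs; the end user only learns SUCCESS or "login failed". */
    public enum Outcome
    {
        SUCCESS, BAD_CREDENTIALS, ACCOUNT_DISABLED, ACCOUNT_LOCKED,
        PASSWORD_EXPIRED, MUST_CHANGE_PASSWORD, OTHER_FAILURE
    }

    private final SocketFactory socketFactory;
    private final String host;
    private final int port;
    private final String domain;   // e.g. "contoso.local" (assumed value)

    public AdUpnBindAuthenticator(SocketFactory socketFactory, String host, int port, String domain)
    {
        this.socketFactory = socketFactory;
        this.host = host;
        this.port = port;
        this.domain = domain;
    }

    /** Build "user@domain", refusing input that already carries a realm or looks like a DN. */
    static String toUserPrincipalName(String username, String domain)
    {
        if (username == null || username.isEmpty()
                || username.contains("@") || username.contains("=") || username.contains(","))
        {
            throw new IllegalArgumentException("username must be a bare sAMAccountName");
        }
        return username + "@" + domain;
    }

    /** Map the AD "data NNN" sub-code of an invalidCredentials result to an outcome for logging. */
    static Outcome classify(LDAPException e)
    {
        if (e.getResultCode() != ResultCode.INVALID_CREDENTIALS)
        {
            return Outcome.OTHER_FAILURE;   // connect failure, TLS trust problem, server down
        }
        String msg = e.getDiagnosticMessage() == null ? "" : e.getDiagnosticMessage();
        if (msg.contains("data 533")) return Outcome.ACCOUNT_DISABLED;
        if (msg.contains("data 775")) return Outcome.ACCOUNT_LOCKED;
        if (msg.contains("data 532")) return Outcome.PASSWORD_EXPIRED;
        if (msg.contains("data 773")) return Outcome.MUST_CHANGE_PASSWORD;
        return Outcome.BAD_CREDENTIALS;     // 52e (wrong password), 525 (no such user) and anything else
    }

    public Outcome authenticate(String username, String password)
    {
        // A simple bind with a name but an empty password is an unauthenticated bind, which AD
        // answers with success as an anonymous session. Stop it before it reaches the wire.
        if (password == null || password.isEmpty())
        {
            return Outcome.BAD_CREDENTIALS;
        }
        String upn;
        try
        {
            upn = toUserPrincipalName(username, domain);
        }
        catch (IllegalArgumentException e)
        {
            return Outcome.BAD_CREDENTIALS;
        }
        try (LDAPConnection conn = new LDAPConnection(socketFactory, host, port))
        {
            BindResult result = conn.bind(new SimpleBindRequest(upn, password));
            return result.getResultCode() == ResultCode.SUCCESS ? Outcome.SUCCESS : Outcome.OTHER_FAILURE;
        }
        catch (LDAPException e)
        {
            return classify(e);
        }
    }
}
```

The caller should record the `Outcome` in its audit log (a burst of ACCOUNT_LOCKED results is worth an alert) but return the same "login failed" message to the user for every non-SUCCESS value, so the login form does not reveal which accounts exist or are locked.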