Authenticate via Active Directory using LDAP (Java, Play Framework)

I'm trying to authenticate via Windows Active Directory using LDAP. I have an LDAPContext class that sets up the context, and an authenticate method that should find the email in the AD.

This is my LDAPContext class:

public class LDAPContext extends InitialDirContext {

    Hashtable<String, String> env = new Hashtable<String, String>();


    public LDAPContext(String email, String password) throws NamingException
    {
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://myintranet.com");
        env.put(Context.SECURITY_AUTHENTICATION,"simple");
        env.put(Context.SECURITY_PRINCIPAL,"mail="+email+"""); // specify the username
        env.put(Context.SECURITY_CREDENTIALS,password);
        DirContext ctx = new InitialDirContext(env);
    }
}

And this is my authenticate method:

public static User authenticate(final String email, final String password){
    try { 
        LDAPContext adContext = new LDAPContext(email, password);
        Attributes matchAttrs = new BasicAttributes(true);
        matchAttrs.put(new BasicAttribute("mail", email));
        NamingEnumeration<SearchResult> en = adContext.search("", matchAttrs);

       while(en.hasMore()) {
           System.out.println("Found email!!!");
       }
    } catch(NamingException e) {
        System.out.println("NamingException");
    }
...

I continuously get a "NamingException" error. I'm sure the email is in the AD and the specified name of email is "mail". What have I done wrong?

Edit: a more specific error is

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

and means that the credentials are wrong. I've tried to hard-code it, but it still doesn't work.

Recommended answer

The issue is the SECURITY_PRINCIPAL value you're trying to use is not a valid value that you can bind on. It's only possible to bind with a username, not the attributes associated with a user.

Active Directory allows you to bind on either username@domain or the user account's full Distinguishing Name. The DN value is often something like...

cn=username,cn=Users,dc=abc,dc=mycompany,dc=com

but the actual value depends on your AD configuration.

If you want to find a user by their email address, you'll need to bind using an administrator ID (or some ID that has the ability to search), search for the user with that specific email address, then rebind with their username to authenticate.

Also, not that it changes anything, but in the bind name ("mail="+email+""") you have a closing " but not an opening one.
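
The search-then-rebind flow the answer describes, as an added example that is not part of the original question or answer. The `ldaps://` URL, the search base (taken from the answer's sample DN), the class name and the service-account parameters are assumptions to adapt to your directory.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class AdEmailAuthenticator {
    // Assumed values: LDAPS on the question's host, container from the answer's sample DN.
    static final String URL = "ldaps://myintranet.com";
    static final String SEARCH_BASE = "cn=Users,dc=abc,dc=mycompany,dc=com";

    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);   // username@domain or a full DN
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Returns the user's DN if the email/password pair is valid, otherwise null. */
    public static String authenticate(String svcPrincipal, String svcPassword,
                                      String email, String password) throws NamingException {
        // A simple bind with an empty password is an unauthenticated bind and may succeed.
        if (email == null || password == null || password.isEmpty()) return null;
        String userDn;
        DirContext svc = bind(svcPrincipal, svcPassword);   // 1. bind as an account that may search
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);       // only the DN is needed
            // 2. {0} is escaped by JNDI, so the email value cannot change the filter
            NamingEnumeration<SearchResult> en = svc.search(
                SEARCH_BASE, "(&(objectClass=user)(mail={0}))", new Object[] { email }, sc);
            if (!en.hasMore()) return null;                 // no such mail address
            userDn = en.next().getNameInNamespace();
            if (en.hasMore()) return null;                  // ambiguous: more than one match
        } finally {
            svc.close();
        }
        try {
            bind(userDn, password).close();                 // 3. rebind as the user
            return userDn;
        } catch (AuthenticationException e) {               // e.g. error code 49, data 52e
            return null;
        }
    }
}
```

Connection or configuration failures still surface as `NamingException`, so only a rejected bind is reported as a failed login.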
