Unable to access created user INTO AD

Question

I am trying to create a user in Active Directory using Spring Boot. The user is getting created, but I am unable to access that created user. The user creation code is as below:

import java.nio.charset.StandardCharsets;
import javax.naming.Name;
import org.springframework.ldap.core.DirContextAdapter;

protected void createUsersAD(String userName, String orgName) {
    Name dn = buildUserDnn(userName);
    DirContextAdapter context = new DirContextAdapter(dn);

    context.setAttributeValues("objectclass",
            new String[] { "top", "person", "organizationalPerson", "inetOrgPerson" });
    context.setAttributeValue("cn", userName);
    if (orgName != null && !orgName.isEmpty())   // compare contents, not references
        context.setAttributeValue("ou", orgName);
    context.setAttributeValue("givenName", userName);
    context.setAttributeValue("displayName", userName);
    context.setAttributeValue("name", userName);
    context.setAttributeValue("userPrincipalName", userName + "@" + config.getDomainName());
    // AD expects the new password wrapped in double quotes and encoded as UTF-16LE (no BOM);
    // StandardCharsets avoids the checked UnsupportedEncodingException of getBytes(String)
    String newQuotedPassword = "\"" + password + "\"";
    byte[] newUnicodePassword = newQuotedPassword.getBytes(StandardCharsets.UTF_16LE);
    context.setAttributeValue("unicodePwd", newUnicodePassword);
    //context.setAttributeValue("userAccountControl", Integer.toString(512));
    //context.setAttributeValue("sAMAccountName", userName);
    ldapTemplate.bind(context);
    LOGGER.debug("User created successfully INTO AD.");
}

With the same code I am able to create the user in LDAP and access that user as well.

When I compared the users, I observed that userAccountControl is getting set to 546, which means (a value of 546 (decimal) is 0x222 hex and means: normal account, disabled, password not required).

I tried to set the value of userAccountControl, but I am getting an error:

> EXCEPTION======org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A1236, problem 5003 (WILL_NOT_PERFORM), data 0

I am getting this error:

2020-10-05 19:10:26.167 DEBUG 12304 --- [o-auto-1-exec-4] c.a.c.security.JwtAuthenticationFilter   :  JwtAuthenticationFilter  attemptAuthentication authenticationToken com.atos.config.security.SelfServiceUserPasswordAuthToken@e3ac519c: Principal: cucumber_customer_admin_multi; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities
2020-10-05 19:10:26.167 DEBUG 12304 --- [o-auto-1-exec-4] c.a.c.security.JwtAuthenticationFilter   :  JwtAuthenticationFilter  authenticationManager used class com.atos.config.security.SelfServiceAuthenticationManager
2020-10-05 19:10:26.168  INFO 12304 --- [o-auto-1-exec-4] c.a.c.s.SelfServiceAuthenticationManager : authenticate called 
2020-10-05 19:10:26.169 DEBUG 12304 --- [o-auto-1-exec-4] ctiveDirectoryLdapAuthenticationProvider : Processing authentication request for user: cucumber_customer_admin_multi
2020-10-05 19:10:26.450 DEBUG 12304 --- [o-auto-1-exec-4] ctiveDirectoryLdapAuthenticationProvider : Authentication for cucumber_customer_admin_multi@amosonline.io failed: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090436, comment: AcceptSecurityContext error, data 52e, v4563

Answer 1

Score: 1


In my (short) experience with Active Directory via LDAP, the "DSID-031A1236" code means that there is a problem with your LDAPS (LDAP over SSL / TLS) configuration. Changing AD passwords via LDAP requires LDAPS.

The LDAP error message is not useful ("DSID-031A1236"???), can be confusing ("problem 5003" refers to password policy constraints, which is not the case) and even bratty ("WILL_NOT_PERFORM", NO NO NO!), but the couple of times that I've met this specific error, the solution was always related to SSL: an invalid certificate, a network load balancer "posing" as SSL but rerouting to plain LDAP ports, etc.

If you need to make changes to the AD server, there is some documentation that may be useful at https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
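The pieces a practitioner checks when an AD user created over LDAP cannot log in, as one added worked example covering both the question's code and log lines and the answer's LDAPS point. This is Python written for this page, not code from the post, the answer or Spring LDAP; the helper names and the sample account alice@example.test are this example's own. It encodes unicodePwd exactly as the Java code's getBytes("UTF-16LE") does, decodes the userAccountControl value 546 into its flags, builds the attribute set for a single add that yields an enabled account (AD's own "user" class, an explicit sAMAccountName, userAccountControl 512), checks the server URL for ldaps://, and extracts the Win32 error code that AD embeds in its diagnostic strings (the 8-hex-digit prefix, or the "data" field for bind failures) from the two messages quoted in the question.

```python
"""Helpers for creating and debugging an Active Directory user over LDAP.
Added example (not code from the question, the answer or Spring LDAP); pure
Python, no directory connection needed. Function names are this example's own."""
import re
from urllib.parse import urlsplit

# userAccountControl bits (subset of the documented AD flag values)
UAC = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
}

# Win32 error codes that AD embeds in its LDAP diagnostic strings
WIN32_ERRORS = {
    0x01F: "ERROR_GEN_FAILURE",           # typically: unicodePwd sent over an unencrypted connection
    0x525: "ERROR_NO_SUCH_USER",
    0x52D: "ERROR_PASSWORD_RESTRICTION",  # new password fails length/complexity/history policy
    0x52E: "ERROR_LOGON_FAILURE",         # wrong user name or password
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

# Matches e.g. "LDAP: error code 49 - 80090308: LdapErr: ..., data 52e, v4563"
#          and "LDAP: error code 53 - 0000052D: SvcErr: ..., data 0"
LDAP_DIAG_RE = re.compile(
    r"LDAP: error code (?P<rc>\d+) - (?P<prefix>[0-9A-Fa-f]{8}):.*?data (?P<data>[0-9A-Fa-f]+)"
)


def decode_uac(value: int) -> list[str]:
    """Names of the userAccountControl bits set in value (546 -> disabled, no password required)."""
    return [name for name, bit in UAC.items() if value & bit]


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire format: the password in double quotes, UTF-16LE, no BOM.
    Identical to Java's ("\"" + password + "\"").getBytes("UTF-16LE")."""
    return f'"{password}"'.encode("utf-16-le")


def password_write_allowed(ldap_url: str) -> bool:
    """AD refuses to set unicodePwd unless the connection is encrypted; ldaps:// is the
    simple case (StartTLS on ldap:// also qualifies but cannot be told from the URL)."""
    return urlsplit(ldap_url).scheme.lower() == "ldaps"


def ad_user_attributes(user_name: str, domain: str, password: str, enabled: bool = True) -> dict:
    """Attribute set for a single LDAP add that yields a usable account: AD's 'user'
    class, an explicit sAMAccountName (AD generates a random one otherwise), the
    password, and userAccountControl without ACCOUNTDISABLE or PASSWD_NOTREQD."""
    if len(user_name) > 20:
        # documented pre-Windows 2000 logon name limit
        raise ValueError("sAMAccountName longer than 20 characters: " + user_name)
    uac = UAC["NORMAL_ACCOUNT"] | (0 if enabled else UAC["ACCOUNTDISABLE"])
    return {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": user_name,
        "sAMAccountName": user_name,
        "userPrincipalName": f"{user_name}@{domain}",
        "unicodePwd": encode_unicode_pwd(password),
        "userAccountControl": str(uac),
    }


def explain_ad_error(message: str) -> dict:
    """Pull the Win32 code out of an AD diagnostic string: for bind failures (result
    code 49) it is the 'data' field, for other operations the 8-hex-digit prefix."""
    m = LDAP_DIAG_RE.search(message)
    if m is None:
        raise ValueError("not an AD diagnostic message")
    rc = int(m.group("rc"))
    code = int(m.group("data"), 16) if rc == 49 else int(m.group("prefix"), 16)
    return {"result_code": rc, "win32": code, "name": WIN32_ERRORS.get(code, "UNKNOWN")}


# The two diagnostics quoted in the question, copied verbatim
UAC_WRITE_ERROR = ("[LDAP: error code 53 - 0000052D: SvcErr: DSID-031A1236, "
                   "problem 5003 (WILL_NOT_PERFORM), data 0")
BIND_ERROR = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090436, comment: "
              "AcceptSecurityContext error, data 52e, v4563")

if __name__ == "__main__":
    print(decode_uac(546))
    print(explain_ad_error(UAC_WRITE_ERROR))
    print(explain_ad_error(BIND_ERROR))
    print(password_write_allowed("ldaps://dc01.example.test:636"))
    print(ad_user_attributes("alice", "example.test", "Correct-Horse-7!"))
```

The attribute dictionary is what the Spring DirContextAdapter in the question would carry if sAMAccountName and userAccountControl were set in the same add instead of being commented out; whichever client sends it, the add still has to go over a connection AD considers encrypted or the unicodePwd value is rejected.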

huangapple
  • Posted on 5 October 2020, 22:03:59
  • Please keep this link when reposting: https://go.coder-hub.com/64210220.html