Adding a user to AD LDS (ADAM) with Java and LDAP
Disclaimer: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/9740426/
Asked by Andreas
EDIT4: Got my application to write the user to the active directory, but the active directory complains when I try to enable the user
Previous messages
I'm trying to add a user to my local Active Directory (with AD LDS) by using Java (1.4) and LDAP. However, I keep getting the following error:
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - 0000207B : UpdErr: DSID-030511CF, problem 6002 (OBJ_CLASS_VIOLATION), data 0 ]; remaining name 'CN=Test user,OU=Accounts,DC=PORTAL,DC=COMPANY,DC=BE'
My code:
```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public static void main(String[] args) {
    try {
        DirContext ctx = new InitialDirContext(X_Ldap.getEnvironment());
        user usr = new user("Test user", "FALSE");
        // bind() stores the object under this DN; JNDI reads the entry's
        // attributes from the bound object, so the class must expose them.
        ctx.bind("CN=Test user,OU=Accounts,DC=PORTAL,DC=COMPANY,DC=BE", usr);
        // X_Ldap.checkIfUserExists("Test User");
        ctx.close();
    } catch (NamingException e) {
        e.printStackTrace();
    }
}

public class user implements DirContext {
    String type;
    Attributes attr;   // keep the attributes; the original built and then discarded them

    /**
     * @param username   stored as the entry's comment and returned by toString()
     * @param isDisabled TRUE or FALSE (literally)
     */
    public user(String username, String isDisabled) {
        type = username;   // assign the field (the original shadowed it with a local)
        attr = new BasicAttributes(true);
        Attribute oc = new BasicAttribute("objectclass");
        oc.add("top");
        oc.add("person");
        oc.add("organizationalPerson");
        oc.add("user");
        // memberOf is a back link the directory maintains from the group side;
        // it is not a value a client can write on the user entry.
        Attribute memberOf = new BasicAttribute("memberOf");
        memberOf.add("CN=Users,CN=Roles,DC=PORTAL,DC=COMPANY,DC=BE");
        attr.put(oc);
        attr.put("msDS-UserAccountDisabled", isDisabled);
        attr.put(memberOf);
        attr.put("comment", username);
    }

    public String toString() {
        return type;
    }

    // The remaining DirContext methods (including getAttributes, which bind()
    // uses to read the entry's attributes) are not shown in the post.
}
```
EDIT: I checked one of my user objects for mandatory attributes, but I'm not sure what I should fill in for all of them:
cn: Jane Doe -- Unicode string
instanceType: 0x4 = (WRITE) -- Integer
objectCategory: CN=Person,CN=Schema,CN=Configuration,CN={EDBEACA1-6F60-413C-80F2-6C5CE265F22F} -- Distinguished Name
objectClass: top; person; organizationalPerson; user -- Object Identifier
objectSid: S-1-372665300-2234744891-519896106-1336725265-1748609191-3385095770 -- SID
EDIT2: My current code:
```java
import java.io.IOException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class newuser {
    public static void main(String[] args) {
        String userName = "cn=Albert Einstein,ou=Accounts,DC=PORTAL,DC=COMPANY,DC=BE";
        // String groupName =
        // "cn=Users,cn=Roles,DC=PORTAL,DC=COMPANY,DC=BE";
        try {
            // Create the initial directory context
            System.out.println("Creating initial directory context...");
            LdapContext ctx = new InitialLdapContext(X_Ldap.getEnvironment(), null);
            // Create attributes to be associated with the new user
            Attributes attrs = new BasicAttributes(true);
            // some useful constants from lmaccess.h
            int UF_ACCOUNTDISABLE = 0x0002;
            int UF_PASSWD_NOTREQD = 0x0020;
            int UF_PASSWD_CANT_CHANGE = 0x0040;
            int UF_NORMAL_ACCOUNT = 0x0200;
            int UF_DONT_EXPIRE_PASSWD = 0x10000;
            int UF_PASSWORD_EXPIRED = 0x800000;
            attrs.put("objectClass", "user");
            attrs.put("cn", "Albert Einstein");
            // These are some optional (but useful) attributes
            attrs.put("givenName", "Albert");
            attrs.put("sn", "Einstein");
            attrs.put("displayName", "Albert Einstein");
            attrs.put("description", "Research Scientist");
            attrs.put("userPrincipalName", "[email protected]");
            attrs.put("mail", "[email protected]");
            attrs.put("telephoneNumber", "999 123 4567");
            // Active Directory expects the quoted password as UTF-16LE bytes;
            // Java's "UTF-16" charset writes a byte-order mark and big-endian data.
            String newQuotedPassword = "\"Pass123\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16");
            attrs.put("unicodePwd", newUnicodePassword);
            // msDS-User-Account-Control-Computed is a server-computed, read-only
            // attribute; AD LDS has no userAccountControl bitmask (see EDIT 3).
            attrs.put("msDS-User-Account-Control-Computed",
                    Integer.toString(UF_NORMAL_ACCOUNT + UF_DONT_EXPIRE_PASSWD));
            // Create the context
            System.out.println("Creating context...");
            Context result = ctx.createSubcontext(userName, attrs);
            System.out.println("Created disabled account for: " + userName);
            ctx.close();
            System.out.println("Successfully created User: " + userName);
        } catch (NamingException e) {
            System.err.println("Problem creating object: " + e);
        } catch (IOException e) {
            // getBytes(String) throws UnsupportedEncodingException, an IOException
            System.err.println("Problem creating object: " + e);
        }
    }
}
```
Still have the following problem:
```java
String newQuotedPassword = "\"Pass123\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16");
attrs.put("unicodePwd", newUnicodePassword);
```
gives me the following exception:
Creating initial directory context... Problem creating object: java.io.UnsupportedEncodingException: UTF16LE
note: I disabled the requirement for SSL to change the password
EDIT 3: apparently the "User Account Control" is not supported by AD LDS and is split up into a number of different attributes.
Accepted answer by JPBlanc
You perhaps can have a look at Using JAVA code with Active Directory, especially Creating new users & demystifying userAccountControl.
For me you forgot the "CN" attribute.
Answer by Terry Gardner
Check your schema documentation for which attributes are allowed and required for the person, user, and organizationalPerson object classes. Ensure that the entry the code is trying to add has all the attributes that are required, and only attributes that are allowed or required.
Answer by Craig Wohlfeil
An object class schema violation means that there is one or more required attribute that is missing from the object that you are trying to create. So you need to look at the schemas for top, person, organizationalPerson, and user and ensure that you are setting all of the attributes that are required.
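One way to take the two answers above literally and ask the server itself which attributes are required, as an added example that is not part of the original question or answers: it walks the JNDI schema tree from the user class up its SUP chain (AD only lists a class's own MUST entries on that class, so inherited ones such as instanceType on top need the walk) and prints every MUST attribute. The host name is a placeholder, the connection is assumed to be allowed to read the subschema subentry (add credentials if not), and auxiliary classes are not followed.

```java
import java.util.Hashtable;
import java.util.Set;
import java.util.TreeSet;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class RequiredAttributes {

    // Collect MUST attributes of objectClass and of every superior class (SUP),
    // reading the definitions the server publishes through JNDI's schema tree.
    static void collectMust(DirContext schema, String objectClass, Set out, Set seen)
            throws NamingException {
        if (!seen.add(objectClass)) {
            return;                       // already visited (several paths lead to top)
        }
        Attributes def = ((DirContext) schema.lookup("ClassDefinition/" + objectClass))
                .getAttributes("");
        addValues(out, def.get("MUST"));
        Attribute sup = def.get("SUP");   // may be absent (top) or multi-valued
        if (sup != null) {
            for (NamingEnumeration e = sup.getAll(); e.hasMore();) {
                collectMust(schema, (String) e.next(), out, seen);
            }
        }
    }

    static void addValues(Set out, Attribute attr) throws NamingException {
        if (attr == null) return;         // class defines no MUST of its own
        for (NamingEnumeration e = attr.getAll(); e.hasMore();) {
            out.add(e.next());
        }
    }

    public static void main(String[] args) throws NamingException {
        Hashtable env = new Hashtable();  // raw type: stays compatible with Java 1.4
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://adlds.example.test:389"); // placeholder host
        DirContext ctx = new InitialDirContext(env);
        Set required = new TreeSet(String.CASE_INSENSITIVE_ORDER);
        collectMust(ctx.getSchema(""), "user", required, new TreeSet(String.CASE_INSENSITIVE_ORDER));
        System.out.println("MUST attributes for user: " + required);
        ctx.close();
    }
}
```

Attributes such as objectSid or nTSecurityDescriptor that show up in the output are generated by the server on creation and do not need to be supplied by the client.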
Answer by rkosegi
Here is some know-how which I learned during development of a user account management application (ASP.NET) for Active Directory 2008:
You should fill in sAMAccountName or userPrincipalName
The account remains disabled until you set a password for it according to the domain password policies
Any password-related operations need to be done using a secure connection
When creating an account, open the context of the OU where you want to create the user object. Then call the method to add it
Read this document : http://msdn.microsoft.com/en-us/magazine/cc135979.aspx
(I know, it is for .NET, but it is very, very similar to the Java LDAP API)
Hope this helps you
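The sequence the answer above describes (create the entry with its mandatory attributes, set the password over a secure connection, then enable the account), as an added Java example that is not part of the question or of any answer here. The host name, the admin DN and the two system properties carrying passwords are placeholders; the password encoding fixes the UTF-16 problem from EDIT 2, and the enable step uses msDS-UserAccountDisabled because, as EDIT 3 notes, AD LDS has no userAccountControl.

```java
import java.io.UnsupportedEncodingException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

public class AdLdsUserCreate {
    // AD expects unicodePwd as the UTF-16LE bytes of the password wrapped in double
    // quotes, with no byte-order mark. Java's "UTF-16" charset emits a BOM and big-endian.
    static byte[] encodeUnicodePwd(String password) throws UnsupportedEncodingException {
        return ("\"" + password + "\"").getBytes("UTF-16LE");
    }

    // Only the structural class chain and the attributes the client must supply;
    // instanceType, objectCategory and objectSid are filled in by the server.
    static Attributes userAttributes(String cn, String upn) {
        Attributes attrs = new BasicAttributes(true);        // ignore attribute-id case
        BasicAttribute oc = new BasicAttribute("objectClass");
        oc.add("top"); oc.add("person"); oc.add("organizationalPerson"); oc.add("user");
        attrs.put(oc);
        attrs.put("cn", cn);
        attrs.put("userPrincipalName", upn);
        return attrs;
    }

    public static void main(String[] args) throws NamingException, UnsupportedEncodingException {
        Hashtable env = new Hashtable();                      // raw type: Java 1.4 compatible
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://adlds.example.test:636"); // placeholder; LDAPS, not plain LDAP
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "CN=Admin,OU=Accounts,DC=PORTAL,DC=COMPANY,DC=BE"); // placeholder
        env.put(Context.SECURITY_CREDENTIALS, System.getProperty("adlds.admin.pw")); // passed via -D, not hard-coded
        String dn = "CN=Test user,OU=Accounts,DC=PORTAL,DC=COMPANY,DC=BE";
        DirContext ctx = new InitialDirContext(env);
        try {
            // 1. add the entry; it starts out disabled and without a password
            ctx.createSubcontext(dn, userAttributes("Test user", "testuser@portal.company.be")).close();
            // 2. set the password over the TLS-protected connection, then enable the account
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd",
                        encodeUnicodePwd(System.getProperty("adlds.initial.pw")))),
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("msDS-UserAccountDisabled", "FALSE"))
            };
            ctx.modifyAttributes(dn, mods);
        } finally {
            ctx.close();
        }
    }
}
```

If the password does not satisfy the configured password policy, the modify fails with a constraint violation and the account stays disabled, which is the behaviour the answer above describes.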