What are the accepted SECURITY_PRINCIPAL formats for Java LDAP authentication against Active Directory?

Declaration: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/15763708/

Time: 2020-10-31 20:47:16  Source: igfitidea

What are the accepted SECURITY_PRINCIPAL formats for LDAP Authentication against Active Directory?

Tags: java, authentication, active-directory, ldap

Asked by Fung

I am trying to authenticate a user through LDAP against Active Directory. Following is the code snippet I use:


import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

// bindUrl is a field of the enclosing class, set elsewhere in the original code
private DirContext bindAsUser(String bindPrincipal, String password) {
    Hashtable<String,String> env = new Hashtable<String,String>();
    env.put(Context.SECURITY_AUTHENTICATION, "simple");   // LDAP simple bind: name + password
    env.put(Context.SECURITY_PRINCIPAL, bindPrincipal);   // the name form this question is about
    env.put(Context.PROVIDER_URL, bindUrl);
    env.put(Context.SECURITY_CREDENTIALS, password);
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.REFERRAL, "follow");

    try {
        return new InitialLdapContext(env, null);   // the bind itself happens here
    } catch (NamingException e) {
        e.printStackTrace();   // semicolon was missing in the original
        return null;           // original had no return on this path and would not compile
    }
}

The code for binding works if I provide:


  • Down-Level Logon Name, i.e. NetBIOSDomainName\sAMAccountName (e.g. domain\username), or
  • userPrincipalName (e.g. [email protected]), or
  • distinguishedName (e.g. CN=username,OU=xxx,DC=abc,DC=com), or
  • objectSid (e.g. S-1-5-21-3623811015-3361044348-30300820-1013)

as the SECURITY_PRINCIPAL, while it failed if sAMAccountName (e.g. username) was used (I guess only the names which are unique within the forest are valid).


So what are the accepted patterns for SECURITY_PRINCIPAL? I searched a few similar questions, but none provides a reference to official AD/LDAP documents. Or is it a configuration which I could look up somewhere? Thanks!


Accepted answer by baldpate

From [MS-ADTS: Active Directory Technical Specification], the official doc for AD I guess.


http://msdn.microsoft.com/en-us/library/cc223499.aspx


Section "5.1.1.1.1 Simple Authentication" lists all the name forms supported by simple authentication.

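As an added example (not code from the question or the answer), the following Java helper classifies a supplied principal into the four name forms the question found to work, which are the forms MS-ADTS 5.1.1.1.1 lists for simple authentication, and rejects a bare sAMAccountName before any bind is attempted. It also adds two checks the original snippet lacks: it refuses an empty password, because Active Directory treats an empty-password simple bind as an anonymous bind that succeeds without checking credentials, and it requires an ldaps:// URL, because a simple bind sends the password in clear. The domain values ABC / abc.com and the class name are constructed.

```java
import java.util.Hashtable;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdSimpleBind {
    // The four name forms the question found to work for a simple bind against AD.
    private static final Pattern DOWN_LEVEL = Pattern.compile("^[^\\\\@=]+\\\\[^\\\\@=]+$"); // DOMAIN\user
    private static final Pattern UPN        = Pattern.compile("^[^\\\\@=]+@[^\\\\@=]+$");    // user@domain
    private static final Pattern DN         = Pattern.compile("(?i)^CN=.+,.*DC=.+$");        // CN=...,DC=...
    private static final Pattern SID        = Pattern.compile("^S-1-\\d+(-\\d+)+$");         // S-1-5-21-...

    /** Returns the name form of the principal, or null for a bare sAMAccountName or empty input. */
    static String nameForm(String principal) {
        if (principal == null || principal.isEmpty()) return null;
        if (DOWN_LEVEL.matcher(principal).matches()) return "downLevelLogonName";
        if (UPN.matcher(principal).matches())        return "userPrincipalName";
        if (DN.matcher(principal).matches())         return "distinguishedName";
        if (SID.matcher(principal).matches())        return "objectSid";
        return null;   // e.g. "username" alone: not accepted by AD for simple bind
    }

    /** Simple bind over LDAPS; rejects unqualified names and empty passwords before contacting AD. */
    static LdapContext bindAsUser(String ldapsUrl, String principal, String password) throws NamingException {
        if (nameForm(principal) == null)
            throw new IllegalArgumentException("principal must be DOMAIN\\user, UPN, DN or SID: " + principal);
        // AD answers an empty-password simple bind as an anonymous bind, which succeeds without
        // verifying anything; it must never be mistaken for a valid logon.
        if (password == null || password.isEmpty())
            throw new IllegalArgumentException("empty password would perform an anonymous bind");
        if (!ldapsUrl.startsWith("ldaps://"))
            throw new IllegalArgumentException("simple bind sends the password in clear; use ldaps://");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);   // throws AuthenticationException on bad credentials
    }

    public static void main(String[] args) {
        // Constructed sample principals (domain ABC / abc.com is made up); no directory is contacted here.
        String[] samples = {"ABC\\username", "username@abc.com", "CN=username,OU=xxx,DC=abc,DC=com",
                            "S-1-5-21-3623811015-3361044348-30300820-1013", "username"};
        for (String s : samples) System.out.println(s + " -> " + nameForm(s));
    }
}
```

The last sample, a bare sAMAccountName, classifies as null and is rejected before a bind, matching the failure the question reports.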

Answered by puma_yagu

I think you need to check the LDAP Principal Template. It specifies the principal authentication template required by your LDAP server. The principal authentication template is the format in which the authentication information for the security principal (the person who is logging in) must be passed to the LDAP server. The default value is ${email}, which is the format required by Microsoft Active Directory. Other LDAP servers require different authentication templates. Check with your network administrator to learn more about your LDAP server.
