Connect Active Directory with the support of SSL (LDAPS) in Java
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, distributed under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/10613767/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverflow
Connect active directory with the support of ssl (ldaps)
Asked by Mohan
I am trying to connect to Active Directory with SSL support.
I tried the steps from the following web site.
When I try to connect to Active Directory from the Java code, it gives the following error.
Exception in thread "main" javax.naming.CommunicationException: simple bind failed: 172.16.12.4:636 [Root exception is java.net.SocketException: Connection reset]
    at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
    at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
    at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
    at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
    at javax.naming.InitialContext.init(Unknown Source)
    at javax.naming.InitialContext.<init>(Unknown Source)
    at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
    at ConnectActiveDirectory.main(ConnectActiveDirectory.java:39)
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(Unknown Source)
    at com.sun.net.ssl.internal.ssl.InputRecord.readFully(Unknown Source)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(Unknown Source)
    at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.kickstart(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.kickstartHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
    at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
    at java.io.BufferedOutputStream.flush(Unknown Source)
    at com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)
    at com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)
    at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
    ... 13 more
The code that I am using is:
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class ConnectActiveDirectory {
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "[email protected]");
        env.put(Context.SECURITY_CREDENTIALS, "password");
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://172.16.12.4:636/cn=Users,dc=mysite,dc=com");
        try {
            // Backslashes in Java string literals must be doubled; "C:\client.crt" does not compile.
            InputStream in = new FileInputStream("C:\\client.crt");
            Certificate c = CertificateFactory.getInstance("X.509").generateCertificate(in);
            in.close();
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(null, null); // start from an empty keystore
            if (!ks.containsAlias("alias ldap")) {
                ks.setCertificateEntry("alias ldap", c); // add the certificate as a trusted entry
            }
            OutputStream out = new FileOutputStream("C:\\keystorefile.jks");
            char[] kspass = "changeit".toCharArray();
            ks.store(out, kspass);
            out.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
        // Point the JSSE default trust store at the keystore written above (must be set before the first SSL connection).
        System.setProperty("javax.net.ssl.trustStore", "C:\\keystorefile.jks");
        DirContext ctx = new InitialDirContext(env);
        NamingEnumeration<?> enm = ctx.list("");
        while (enm.hasMore()) {
            System.out.println(enm.next());
        }
        ctx.close();
    }
}
Am I making any mistake?
Where can I get a good tutorial to do an SSL connection with Active Directory?
Does the http://confluence.atlassian.com/display/CROWD/Configuring+an+SSL+Certificate+for+Microsoft+Active+Directory site have the correct steps to create and connect Active Directory with SSL?
Could anyone please help me.
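The connection the question is trying to make, written the way a defender would set it up: import only the CA certificate that issued the domain controller's certificate, keep the trust store in memory instead of writing a JKS file to disk and changing a JVM-wide system property, and hand it to JNDI through the java.naming.ldap.factory.socket property, which names a class exposing a static getDefault() method. This is an added example, not code from the question or from any answer on the page; the CA file path, the host name dc01.mysite.com, the bind account svc-ldap@mysite.com and the AD_BIND_PASSWORD environment variable are assumptions. One caveat the question's URL hides: since JDK 8u181 JNDI checks the server certificate's name against the host in the URL, so connecting by IP address (172.16.12.4) fails unless the certificate carries that IP as a subject alternative name; use the DC's DNS name.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class LdapsConnect {

    // Assumption: PEM file with the CA certificate(s) that issued the domain controller's certificate.
    static final String CA_PEM = "/etc/ssl/certs/ad-issuing-ca.pem";

    /** Builds an SSL socket factory whose only trust anchors are the CA certificates in caPemPath. */
    static SSLSocketFactory trustOnlyCa(String caPemPath) throws GeneralSecurityException, IOException {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // fresh, empty, in-memory trust store
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(caPemPath)) {
            int n = 0;
            for (Certificate ca : cf.generateCertificates(in)) { // accepts a PEM bundle or a single DER cert
                trust.setCertificateEntry("ad-ca-" + (n++), ca);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** JNDI loads this class by name and calls its static getDefault() to obtain sockets. */
    public static class AdSocketFactory extends SocketFactory {
        private static volatile SSLSocketFactory delegate;

        public static SocketFactory getDefault() {
            return new AdSocketFactory();
        }

        private static SSLSocketFactory delegate() throws IOException {
            if (delegate == null) {
                try {
                    delegate = trustOnlyCa(CA_PEM);
                } catch (GeneralSecurityException e) {
                    throw new IOException("cannot build trust store from " + CA_PEM, e);
                }
            }
            return delegate;
        }

        @Override public Socket createSocket() throws IOException { return delegate().createSocket(); }
        @Override public Socket createSocket(String h, int p) throws IOException { return delegate().createSocket(h, p); }
        @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return delegate().createSocket(h, p, lh, lp); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate().createSocket(h, p); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return delegate().createSocket(h, p, lh, lp); }
    }

    public static void main(String[] args) throws NamingException {
        String password = System.getenv("AD_BIND_PASSWORD"); // assumption: the bind password is never hard-coded
        if (password == null) throw new IllegalStateException("AD_BIND_PASSWORD is not set");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // The DC's DNS name, not its IP: endpoint identification compares it with the certificate.
        env.put(Context.PROVIDER_URL, "ldaps://dc01.mysite.com:636"); // assumption
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // plaintext password, hence LDAPS is mandatory
        env.put(Context.SECURITY_PRINCIPAL, "svc-ldap@mysite.com"); // assumption
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.factory.socket", AdSocketFactory.class.getName());

        DirContext ctx = new InitialDirContext(env); // TLS handshake and simple bind happen here
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"sAMAccountName"});
            NamingEnumeration<SearchResult> hits =
                ctx.search("cn=Users,dc=mysite,dc=com", "(objectClass=user)", sc);
            while (hits.hasMore()) {
                System.out.println(hits.next().getNameInNamespace());
            }
        } finally {
            ctx.close();
        }
    }
}
```

With this setup a "Connection reset" during the handshake, as in the question's trace, can no longer be a trust-store problem on the client side (a certificate the client does not trust produces an SSLHandshakeException with a PKIX message instead); it points at the server, typically a DC that has no usable certificate and therefore is not listening for TLS on 636, which is what Dustin's answer below repairs.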
Answered by Dustin
I had a similar issue after my AD domain was renamed. After reinstalling certificate services, you need to delete and re-issue the certificate issued to your Domain Controller. Steps:
- Open MMC
- Add Snap In > Certificates > Computer > Local Computer
- Navigate to Personal > Certificates
- Delete any old certificates issued to this machine (in my case, these were issued by the old CA)
- Right click on Certificates folder, click Request New Certificate.
- Follow the steps to issue the new certificate to your domain controller.
- Restart (not sure if this is necessary, but I restarted before it worked)
Answered by user1965929
I had the same error message using Atlassian Crowd and Active Directory over SSL. It is not applicable to this specific question, but when I tried to find out what was happening this thread was the first Google search hit, so I will write it down here.
In my case I first tested without SSL and then changed to SSL. Turns out I forgot to change the protocol used in the Crowd Connector settings.
Before: ldap://:389
After: ldaps://:636
Accidentally using ldap://:636 gave me the "Connection reset" error.