Spring Security and Active Directory LDAP error 32, problem 2001 (NO_OBJECT)

Posted 2024-12-06 03:40:25


I am trying to authenticate a user against AD LDS\ADAM using the Spring framework and Spring Security 3.0. I keep getting the following error and hopefully someone from here can explain where the problem lies.

[LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; remaining name 'cn=Mo Logan,cn=Users,dc=Domain,dc=local'

Can anyone explain what the best match of and remaining name bits mean - this is really confusing me? Is this type of search case sensitive? And would problems like time differences between the server and client make a difference?

From what I have read online, error code 32 means that the object can't be found - very helpful, I'm sure you'll agree. Here is the configuration information which I am using:

<authentication-manager alias="ldapAuthenicationManager">   
    <ldap-authentication-provider
        user-search-base="cn=Users,dc=Domain,dc=local" 
        user-search-filter="(uid={0})" 
        role-prefix="Users"
    />
</authentication-manager>

<ldap-server url="ldap://server:50006/" manager-dn="CN=Admin,CN=Users,DC=Domain,DC=local" manager-password="Password101" />

I am searching by uid (no SAMAccountName in LDS) and when I search by the same criteria using ldap.exe on the server I can find the user correctly e.g:

ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList,  0, &msg)
***Searching...
ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList,  0, &msg)
Getting 1 entries:
Dn: CN=Mo Logan,CN=Users,DC=Domain,DC=local
badPasswordTime: 9/20/2011 1:19:51 PM GMT Standard Time; 
badPwdCount: 0; 
cn: Mo Logan; 
distinguishedName: CN=Mo Logan,CN=Users,DC=Domain,DC=local; 
dSCorePropagationData: 0x0 = (  ); 
instanceType: 0x4 = ( WRITE ); 
lastLogonTimestamp: 9/20/2011 9:10:32 AM GMT Standard Time; 
lockoutTime: 0; 
memberOf (2): CN=DMSUsers,CN=Users,DC=Domain,DC=local; CN=Users,CN=Roles,CN=Users,DC=Domain,DC=local; 
msDS-UserAccountDisabled: FALSE; 
name: Mo Logan; 
objectCategory: CN=Person,CN=Schema,CN=Configuration,CN={BD500A33-CE7C-492F-9007-BF1B17F972EE}; 
objectClass (4): top; person; organizationalPerson; user; 
objectGUID: 40f74ed4-6cf3-495e-a28c-6aa080a0333b; 
objectSid: S-1-514506224-2209559093-2723712157-1234827279-3369888698-2052446679; 
pwdLastSet: 9/20/2011 8:19:06 AM GMT Standard Time; 
uid: mologan; 
uSNChanged: 13994; 
uSNCreated: 13985; 
whenChanged: 9/20/2011 9:10:32 AM GMT Standard Time; 
whenCreated: 9/20/2011 8:16:54 AM GMT Standard Time; 

I am binding to AD LDS as an administrator account which belongs to the reader group under roles. This user sits at the same level as the username I am trying to verify.

As you can probably tell, I am flat out of ideas as to why I am getting this error, and hopefully someone will be able to help me out or point me in the right direction.

Cheers & thanks in advance


Comments (2)

我不在是我 2024-12-13 03:40:25


I think I finally got to the bottom of this, hopefully this will help someone else. Below is the configuration for my security:

<authentication-manager alias="ldapAuthenicationManager">    
    <ldap-authentication-provider           
            user-search-filter="(uid={0})" 
            group-search-filter="(member=userGroup)"
        >     
    </ldap-authentication-provider>     
</authentication-manager> 

<ldap-server url="ldap://server:50006/CN=Users,CN=Domain,CN=local" manager-dn="Cn=Admin,CN=Domain,CN=local" manager-password="Password101" />

I had to create a user in LDS called admin and allocated it to the reader role in LDS (if you don't have this, import it from the ldf files provided for LDS). Now create a user and then a group, adding the user to the group created in AD.

At this point I was getting Ldap error 32. After debugging through the spring security code and looking at the event logs of the server, I guessed that the problem was with how AD LDS was set up. After a lot of fiddling and guesswork I stumbled upon the problem.

To resolve this I ended up adding the user I wanted to log in with (not the manager-dn) to the reader group to allow a successful bind. Doing that resolved the problem.

Hopefully this is of use?

萌酱 2024-12-13 03:40:25


I notice a strange thing in your question. You make a search:

ldap_search_s(ld, "CN=Users,DC=Domain,DC=local", 2, "(uid=mologan)", attrList, 0, &msg)

with (uid=mologan) as a filter, and the result returns uid: chweeks. Is it just a typo or a copy/paste from the result of another search?

Another thing: you wrote LDAP.EXE; you mean LDP.EXE.

----EDITED------

Can you try this kind of configuration?

<authentication-manager alias="ldapAuthenicationManager">    
    <ldap-authentication-provider 
        user-search-base="cn=Users"  
        user-search-filter="(uid={0})"  
        role-prefix="Users" 
    /> 
</authentication-manager> 

<ldap-server url="ldap://server:50006/dc=Domain,dc=local" manager-dn="CN=Admin,CN=Users,DC=Domain,DC=local" manager-password="Password101" /> 
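As an added example (not code from the question or either answer), this Python script parses the 'best match of' / 'remaining name' pair out of the error-32 message quoted in the question to show which RDN the server could not resolve, and composes the search base Spring Security would use for the original configuration and for the one suggested in this answer. It assumes, as Spring Security documents, that user-search-base is relative to the root DN carried in the ldap-server URL, and that the cn and dc attributes use case-insensitive matching (true for AD and AD LDS).

```python
import re
from urllib.parse import urlparse

# Constructed sample: the error message quoted in the question (nested-exception part dropped).
ERROR_TEXT = (
    "[LDAP: error code 32 - 0000208D: NameErr: DSID-0315258B, problem 2001 "
    "(NO_OBJECT), data 0, best match of: 'CN=Users,DC=Domain,DC=local' ]; "
    "remaining name 'cn=Mo Logan,cn=Users,dc=Domain,dc=local'"
)

def parse_no_object(text):
    """Extract the 'best match of' and 'remaining name' DNs from an error-32 message."""
    best = re.search(r"best match of: '([^']*)'", text)
    remaining = re.search(r"remaining name '([^']*)'", text)
    if not best or not remaining:
        raise ValueError("not an LDAP error 32 message with best match / remaining name")
    return best.group(1), remaining.group(1)

def split_dn(dn):
    """Split a DN into RDNs, lower-casing them: cn and dc use case-insensitive
    matching, so 'CN=Users' and 'cn=Users' name the same entry (the mixed case in
    the message is not the cause). Assumes no escaped commas in the DN."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def unresolved_rdns(best_match, remaining):
    """RDNs of `remaining` the server could not find, leftmost first. The best match
    is the suffix that does exist; everything to its left is what is missing."""
    best = split_dn(best_match)
    rem = split_dn(remaining)
    if best and rem[-len(best):] != best:
        raise ValueError("best match is not a suffix of the remaining name")
    return rem[:len(rem) - len(best)]

def effective_search_base(server_url, user_search_base):
    """Compose the DN the user search runs under. Assumption (Spring Security's
    documented behaviour): user-search-base is relative to the root DN given in
    the ldap-server URL path; an empty path means no root DN."""
    root = urlparse(server_url).path.lstrip("/")
    return ",".join(p for p in (user_search_base, root) if p)

if __name__ == "__main__":
    best, rem = parse_no_object(ERROR_TEXT)
    print("resolved by server:", best)
    print("could not be found:", unresolved_rdns(best, rem))
    # Original question config vs. the configuration suggested in the second answer.
    print(effective_search_base("ldap://server:50006/", "cn=Users,dc=Domain,dc=local"))
    print(effective_search_base("ldap://server:50006/dc=Domain,dc=local", "cn=Users"))
```

The unresolved list is the part of the DN to check on the server; if it is an RDN of the user entry, the search base is fine and the bind (as the answer above found) or the entry's permissions are the next thing to look at.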