链接服务器 - LDAP - 消息 7321
下面是我尝试使用链接服务器对 LDAP 执行的简短查询:
select * from openquery(ADSI,'')
查询运行良好,除非我将“域控制器:LDAP 服务器签名要求”安全设置更改为“ LDAP 服务器上需要签名”。当我这样做时,我收到以下错误:
消息 7321,级别 16,状态 2,第 1 行
准备查询“”以针对链接服务器“ADSI”的 OLE DB 提供程序“ADSDSOObject”执行时发生错误。
链接服务器 ADSI 是使用域帐户创建的。另外,如果可以的话,我们宁愿不使用 OPENROWSET。
Below is an abbreviated query I am trying to execute against LDAP using a linked server:
select * from openquery(ADSI,'')
The query runs fine, except when I change the "Domain controller: LDAP server signing requirements" security setting to "Require signing" on the LDAP server. When I do that, I get the following error:
Msg 7321, Level 16, State 2, Line 1
An error occurred while preparing the query "" for execution against OLE DB provider "ADSDSOObject" for linked server "ADSI".
The linked server ADSI is created using a domain account. Also, we would prefer not to use OPENROWSET if we can help it.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您使用的是 TLS/SSL 吗?
如果您“需要签名”,则必须协商 LDAP 数据签名选项,除非使用传输层安全性/安全套接字层 (TLS/SSL)。
有关详细信息,请参阅 http://support.microsoft.com/kb/823659。
可能不相关,但我注意到没有明确的
'从“LDAP://DC=MyDC,DC=MyOtherDC”中选择*'
在 OPENQUERY 的查询部分
祝你好运
Are you using TLS/SSL?
If you "Require signing", then the LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Socket Layer (TLS/SSL) is being used.
See http://support.microsoft.com/kb/823659 for more information.
May be unrelated, but I noticed there is no explicit
'SELECT * FROM "LDAP://DC=MyDC,DC=MyOtherDC"'
in the query portion of OPENQUERY
Good luck
我遇到了这个问题,解决方案是在 SQL 服务器和域控制器之间建立 kerberos 信任,这样它将允许用户凭据传递(也称为双跳)。
我使用“Active Directory 用户和机器”来查找我的 SQL 服务器并添加 SPN,以允许将凭据从 SQL 服务器传递到 LDAP/DC 服务器。
在 SQL Server 中,我的查询看起来与上面显示的查询有些不同:
我能够使用另一个名为 Softerra LDAP Administrator 的工具构建 LDAP 查询。您展开(深度)直到看到类似 ServerName\DC=Corporation01\OU=Office01\CN=Users\CN=Department 的内容。如果它包含您想要的用户列表,请检查该文件夹的属性,您的 LDAP 查询将出现在标题中。它还可以很好地显示您可以选择或过滤哪些属性。
I had this problem and the solution was to set up a kerberos trust between the SQL server and the domain controller, so it would allow user credentials to be passed-through (aka double-hop).
I used "Active Directory Users & Machines" to find my SQL server and add a SPN allowing credentials to be passed from the SQL server to the LDAP/DC server.
In SQL server, my query looked a little different from the ones shown above:
I was able to construct the LDAP query using another tool called Softerra LDAP Administrator. You expand (depthwise) util you get to something like ServerName\DC=Corporation01\OU=Office01\CN=Users\CN=Department. If it has the list of users you want, check properties of that folder and your LDAP query will be in the title. It also does a decent job of showing which properties you can select or filter-on.