
If we use ldapsearch to search a particular LDAP server for its naming contexts at base level, the search works fine.

$ ldapsearch -h myhealthisp.com -p 10389 -x -s base -b "" namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=myhealthisp,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

However, using JNDI, we get the following response:

No Results for: myhealthisp.com. Problem: [LDAP: error code 32 - No Such Object] null

Here is our code:

// env, sc1 and targetDomain are fields of the enclosing class, and findMailAttribute(...)
// is a helper in the same class; SRVRecord, CertificateInfo and CertLookUpException are our own types.
private Attribute getCertFromLdap(SRVRecord srvRec, CertificateInfo certInfo) throws CertLookUpException {
    env.put(DirContext.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    sc1 = new SearchControls();
    sc1.setSearchScope(SearchControls.ONELEVEL_SCOPE);

    try {
        env.put(DirContext.PROVIDER_URL, "ldap://" + targetDomain + ":" + srvRec.getPort());
        System.out.println("ldap://" + targetDomain + ":" + srvRec.getPort());

        DirContext dc = new InitialDirContext(env);
        NamingEnumeration directoryNE = null;

        System.out.println("Got HERE!");
        // empty base DN, one-level scope
        directoryNE = dc.search("", "objectClass=*", sc1);

        System.out.println("SC1 :" + sc1);
        while (directoryNE.hasMore()) {
            SearchResult result1 = (SearchResult) directoryNE.next();

            // print DN of entry
            System.out.println("Result.getNameInNamespace: " + result1.getName());
            Attribute foundMail = findMailAttribute(result1.getNameInNamespace());

            if (foundMail != null) {
                return foundMail;
            }
        }
        dc.close();
    } catch (NamingException e) {
        System.out.println("No Results for: " + targetDomain + "\nProblem: " + e.getLocalizedMessage() + "  " + e.getCause());
    }
    return null;
}

The only way we have been able to return the base directory for myhealthisp.com is to hard-code the directory name (dc=myhealthisp,dc=com) into the base directory search filter (our code is based on the LDAP search operation section of the ApacheDS basic user guide: http://directory.apache.org/apacheds/manuals/basic-user-guide-1.5.8-SNAPSHOT/html/ch03s03.html).

When our code searches the onctest.org LDAP server, every naming context is returned.

Here is the Eclipse console output for the onctest.org server and for the myhealthisp.com server:

ldap://onctest.org.:10389
Got HERE!
SC1 :javax.naming.directory.SearchControls@4c408bfc
Result.getNameInNamespace: ou=config
Result.getNameInNamespace: dc=example,dc=com
Result.getNameInNamespace: ou=system
Search Result: cn=dts556: null:null:{mail=mail: dts556@onctest.org, usercertificate=userCertificate: [B@35e06ba6, objectclass=objectClass: organizationalPerson, person, inetOrgPerson, top, o=o: onctest, sn=sn: Test Case, cn=cn: dts556}

Service Record: _ldap._tcp.onctEst.org. 86400   IN  SRV 0 0 10389 onctest.org.
ldap://myhealthisp.com.:10389
Got HERE!
No Results for: myhealthisp.com.
Problem: [LDAP: error code 32 - No Such Object]  null
Unable to find certificate at LDAP for: steve.tripp@myhealthisp.com
_ldap._tcp.myhealthisp.com. 3600    IN  SRV 0 0 10389 myhealthisp.com.

We believe the cause of the problem is the following:

  • JNDI cannot perform a base-level search of the OpenLDAP rootDSE objectClass directory.

2 Answers


Usually an anonymous bind has no permission to do an LDAP search on the root directory. Every directory has OOTB permission for anonymous bind and search on the root. In the case of Apache DS, the naming contexts can be searched with the ldap query

ldapsearch -h localhost -p 10389 -s base -b "" "(objectclass=*)" namingContexts

However, a one-level or subtree search such as

ldapsearch -h localhost -p 10389 -s one -b "" -D "uid=admin,ou=system" -w secret "(objectclass=*)"

gives the following result (this is what you are doing in your JNDI program):

ldap_search: No such object
ldap_search: additional info: NO_SUCH_OBJECT: failed for SearchRequest
    baseDn : ''
    filter : '(2.5.4.0=*)'
    scope : single level
    typesOnly : false
    Size Limit : no limit
    Time Limit : no limit
    Deref Aliases : never Deref Aliases
    attributes : 
: null

JNDI code for the first ldapsearch command:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class SampleLDAPSearch {

    private Attribute getCertFromLdap() {
        String targetDomain = "localhost";
        String port = "10389";

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // base-object scope on the empty DN, with the operational attribute requested by name
        SearchControls sc1 = new SearchControls();
        sc1.setSearchScope(SearchControls.OBJECT_SCOPE);
        sc1.setReturningAttributes(new String[] { "namingContexts" });

        try {
            env.put(Context.PROVIDER_URL, "ldap://" + targetDomain + ":" + port);

            System.out.println("ldap://" + targetDomain + ":" + port);

            DirContext dc = new InitialDirContext(env);
            NamingEnumeration<SearchResult> directoryNE = null;

            System.out.println("Got HERE!");
            directoryNE = dc.search("", "(objectclass=*)", sc1);

            System.out.println("SC1 :" + sc1);
            while (directoryNE.hasMore()) {
                SearchResult result1 = directoryNE.next();

                // print DN of entry
                System.out.println("Result.getNameInNamespace: " + result1.getName());
                Attributes attrs = result1.getAttributes();
                Attribute attr = attrs.get("namingContexts");
                System.out.println(attr);
            }
            dc.close();
        } catch (NamingException e) {
            System.out.println("No Results for: " + targetDomain + "\nProblem: " + e.getLocalizedMessage() + "  "
                    + e.getCause());
        }
        return null;
    }

    public static void main(String[] args) {
        SampleLDAPSearch sls = new SampleLDAPSearch();
        sls.getCertFromLdap();
    }
}
answered 2012-11-19T23:14:52.673

The Root DSE cannot appear when the search scope is not base. Furthermore, LDAP clients cannot rely on the information contained in the root DSE, because those attributes may be protected by access control. From RFC4512:

These attributes are retrievable, subject to access control and other
restrictions, if a client performs a Search operation [RFC4511] with
an empty baseObject, scope of baseObject, the filter
"(objectClass=*)" [RFC4515], and the attributes field listing the
names of the desired attributes.  It is noted that root DSE
attributes are operational and, like other operational attributes,
are not returned in search requests unless requested by name.

Change the search scope to base. Better still, do not write code that depends on objects retrieved from the root DSE.

See also

answered 2012-11-20T08:29:11.743
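An added example, not part of the question or of either answer, that puts both answers together: it reads namingContexts from the root DSE the way RFC 4512 requires (empty base, OBJECT_SCOPE, the operational attribute requested by name), treats a missing attribute as the access-controlled case the second answer warns about rather than as an error, and then runs the subtree search the question actually wanted against each naming context. The host and port, the mail-based filter, the RFC 4515 escaping of the filter value and the domain-to-DN fallback are assumptions for illustration, not anything the page describes.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example; host, port, filter and the domain-to-DN fallback are assumptions.
public class RootDseCertLookup {

    /** Root DSE read per RFC 4512: empty base, scope baseObject, attribute named explicitly. */
    static List<String> namingContexts(DirContext dc) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.OBJECT_SCOPE);               // not ONELEVEL_SCOPE
        sc.setReturningAttributes(new String[] { "namingContexts" }); // operational: must be requested
        List<String> contexts = new ArrayList<String>();
        NamingEnumeration<SearchResult> results = dc.search("", "(objectClass=*)", sc);
        while (results.hasMore()) {
            Attribute attr = results.next().getAttributes().get("namingContexts");
            if (attr == null) continue; // withheld by access control; caller falls back
            NamingEnumeration<?> values = attr.getAll();
            while (values.hasMore()) contexts.add(values.next().toString());
        }
        return contexts;
    }

    /** Fallback (assumption): derive dc=...,dc=... from the mail domain when the root DSE gives nothing. */
    static String dnFromDomain(String domain) {
        String d = domain.endsWith(".") ? domain.substring(0, domain.length() - 1) : domain;
        StringBuilder sb = new StringBuilder();
        for (String label : d.split("\\.")) {
            if (sb.length() > 0) sb.append(',');
            sb.append("dc=").append(label);
        }
        return sb.toString();
    }

    /** RFC 4515 escaping so an address taken from input cannot change the filter's meaning. */
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The real search: subtree under one naming context, looking for the entry with this mail value. */
    static Attribute findCertByMail(DirContext dc, String base, String mail) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "userCertificate" });
        String filter = "(mail=" + escapeFilterValue(mail) + ")";
        NamingEnumeration<SearchResult> results = dc.search(base, filter, sc);
        while (results.hasMore()) {
            Attribute cert = results.next().getAttributes().get("userCertificate");
            if (cert != null) {
                return cert; // values are byte[] (DER) because JNDI treats userCertificate as binary
            }
        }
        return null;
    }

    public static void main(String[] args) throws NamingException {
        String host = args.length > 0 ? args[0] : "localhost";          // assumed
        String mail = args.length > 1 ? args[1] : "dts556@onctest.org"; // assumed
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":10389");
        DirContext dc = new InitialDirContext(env);
        try {
            List<String> bases = namingContexts(dc);
            if (bases.isEmpty()) {
                bases.add(dnFromDomain(mail.substring(mail.indexOf('@') + 1)));
            }
            for (String base : bases) {
                Attribute cert = findCertByMail(dc, base, mail);
                System.out.println(base + " -> " + (cert == null ? "no userCertificate" : cert.size() + " value(s)"));
            }
        } finally {
            dc.close();
        }
    }
}
```

The one-level search on the empty DN that produced error 32 in the question never appears here: the empty base is only ever combined with OBJECT_SCOPE, and the wider search is always rooted at a real naming context. Escaping the filter value matters because the address comes from outside the program; without it a value such as `*)(objectClass=*` would turn the lookup into a wildcard search.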