
I am trying to get Active Directory group details by group DN, as follows:

1- Connect to LDAP:

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    public static LdapContext connectToLdap(String host,
            String userDN, String userPassword,
            boolean ssl) throws Exception {

        System.out.println("connectToLdap");

        // Plain LDAP on 389; LDAPS on 636 when ssl is requested.
        String hostPrefix = "ldap";
        String ldapPort = "389";
        if (ssl) {
            hostPrefix = "ldaps";
            ldapPort = "636";
        }
        String providerUrl = hostPrefix + "://" + host + ":" + ldapPort;
        //System.out.println("####### LDAP URL: " + providerUrl);
        LdapContext ldapContext;
        Hashtable<String, String> ldapEnv = new Hashtable<String, String>(11);
        ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        ldapEnv.put(Context.PROVIDER_URL, providerUrl);
        // Simple bind: the password travels in clear text unless ssl is true.
        ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        ldapEnv.put(Context.SECURITY_PRINCIPAL, userDN);
        ldapEnv.put(Context.SECURITY_CREDENTIALS, userPassword);
        // Read timeout in milliseconds (10 seconds).
        ldapEnv.put("com.sun.jndi.ldap.read.timeout", 1000 * 10 + "");
        if (ssl) {
            ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        // "ignore": referrals returned by AD are not followed.
        ldapEnv.put(Context.REFERRAL, "ignore");
        try {
            ldapContext = new InitialLdapContext(ldapEnv, null);
            System.out.println("success connection to ldap");
            return ldapContext;
        } catch (Exception e) {
            System.out.println("failure connection to ldap");
            e.printStackTrace();
            return null;
        }
    }

2- Find group method:

    import javax.naming.NamingEnumeration;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.LdapContext;

    public static boolean isGroupExist(LdapContext ldapContext,
            String domain, String groupDN) {

        boolean exist = false;

        try {

            SearchControls searchCtls = new SearchControls();
            // Client-side time limit in milliseconds (10 seconds).
            searchCtls.setTimeLimit(1000 * 10);

            String returnedAttrs[] = {"distinguishedName", "cn"};
            searchCtls.setReturningAttributes(returnedAttrs);

            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            // Escape the DN before placing it in the filter (RFC 4515), so that
            // characters such as '(' ')' '*' '\' in the DN cannot alter the filter.
            String safeGroupDN = groupDN.replace("\\", "\\5c")
                    .replace("*", "\\2a")
                    .replace("(", "\\28")
                    .replace(")", "\\29")
                    .replace("\0", "\\00");
            String searchFilter = "(&(objectClass=group)(distinguishedName=" + safeGroupDN + "))";

            NamingEnumeration<SearchResult> results = ldapContext.search(
                    domain, searchFilter, searchCtls);

            while (results.hasMoreElements()) {
                System.out.println("Success to retrieve active directory group with dn: " + groupDN);
                SearchResult sr = results.next();
                Attributes attrs = sr.getAttributes();
                // "cn" is in the returned attributes, so it is present on every group entry.
                String cn = attrs.get("cn").toString();
                System.out.println(cn);
                exist = true;
            }

        } catch (Exception e) {
            System.out.println("Fail to search in active directory groups");
            e.printStackTrace();
            return false;
        }

        return exist;
    }

But when I try to use the isGroupExist method, I get the following exception:

javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 0000217A: SvcErr: DSID-0314020F, problem 5010 (UNAVAIL_EXTENSION), data 0

Please advise why I am getting this exception and how to fix it.

2 Answers

After removing the following two lines it works fine:

    String sortKey = LDAPAttributes.DISTINGUISHED_NAME;
    ldapContext.setRequestControls(new Control[]{new SortControl(
            sortKey, Control.CRITICAL)});

answered 2013-10-03T10:28:51.033
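As an added illustration of the first answer (example code, not from the question or either answer): LDAP result code 12 is unavailableCriticalExtension, which the server returns when a request control marked Control.CRITICAL cannot be honoured. Marking the SortControl non-critical keeps the search working and lets the client read the server's SortResponseControl to learn whether sorting actually happened. ctx is assumed to be the context returned by the question's connectToLdap; baseDN, filter and sortKey are the caller's values.

```java
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.SortControl;
import javax.naming.ldap.SortResponseControl;

public class NonCriticalSortExample {
    // Runs the search with a NON-critical sort request. A server that cannot
    // honour the sort on the requested key (as the question's server did for
    // distinguishedName) returns the entries unsorted instead of rejecting the
    // whole search with error 12. Returns true only if the server reports it sorted.
    public static boolean searchWithOptionalSort(LdapContext ctx, String baseDN,
            String filter, String sortKey) throws Exception {
        // Control.NONCRITICAL lets the server ignore the control; CRITICAL makes
        // it fail the operation when it cannot comply, which is what the question hit.
        ctx.setRequestControls(new Control[] {
            new SortControl(sortKey, Control.NONCRITICAL)
        });
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName", "cn"});
        sc.setTimeLimit(10_000);
        NamingEnumeration<SearchResult> results = ctx.search(baseDN, filter, sc);
        try {
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
        } finally {
            results.close();
        }
        // Response controls become available once the enumeration is exhausted.
        boolean sorted = false;
        Control[] responses = ctx.getResponseControls();
        if (responses != null) {
            for (Control c : responses) {
                if (c instanceof SortResponseControl) {
                    sorted = ((SortResponseControl) c).isSorted();
                }
            }
        }
        ctx.setRequestControls(null); // do not leak the control into later operations
        return sorted;
    }
}
```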
If you are using LDAP v3 and your search is part of the DN attribute of the OU, you can do this with an extensible match search. Like http://www.novell.com/documentation/edir873/?page=/documentation/edir873/edir873/data/agazepd.html

answered 2013-10-03T10:29:31.660