0

我正在尝试使用 java 库通过 Quercus 中的 portlet 更新密码。这是我正在使用的一些代码:

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.SearchControls;
import javax.sql.DataSource;
import java.util.Hashtable;

$uname = isset($_POST['uname'])?$_POST['uname']:'';
$pass1 = isset($_POST['pass1'])?$_POST['pass1']:'';

//connecto to LDAP
$ldapADURL = "ldaps://poplar.example.edu:636";
$ldapEnv = new HashTable();
$ldapEnv->put("java.naming.factory.initial","com.sun.jndi.ldap.LdapCtxFactory");
$ldapEnv->put("java.naming.provider.url", $ldapADURL);
$ldapEnv->put("java.naming.security.protocal", "ssl");
$ldapEnv->put("java.naming.referral", "follow");
$ldapEnv->put("java.naming.security.authentication", "simple");
$ldapEnv->put("java.naming.security.principal", "ADUser");
$ldapEnv->put("java.naming.security.credentials", "P@ssw0rd");
$ADCtx = new InitialDirContext($ldapEnv);

//query the vault for our user
$ctlsAD = new SearchControls();
$attribsAD = array("sAMAccountName","DN","title","extensionAttribute14","extensionAttribute8","cn");
$ctlsAD->setReturningAttributes($attribsAD);
$ctlsAD->setSearchScope(2);
$filter="(sAMAccountName=" . $uname . ")";
$resultAD=$ADCtx->search("DC=conncoll,DC=edu",$filter,$ctlsAD);

if ($resultAD->hasMore()) {
    $item = $resultAD->next();
    $resultADAttribs = $item->getAttributes();
    $rsTitle = str_replace("title: ","",$resultADAttribs->get("title"));
    $rsAttrib14 = str_replace("extensionAttribute14: ","",$resultADAttribs->get("extensionAttribute14"));
    $rsAttrib8 = str_replace("extensionAttribute8: ","",$resultADAttribs->get("extensionAttribute8"));
    $rsUname = str_replace("sAMAccountName: ","",$resultADAttribs->get("sAMAccountName"));
    $rsDN = str_replace("dn: ","",$resultADAttribs->get("DN"));
}

echo ( '<br />' . $rsTitle . '<br />' . $rsAttrib14 . '<br />' . $rsAttrib8 . '<br />' . $rsUname . '<br />' . $rsDN . '<br />');

if (isset($rsUname)/*ccLDAPCheckUser($uname)*/){
    $ADCtx->addToEnvironment("java.naming.security.principal","OtherADUser");
    $ADCtx->addToEnvironment("java.naming.security.credentials","0therP@ssw0rd");
    //$resultAD2 = $ADCtx->search("DC=conncoll,DC=edu",$filter,$ctlsAD);
    $pass2 = "\"" . $pass1 . "\"";
    $newPass = mb_convert_encoding($pass2, "UTF-16LE");
    $ADNewPass = new BasicAttribute("userpassword",$newPass);
    $ADNewAttrib8 = new BasicAttribute("extensionAttribute8",$rsAttrib8);
    $ADAttributes = new BasicAttributes();
    $ADAttributes->put($ADNewPass);
    $ADAttributes->put($ADNewAttrib8);
    $ADCtx->modifyAttributes("sAMAccountName=" . $rsUname,2,$ADAttributes);
}

运行此代码后,我从 LDAP 服务器收到以下错误:javax.naming.directory.InitialDirContext.modifyAttributes: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, issue 5012 (DIR_ERROR), data 0]

所以我想知道几件事。首先是如果我的 modifyAttributes 函数调用的语法正确。我已经尝试将 dc=example,dc=edu 附加到查询字符串上,但没有成功。第一个查询正确返回结果,因此我确定我已连接到 AD 服务器,并且有人验证执行代码的 JVM 在其存储中具有有效的最新证书。

该错误使我相信我需要为我尝试更新的对象指定的确切位置,而我没有。

感谢您对这个问题的想法!

4

1 回答 1

0

因此,我找到了获取 DN 并使用它而不是 sAMAccountName 来发出密码重置的部分答案。

我将 $rsDN 设置如下:

$rsDN = $item->getNameInNamespace();

并发出更改密码的调用,如下所示:

$ADCtx->modifyAttributes($rsDN,2,$ADAttributes);

现在我当然会遇到 SSL 错误,但我至少在更新时遇到了正确的对象。

于 2014-05-13T14:52:02.027 回答