JNDI 连接Windows Active Directory 教程(转）

个人收藏，来源：http://www.matrix.org.cn/resource/article/2007-03-05/JNDI+AD_ea943628-cab3-11db-b4f4-dd5a5e123c5c.html

 

http://www.javaworld.com.tw/jute/post/view?bid=7&id=164710&sty=1&tpg=1&age=0
http://forum.java.sun.com/thread.jspa?threadID=716240&tstart=0

 

 

java 代码

/***************************** LDAPFastBind.java *****************/
package test.ldap;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

class FastBindConnectionControl implements Control {
    public byte[] getEncodedValue() {
        return null;
    }

    public String getID() {
        return "1.2.840.113556.1.4.1781";
    }

    public boolean isCritical() {
        return true;
    }
}

public class LDAPFastBind {
    public Hashtable env = null;

    public LdapContext ctx = null;

    public Control[] connCtls = null;

    public LDAPFastBind(String ldapurl) {
        env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.PROVIDER_URL, ldapurl);

        env.put(Context.SECURITY_PROTOCOL,"ssl");

        String keystore = "/jdk1.5.0_09/jre/lib/security/cacerts";
        System.setProperty("javax.net.ssl.trustStore",keystore);

        connCtls = new Control[] { new FastBindConnectionControl() };

        // first time we initialize the context, no credentials are supplied
        // therefore it is an anonymous bind.

        try {
            ctx = new InitialLdapContext(env, connCtls);

        } catch (NamingException e) {
            System.out.println("Naming exception " + e);
        }
    }

    public boolean Authenticate(String username, String password) {
        try {
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, username);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
            ctx.reconnect(connCtls);
            System.out.println(username + " is authenticated");
            return true;
        }

        catch (AuthenticationException e) {
            System.out.println(username + " is not authenticated");
            System.out.println(e);
            return false;
        } catch (NamingException e) {
            System.out.println(username + " is not authenticated");
            System.out.println(e);
            return false;
        }
    }

    public void finito() {
        try {
            ctx.close();
            System.out.println("Context is closed");
        } catch (NamingException e) {
            System.out.println("Context close failure " + e);
        }
    }

    public void printUserAccountControl() {
        try {

            // Create the search controls
            SearchControls searchCtls = new SearchControls();

            // Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            // specify the LDAP search filter
            //String searchFilter = "(&(objectClass=user)(CN=test))";
            //String searchFilter = "(&(objectClass=group))";
            String searchFilter = "(&(objectClass=user)(CN=peter lee))";

            // Specify the Base for the search
            String searchBase = "DC=joeyta,DC=local";

            // initialize counter to total the group members
            int totalResults = 0;

            // Specify the attributes to return
            String returnedAtts[] = { "givenName", "mail" };
            searchCtls.setReturningAttributes(returnedAtts);

            // Search for objects using the filter
            NamingEnumeration answer = ctx.search(searchBase, searchFilter,
                    searchCtls);

            // Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = (SearchResult) answer.next();

                System.out.println(">>>" + sr.getName());

                // Print out the groups

                Attributes attrs = sr.getAttributes();
                if (attrs != null) {

                    try {
                        for (NamingEnumeration ae = attrs.getAll(); ae
                                .hasMore();) {
                            Attribute attr = (Attribute) ae.next();
                            System.out.println("Attribute: " + attr.getID());
                            for (NamingEnumeration e = attr.getAll(); e
                                    .hasMore(); totalResults++) {

                                System.out.println(" " + totalResults + ". "
                                        + e.next());
                            }

                        }

                    } catch (NamingException e) {
                        System.err.println("Problem listing membership: " + e);
                    }

                }
            }

            System.out.println("Total attrs: " + totalResults);

        }

        catch (NamingException e) {
            System.err.println("Problem searching directory: " + e);
        }

    }

    public boolean adminChangePassword(String sUserName, String sNewPassword){
        try {

            //set password is a ldap modfy operation
            ModificationItem[] mods = new ModificationItem[1];

            //Replace the "unicdodePwd" attribute with a new value
            //Password must be both Unicode and a quoted string
            String newQuotedPassword = "\"" + sNewPassword + "\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");

            mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));

            // Perform the update
            ctx.modifyAttributes(sUserName, mods);

            System.out.println("Reset Password for: " + sUserName);

            return true;
        }
        catch (NamingException e) {
            System.out.println("Problem resetting password: " + e);
        }
        catch (UnsupportedEncodingException e) {
            System.out.println("Problem encoding password: " + e);
        }
        return false;
    }

    public boolean userChangePassword(String sUserName, String sOldPassword, String sNewPassword){
        try {
            //StartTlsResponse tls = (StartTlsResponse)ctx.extendedOperation(new StartTlsRequest());
            //tls.negotiate();

            //change password is a single ldap modify operation
            //that deletes the old password and adds the new password
            ModificationItem[] mods = new ModificationItem[2];

            //Firstly delete the "unicdodePwd" attribute, using the old password
            //Then add the new password,Passwords must be both Unicode and a quoted string
            String oldQuotedPassword = "\"" + sOldPassword + "\"";
            byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
            String newQuotedPassword = "\"" + sNewPassword + "\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");

            mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldUnicodePassword));
            mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));

            // Perform the update
            ctx.modifyAttributes(sUserName, mods);

            System.out.println("Changed Password for: " + sUserName);
            //tls.close();
            return true;

        }
        catch (NamingException e) {
            System.err.println("Problem changing password: " + e);
        }
        catch (UnsupportedEncodingException e) {
            System.err.println("Problem encoding password: " + e);
        } catch ( Exception e){
            System.err.println("Problem: " + e);
        }
        return false;
    }

    public boolean createNewUser(String sGroupName, String sUserName){
        try {
            // Create attributes to be associated with the new user
            Attributes attrs = new BasicAttributes(true);

            //These are the mandatory attributes for a user object
            //Note that Win2K3 will automagically create a random
            //samAccountName if it is not present. (Win2K does not)
            attrs.put("objectClass","user");
            attrs.put("sAMAccountName","AlanT");
            attrs.put("cn","Alan Tang");

            //These are some optional (but useful) attributes
            attrs.put("givenName","Alan");
            attrs.put("sn","Tang");
            attrs.put("displayName","Alan Tang");
            attrs.put("description","Engineer");
            attrs.put("userPrincipalName","alan-AT-joeyta.local");
            attrs.put("mail","alang-AT-mail.joeyta-DOT-local");
            attrs.put("telephoneNumber","123 456 789");

            //some useful constants from lmaccess.h
            int UF_ACCOUNTDISABLE = 0x0002;
            int UF_PASSWD_NOTREQD = 0x0020;
            int UF_PASSWD_CANT_CHANGE = 0x0040;
            int UF_NORMAL_ACCOUNT = 0x0200;
            int UF_DONT_EXPIRE_PASSWD = 0x10000;
            int UF_PASSWORD_EXPIRED = 0x800000;

            //Note that you need to create the user object before you can
            //set the password. Therefore as the user is created with no
            //password, user AccountControl must be set to the following
            //otherwise the Win2K3 password filter will return error 53
            //unwilling to perform.

            attrs.put("userAccountControl",Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD + UF_PASSWORD_EXPIRED+ UF_ACCOUNTDISABLE));

            // Create the context
            Context result = ctx.createSubcontext(sUserName, attrs);
            System.out.println("Created disabled account for: " + sUserName);

            //now that we've created the user object, we can set the
            //password and change the userAccountControl
            //and because password can only be set using SSL/TLS
            //lets use StartTLS

            //StartTlsResponse tls = (StartTlsResponse)ctx.extendedOperation(new StartTlsRequest());
            //tls.negotiate();

            //set password is a ldap modfy operation
            //and we'll update the userAccountControl
            //enabling the acount and force the user to update ther password
            //the first time they login
            ModificationItem[] mods = new ModificationItem[2];

            //Replace the "unicdodePwd" attribute with a new value
            //Password must be both Unicode and a quoted string
            String newQuotedPassword = "\"P-AT-ssw0rd\"";
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");

            mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
            mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl",Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED)));

            // Perform the update
            ctx.modifyAttributes(sUserName, mods);
            System.out.println("Set password & updated userccountControl");


            //now add the user to a group.

                try    {
                    ModificationItem member[] = new ModificationItem[1];
                    member[0]= new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("member", sUserName));

                    ctx.modifyAttributes(sGroupName,member);
                    System.out.println("Added user to group: " + sGroupName);

                }
                catch (NamingException e) {
                     System.err.println("Problem adding user to group: " + e);
                }
            //Could have put tls.close()  prior to the group modification
            //but it seems to screw up the connection  or context ?
            //tls.close();

            System.out.println("Successfully created User: " + sUserName);
            return true;

        }
        catch (NamingException e) {
            System.err.println("Problem creating object: " + e);
        }

        catch (IOException e) {
            System.err.println("Problem creating object: " + e);
        }
        return false;
    }

    public boolean addUserToGroup(LdapContext ctx, String userDN, String groupDN) {
        try{
            ModificationItem[] mods = new ModificationItem[1];
            mods[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("member", userDN));
            ctx.modifyAttributes(groupDN, mods);
            System.out.println("Added user " + userDN + " to group " + groupDN);
            return true;
        } catch (NamingException ne){
            System.err.println("Problem add user to group: " + ne);
        }
        return false;

评论

1 楼 spiritfrog 2007-11-19  

userChangePassword中能否先验证OldPassword？我试了下，总是拿不到。
像你这样直接删除OldPassword，如果不存在是否会报错？