我有一个Active Directory LDAP用户,如下所示:
dn: CN=test44,OU=adduserspd,DC=addiam,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test44
sn: test44
userPassword:: dGVzdDEyMw==
givenName: a
distinguishedName: CN=test44,OU=adduserspd,DC=addiam,DC=local
instanceType: 4
whenCreated: 20210719112205.0Z
whenChanged: 20210719154614.0Z
uSNCreated: 48807
uSNChanged: 49210
name: test44
objectGUID:: kHzOfDVztEictCZgD2sK7g==
userAccountControl: 66048
badPwdCount: 23
codePage: 0
countryCode: 0
badPasswordTime: 132711842865805975
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132711810368404085
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAANJehYHpPGd4MmIXVWgYAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: $QI1000-T26H6SSO71UL
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=addiam,DC=local
dSCorePropagationData: 16010101000000.0Z
mail: placeholder@mail.com
unixHomeDirectory: User
当我尝试搜索该用户时;ldapsearch";命令,我遇到身份验证问题。
admin@PC1-01:~> ldapsearch -x -LLL -h 11.14.18.111:389 -D test44 -w 'test123' -b"dc=addiam,dc=local" -s sub "(objectClass=user)"
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563
根据我发现的错误";52e";,这意味着用户存在并且所提供的凭证是错误的。但我可以看到,用户的";userPassword"属性包含base64编码形式的正确密码。
我也尝试了以下内容,但结果是相同的
admin@PC1-01:~> ldapsearch -x -LLL -h 11.14.18.111:389 -D test44 -w 'test123' -b"cn=test44,ou=adduserspd,dc=addiam,dc=local" -s sub "(objectClass=user)"
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563
admin@PC1-01:~>
如果有人能解释造成这种情况的原因,我们将不胜感激。
属性"userPassword"不是保存用户密码的。所以目前正在寻找一种不同的方法。参考:Active Directory中保存加密密码的属性是什么?,