authentication - Active Directory LDAP 用户验证问题

问题描述

我在 Active Directory LDAP 有一个用户，如下所示：

dn: CN=test44,OU=adduserspd,DC=addiam,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test44
sn: test44
userPassword:: dGVzdDEyMw==
givenName: a
distinguishedName: CN=test44,OU=adduserspd,DC=addiam,DC=local
instanceType: 4
whenCreated: 20210719112205.0Z
whenChanged: 20210719154614.0Z
uSNCreated: 48807
uSNChanged: 49210
name: test44
objectGUID:: kHzOfDVztEictCZgD2sK7g==
userAccountControl: 66048
badPwdCount: 23
codePage: 0
countryCode: 0
badPasswordTime: 132711842865805975
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132711810368404085
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAANJehYHpPGd4MmIXVWgYAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: $QI1000-T26H6SSO71UL
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=addiam,DC=local
dSCorePropagationData: 16010101000000.0Z
mail: placeholder@mail.com
unixHomeDirectory: User

当我尝试使用以下“ldapsearch”命令搜索该用户时，我遇到了身份验证问题。

admin@PC1-01:~> ldapsearch -x -LLL -h 11.14.18.111:389 -D test44 -w 'test123' -b"dc=addiam,dc=local" -s sub "(objectClass=user)"
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563

根据我发现的错误“52e”，这意味着用户存在并且提供的凭据是错误的。但我可以看到用户的“userPassword”属性包含 base64 编码形式的正确密码。

我也尝试了以下，但结果是一样的

admin@PC1-01:~> ldapsearch -x -LLL -h 11.14.18.111:389 -D test44 -w 'test123' -b"cn=test44,ou=adduserspd,dc=addiam,dc=local" -s sub "(objectClass=user)"
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563
admin@PC1-01:~>

感谢有人能解释造成这种情况的原因。

标签： authenticationactive-directoryldap