【发布时间】:2015-12-25 15:05:15
【问题描述】:
我有可以搜索 eDirectory 的工作 VBScript
Set dso = GetObject("LDAP:")
Dim pwd
pwd = "NotTellingU!"
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider", "cn=x12345,ou=IDM,ou=System,o=XYZ" , pwd
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "<LDAP://myservq01.myplace.corp/o=XYZ>;" & _
"(ou=*)" & ";" & "ou;onelevel"
Set objRecordSet = objCommand.Execute
WScript.Echo objRecordSet.RecordCount
尝试在 PowerShell (v2) 中实现此功能:
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null
[System.Reflection.Assembly]::LoadWithPartialName("System.Net") | Out-Null
$BaseDN = "o=XYZ"
$attrlist = "ou"
$scope = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
$Filter = "(ou=*)"
$c = New-Object System.DirectoryServices.Protocols.LdapConnection "myservq01.myplace.corp:389"
$c.SessionOptions.SecureSocketLayer = $FALSE;
$c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
$user = "cn=x12345,ou=IDM,ou=System,o=XYZ"
$pwd = "NotTellingU!"
$NovellCredentials = New-Object "System.Net.NetworkCredential" -ArgumentList $user,$pwd
$c.Credential = $NovellCredentials
$c.Bind()
$r = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $baseDN,$Filter,$scope,$attrlist
$re = $c.SendRequest($r);
"A Total of $($re.Entries.Count) Entry(s) found in LDAP Search"
在执行 Bind 和 SendRequest 的两行中,我得到了
使用“0”参数调用“绑定”的异常:“提供的凭据无效。”
我对两者都进行了 NDS 跟踪。在 VBScript 中是:
LDAP: New cleartext connection 0x2006dc70 from 123.45.211.222:58720, monitor = 0x85f45700, index = 17
LDAP: (123.45.211.222:58720)(0x0001:0x60) DoBind on connection 0x2006dc70
LDAP: (123.45.211.222:58720)(0x0001:0x60) Bind name:cn=x12345,ou=IDM,ou=System,o=XYZ, version:3, authentication:simple
LDAP: (123.45.211.222:58477)(0x0005:0x63) DoSearch on connection 0x2006dc70
LDAP: (123.45.211.222:58477)(0x0005:0x63) Search request:
base: "o=XYZ"
scope:1 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
filter: "(ou=*)"
attribute: "ou"
LDAP: (123.45.211.222:58477)(0x0005:0x63) Sending search result entry "ou=services,o=XYZ" to connection 0x2006dc70
还有来自 PS:
LDAP: New cleartext connection 0x2006dc70 from 123.45.211.222:59552, monitor = 0x85f45700, index = 17
LDAP: (123.45.211.222:59552)(0x0007:0x60) DoBind on connection 0x2006dc70
LDAP: (123.45.211.222:59552)(0x0007:0x60) Bind name:cn=x12345,ou=IDM,ou=System,o=XYZ, version:2, authentication:simple
LDAP: (123.45.211.222:59552)(0x0007:0x60) Failed to authenticate local on connection 0x2006dc70, err = failed authentication (-669)
LDAP: (123.45.211.222:59552)(0x0007:0x60) Sending operation result 49:"":"NDS error: failed authentication (-669)" to connection 0x2006dc70
我能看到的唯一区别是Bind name 行。当它工作时,我看到“版本:3”,当它失败时,“版本:2”,但我没有找到任何我可以在代码中做的事情来控制它。
【问题讨论】:
-
猜你不会觉得这特别有用,但this 说你的问题是:没有设置 NDS 密码限制。相反,这会详细说明用户实际输入错误密码时的结果。
-
在你的VBS中,你用auth创建了
LdapConnection,在powershell中,你先打开连接,然后尝试做事。您是否尝试过先创建凭据,然后在LdapConnection构造函数上使用它? -
在
Bind()之前设置$c.SessionOptions.ProtocolVersion = 3 -
谢谢马蒂亚斯。我现在在跟踪中看到 version:3 但我仍然遇到同样的错误。我知道我传递了正确的凭据,但仍然不明白为什么它们的处理方式不同。
标签: powershell ldap identity-management edirectory netiq