我需要使用StartTLS连接到AD LDS实例,并从那里获取用户列表。不幸的是,它必须在传统的C ++应用程序中完成。 我在Windows 2008 R2计算机上安装了测试AD LDS(在网络服务上运行),看起来我正确设置了SSL,并且可以使用Apache Directory Studio从我的客户端计算机访问它(使用Simple Auth + StartTLS)或Ldap Admin。
C ++中的代码调用
hr = ADsOpenObject(
szPath, strUserName, strPassword, m_authentication,
IID_IADs, (void**)&m_pObject);
(https://msdn.microsoft.com/en-us/library/aa772238(v=vs.85).aspx)
其中szPath是LDAP:// IP:10386 / CN = Users,DC = Product,DC = local; strUserName是CN = admin,CN = Users,DC = Product,DC = local; m_authentication是ADS_AUTHENTICATION_ENUM(https://msdn.microsoft.com/en-us/library/aa772247%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396)
根据微软的例子,我正在尝试不同的ADS_SECURE_AUTHENTICATION,ADS_USE_ENCRYPTION和ADS_USE_SSL组合。
到目前为止,ADS_USE_ENCRYPTION和ADS_USE_SSL给出了最有希望的错误
00002028: LdapErr: DSID-0C0901FB, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1
A more secure authentication method is required for this server.
ADS_SECURE_AUTHENTICATION + ADS_USE_SSL + ADS_USE_ENCRYPTION给予
The user name or password is incorrect.
服务器日志提供2个失败的Auth事件: 计算机尝试验证帐户的凭据。
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: CN=admin,CN=Users,DC=Product,DC=local
Source Workstation: <MachineName>
Error Code: 0xc0000064
和
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: CN=admin,CN=Users,DC=Product,DC=local
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: <MachineName>
Source Network Address: IP
Source Port: PortNum
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
喜欢它尝试验证用户与本地计算机或全局AD,而不是我的测试AD LDS。
有没有办法强制它验证用户对我的测试AD LDS?