WSO2 updating a user in AD

Time: 2017-12-24 09:53:57

Tags: java wso2 wso2is

We are trying to connect to Active Directory as a secondary user store. We successfully retrieved data from AD, but when we try to update the user's info from the user profile we get the following message:

(screenshot of the error message; image not included on this page)

When we looked at the logs we found the following problem:

javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090EC7, comment: Error in attribute conversion operation, data 0, v3839]; remaining name 'CN=mhejazi'

The secondary store configuration is:

<?xml version="1.0" encoding="UTF-8"?>
<UserStoreManager class="org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager">
  <Property name="ConnectionURL">ldap://10.3.5.33:389</Property>
  <Property name="ConnectionName">CN=mhejazi,CN=Users,DC=devdc,DC=sure,DC=Com,DC=sa</Property>
  <Property encrypted="true" name="ConnectionPassword">kuv2MubUUveMyv6GeHrXr9il59ajJIqUI4eoYHcgGKf/BBFOWn96NTjJQI+wYbWjKW6r79S7L7ZzgYeWx7DlGbff5X3pBN2Gh9yV0BHP1E93QtFqR7uTWi141Tr7V7ZwScwNqJbiNoV+vyLbsqKJE7T3nP8Ih9Y6omygbcLcHzg=</Property>
  <Property name="UserSearchBase">CN=Users,DC=devdc,DC=sure,DC=com,DC=sa</Property>
  <Property name="UserEntryObjectClass">user</Property>
  <Property name="UserNameAttribute">sAMAccountName</Property>
  <Property name="UserNameSearchFilter">(&amp;(objectClass=user)(sAMAccountName=?))</Property>
  <Property name="UserNameListFilter">(objectClass=person)</Property>
  <Property name="UserDNPattern"/>
  <Property name="DisplayNameAttribute"/>
  <Property name="Disabled">false</Property>
  <Property name="ReadGroups">true</Property>
  <Property name="WriteGroups">true</Property>
  <Property name="GroupSearchBase">CN=Users,DC=devdc,DC=sure,DC=com,DC=sa</Property>
  <Property name="GroupEntryObjectClass">group</Property>
  <Property name="GroupNameAttribute">cn</Property>
  <Property name="GroupNameSearchFilter">(&amp;(objectClass=group)(cn=?))</Property>
  <Property name="GroupNameListFilter">(objectcategory=group)</Property>
  <Property name="RoleDNPattern"/>
  <Property name="MembershipAttribute">member</Property>
  <Property name="MemberOfAttribute">memberOf</Property>
  <Property name="BackLinksEnabled">true</Property>
  <Property name="Referral">follow</Property>
  <Property name="UserNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
  <Property name="UserNameJavaScriptRegEx">^[\S]{3,30}$</Property>
  <Property name="UsernameJavaRegExViolationErrorMsg">Username pattern policy violated.</Property>
  <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
  <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
  <Property name="PasswordJavaRegExViolationErrorMsg">Password pattern policy violated.</Property>
  <Property name="RoleNameJavaRegEx">[a-zA-Z0-9._-|//]{3,30}$</Property>
  <Property name="RoleNameJavaScriptRegEx">^[\S]{3,30}$</Property>
  <Property name="SCIMEnabled">false</Property>
  <Property name="BulkImportSupported">true</Property>
  <Property name="EmptyRolesAllowed">true</Property>
  <Property name="PasswordHashMethod">PLAIN_TEXT</Property>
  <Property name="MultiAttributeSeparator">,</Property>
  <Property name="isADLDSRole">false</Property>
  <Property name="userAccountControl">512</Property>
  <Property name="MaxUserNameListLength">100</Property>
  <Property name="MaxRoleNameListLength">100</Property>
  <Property name="kdcEnabled">false</Property>
  <Property name="defaultRealmName">WSO2.ORG</Property>
  <Property name="UserRolesCacheEnabled">true</Property>
  <Property name="ConnectionPoolingEnabled">false</Property>
  <Property name="LDAPConnectionTimeout">5000</Property>
  <Property name="ReadTimeout">5000</Property>
  <Property name="RetryAttempts">0</Property>
  <Property name="CountRetrieverClass"/>
  <Property name="java.naming.ldap.attributes.binary"/>
  <Property name="DomainName">devdc.sure.com.sa</Property>
  <Property name="Description">Sue Dev</Property>
</UserStoreManager>

1 answer:

Answer 0 (score: 0)

javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LdapErr: DSID-0C090D50, comment: Error in attribute conversion operation, data 0, v3839

This error occurs when the claim mappings are not configured correctly against the AD attributes via the Claim Management UI.

You need to make sure that all the mapped attributes are valid and exist in Active Directory. Different user stores use different attributes; in [2] you can find a reference to the attribute set supported by Active Directory. The default WSO2 claims are mapped to some generic attributes: Firstname is mapped to the nickname attribute, but Active Directory has no nickname attribute. Full Name is mapped to the cn attribute, and in Active Directory cn has a different semantic meaning.

Likewise, in your claim configuration you need to make sure that all the attributes defined there are supported by Active Directory. If one is not supported, you can add another mapped attribute that AD supports in the claim configuration of the local claim. A sample configuration is shown below. (screenshot of the sample claim configuration; image not included on this page)

For more details, please refer to [3].

[1] https://wiki.servicenow.com/index.php?title=LDAP_Error_Codes

[2] http://www.kouti.com/tables/userattributes.htm

[3] https://docs.wso2.com/display/IS540/Managing+User+Attributes
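As an added example (not code from the question, the answer or WSO2), the following Python script performs the check the answer recommends, offline: it parses a claim-config.xml fragment in the WSO2 IS 5.x layout (`Claims` / `Dialect` / `Claim` with `ClaimURI` and `AttributeID`), resolves each claim's mapped attribute for one user store domain, and reports every mapping whose attribute is not among the `lDAPDisplayName` values AD user objects carry. It also decodes the JNDI error string from the log: LDAP result code 16 is `noSuchAttribute` (RFC 4511) and `00000057` is the Win32 code `ERROR_INVALID_PARAMETER` (0x57). The AD attribute set and the claim-config fragment are constructed here, the `attr;DOMAIN/attr` syntax for per-user-store mapped attributes and the domain name `DEVDC` are assumptions, and the `nickname` mapping is deliberately included as the kind of entry that triggers the error.

```python
"""Check WSO2 claim mappings against the attributes an AD user store knows.

Added example, not WSO2 code. The attribute set below is a constructed
subset; for a real check dump the full list from the schema partition:
  ldapsearch -b "CN=Schema,CN=Configuration,DC=devdc,DC=sure,DC=com,DC=sa" \
      "(objectClass=attributeSchema)" lDAPDisplayName
"""
import re
import xml.etree.ElementTree as ET

# Constructed subset of lDAPDisplayName values that AD 'user' objects carry.
AD_USER_ATTRIBUTES = {
    "sAMAccountName", "userPrincipalName", "cn", "displayName", "givenName",
    "sn", "mail", "telephoneNumber", "mobile", "title", "department",
    "streetAddress", "l", "st", "postalCode", "co", "userAccountControl",
    "memberOf", "objectGUID",
}

# Constructed claim-config.xml fragment in the WSO2 IS 5.x layout.
# 'nickname' does not exist in AD and is the kind of mapping that makes a
# profile update fail with LDAP error code 16.
CLAIM_CONFIG = """<Claims>
  <Dialect dialectURI="http://wso2.org/claims">
    <Claim>
      <ClaimURI>http://wso2.org/claims/givenname</ClaimURI>
      <DisplayName>First Name</DisplayName>
      <AttributeID>givenName</AttributeID>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/nickname</ClaimURI>
      <DisplayName>Nick Name</DisplayName>
      <AttributeID>nickname</AttributeID>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/emailaddress</ClaimURI>
      <DisplayName>Email</DisplayName>
      <AttributeID>mail</AttributeID>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/streetaddress</ClaimURI>
      <DisplayName>Street</DisplayName>
      <AttributeID>street;DEVDC/streetAddress</AttributeID>
    </Claim>
  </Dialect>
</Claims>"""

# JNDI formats AD failures as "[LDAP: error code N - HHHHHHHH: LdapErr: ...]".
LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<ldap>\d+) - (?P<win>[0-9A-Fa-f]{8}): LdapErr")
LDAP_RESULT_NAMES = {16: "noSuchAttribute", 17: "undefinedAttributeType",
                     19: "constraintViolation", 32: "noSuchObject",
                     49: "invalidCredentials", 50: "insufficientAccessRights"}


def parse_ldap_error(message):
    """Return the LDAP result code and Win32 error from a JNDI exception message."""
    m = LDAP_ERR_RE.search(message)
    if not m:
        return None
    code = int(m.group("ldap"))
    return {"ldap_code": code,
            "ldap_name": LDAP_RESULT_NAMES.get(code, "unknown"),
            "win32_error": int(m.group("win"), 16)}


def mapped_attribute(attribute_id, domain):
    """Resolve an AttributeID for one user store domain.

    Assumed syntax: 'attr;DOMAIN1/attr1;DOMAIN2/attr2'. A domain-specific
    entry wins over the plain default entry.
    """
    default = None
    for part in attribute_id.split(";"):
        part = part.strip()
        if "/" in part:
            dom, attr = part.split("/", 1)
            if dom.upper() == domain.upper():
                return attr
        elif default is None:
            default = part
    return default


def load_claim_mappings(xml_text, dialect="http://wso2.org/claims"):
    """Map ClaimURI -> AttributeID for the given dialect."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for dia in root.findall("Dialect"):
        if dia.get("dialectURI") != dialect:
            continue
        for claim in dia.findall("Claim"):
            uri, attr = claim.findtext("ClaimURI"), claim.findtext("AttributeID")
            if uri and attr:
                mappings[uri] = attr
    return mappings


def find_unsupported(mappings, ad_attributes, domain):
    """Return {ClaimURI: attribute} for mappings AD cannot store.

    AD attribute names are case-insensitive, so compare case-folded.
    """
    known = {a.lower() for a in ad_attributes}
    bad = {}
    for uri, attribute_id in mappings.items():
        attr = mapped_attribute(attribute_id, domain)
        if attr is None or attr.lower() not in known:
            bad[uri] = attr
    return bad


if __name__ == "__main__":
    log_line = ("javax.naming.directory.NoSuchAttributeException: [LDAP: error "
                "code 16 - 00000057: LdapErr: DSID-0C090EC7, comment: Error in "
                "attribute conversion operation, data 0, v3839]; remaining name 'CN=mhejazi'")
    print(parse_ldap_error(log_line))
    for uri, attr in find_unsupported(load_claim_mappings(CLAIM_CONFIG),
                                      AD_USER_ATTRIBUTES, "DEVDC").items():
        print(f"{uri} -> {attr!r}: not an AD attribute, fix it in Claim Management")
```

Fix every flagged claim in the Claim Management UI (or give it a domain-specific mapped attribute that AD does have) and retry the profile update. Two further points about the posted store configuration: `ldap://...:389` is fine for reads, but AD only accepts password writes (`unicodePwd`) over an encrypted connection, so a writable AD store should use `ldaps://`; and the configuration as posted includes the bind DN, an internal IP and the (encrypted) bind password, which are worth redacting before sharing.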