Cannot connect to AD from Java code

2023-09-08 13:21:27 Author: 寄遠方詩信λ


I'm trying to retrieve some information from MS Active Directory (AD hereinafter), for example -

members of a specific branch, department names, positions,

and so on, list is available here - All Attributes of AD

I used a lot of examples, including Apache Directory LDAP API and UnboundID, but the problem remains - I cannot get a connection with AD.

The path to the root of a LDAP tree -

C:\Users\Alexey> whoami /fqdn
   CN=my common name here,OU=my organization unit here,OU=organization unit 2 here,OU=organization unit 1 here,OU=main organization unit here,DC=.my domain here,DC=domain 2 here,DC=main domain here

Some of the Java code I use to search -

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;

public class LdapRetriveAll {
    public static void main(String[] args) {

        Hashtable<String, String> env = new Hashtable<>();

        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + "ip of domain controller here" + ":389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // I also tried the following forms of SECURITY_PRINCIPAL: my login only, and my domain\my login
        env.put(Context.SECURITY_PRINCIPAL, "my login here" + "@" + "my domain here.domain 2 here.main domain here");
        env.put(Context.SECURITY_CREDENTIALS, "my password here");

        try {

            // The bind happens here; this is the line that throws the AuthenticationException below
            DirContext ctx = new InitialLdapContext(env, null);

            String[] returnedAtts = {"sn", "title", "department", "givenName"};

            SearchControls searchCtls = new SearchControls();
            searchCtls.setReturningAttributes(returnedAtts);
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            String searchFilter = "(&(objectClass=user)(cn=*))";
            String searchBase = "DC=my domain here,DC=domain 2 here,DC=main domain here";

            NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);

            // Print the requested attributes of every matching user
            while (answer.hasMore()) {
                SearchResult sr = answer.next();
                System.out.println(sr.getNameInNamespace() + " : " + sr.getAttributes());
            }
            answer.close();
            ctx.close();

        } catch (NamingException e) {
            System.err.println("Problem searching directory: " + e);
        }
    }
}

When I create a directory context based on the data from the hash table, I get an exception:

Exception 1 -

Exception in thread "main" javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece]

If I don't specify the password, I get another exception when searching:

Exception 2 -

Problem searching directory: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'DC=my domain here,DC=domain 2 here,DC=main domain here'

I have verified that my account is not locked.

I found a list of common Active Directory LDAP bind errors -

...
525    user not found
52e    invalid credentials
530    not permitted to logon at this time
531    not permitted to logon at this workstation
532    password expired
533    account disabled
701    account expired
773    user must reset password
775    user account locked
...

In my case it means "not permitted to logon at this workstation", but with the same credentials I can log on to the domain.

What may the problem be?

Solution

The error code 531 is most likely related to the configuration of the AD. In some cases a user is restricted to log in from only one workstation, for example your working PC. This is configured in the userWorkstations field of the user. When you can't log in to your AD using RDP, you need your AD admin to check your account for this field and that the AD server is included in your userWorkstations, or that the field is removed completely.
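The following is an added example, not code from the question or the answer. It ties the two halves of this thread together: it decodes the "data NNN" sub-code that AD appends to LDAP error 49 (the table quoted in the question, applied to the exact exception message the asker posted) and, given a separately bound account that can read user objects, it looks up the userWorkstations attribute that the answer says to check. The class name AdBindDiagnostics, the ldaps://dc01.example.com URL, the DC=example,DC=com base, the svc@example.com service account and the sample account name alexey are all assumptions; Map.of needs Java 9 or newer.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdBindDiagnostics {

    // Sub-codes AD appends to LDAP error 49 (the list quoted in the question), keyed as the DC writes them.
    private static final Map<String, String> BIND_SUBCODES = Map.of(
            "525", "user not found",
            "52e", "invalid credentials",
            "530", "not permitted to logon at this time",
            "531", "not permitted to logon at this workstation",
            "532", "password expired",
            "533", "account disabled",
            "701", "account expired",
            "773", "user must reset password",
            "775", "user account locked");

    private static final Pattern DATA_CODE =
            Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** Returns the hex sub-code from an error-49 message, or null if the message carries none. */
    static String extractSubCode(String message) {
        if (message == null) return null;
        Matcher m = DATA_CODE.matcher(message);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    static String describeBindFailure(String message) {
        String code = extractSubCode(message);
        if (code == null) return "bind failed (no AD sub-code in message)";
        return "bind failed, data " + code + ": " + BIND_SUBCODES.getOrDefault(code, "unknown sub-code");
    }

    /** Simple bind. Use ldaps:// (or StartTLS): a simple bind over plain ldap:// sends the password in clear. */
    static LdapContext bind(String url, String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    /** RFC 4515 escaping, so an attacker-controlled account name cannot rewrite the search filter. */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** userWorkstations of the account: null if the user is not found, "" if the attribute is unset. */
    static String readUserWorkstations(LdapContext ctx, String searchBase, String samAccountName)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"userWorkstations"});
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(samAccountName) + "))";
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, sc);
        try {
            if (!results.hasMore()) return null;
            Attribute a = results.next().getAttributes().get("userWorkstations");
            return a == null ? "" : String.valueOf(a.get());
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) {
        // Offline part: decode the exception message quoted in the question (constructed from the post).
        String sample = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                + "comment: AcceptSecurityContext error, data 531, vece]";
        System.out.println(describeBindFailure(sample));

        // Live part, only when a DC is given. All arguments are assumptions, for example:
        //   java AdBindDiagnostics ldaps://dc01.example.com:636 DC=example,DC=com svc@example.com pw alexey
        if (args.length < 5) return;
        LdapContext ctx = null;
        try {
            ctx = bind(args[0], args[2], args[3]);
            String ws = readUserWorkstations(ctx, args[1], args[4]);
            if (ws == null) System.out.println("user " + args[4] + " not found under " + args[1]);
            else if (ws.isEmpty()) System.out.println("userWorkstations is empty: no workstation restriction");
            else System.out.println("userWorkstations = " + ws + " (host running the Java code must be listed)");
        } catch (AuthenticationException e) {
            System.err.println(describeBindFailure(e.getMessage()));
        } catch (NamingException e) {
            System.err.println("LDAP error: " + e);
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) { }
        }
    }
}
```

Two practical notes. userWorkstations holds a comma-separated list of NetBIOS computer names (the "Log On To" list in the account's properties); a restricted account can only bind from a listed machine, which is why the same credentials work on the asker's own PC but not from wherever the Java program runs. Reading the attribute requires a successful bind first, hence the separate service account above; the restricted account itself would fail with data 531 before any search, exactly as in the question. And a simple bind over ldap://…:389 sends the password in the clear, so an ldaps:// URL (or StartTLS) is the right choice in any real deployment, not only in this diagnostic.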