Associate an LDAP user with a group in Java

Posted 2019-02-14 01:18

I'm having problems finding out how to associate an LDAP user with a given group.

This is what I have tried:

    Attributes attrs = new BasicAttributes();

    BasicAttribute basicAttrs = new BasicAttribute("objectclass");
    basicAttrs.add("top");
    basicAttrs.add("person");

    BasicAttribute memberOf = new BasicAttribute("memberOf");
    memberOf.add("Managers");       // Tried with distinguished name too
    memberOf.add("Administrators"); // Tried with distinguished name too

    attrs.put(basicAttrs);          // put(Attribute): the attribute itself is added
    attrs.put("cn", user.getLogin());
    attrs.put("name", user.getLogin());
    attrs.put("login", user.getLogin());
    attrs.put("mail", user.getMail());
    attrs.put("displayName", user.getDisplayName());
    attrs.put("memberOf", memberOf); // put(String, Object): the BasicAttribute object becomes the single value

    try {
        // bind() with a null object and an Attributes set performs an LDAP add of the new entry
        ctx.bind("CN=" + user.getLogin() + "," + baseDn, null, attrs);
    } catch (NamingException e) {
        e.printStackTrace();
    }

I also tried to use distinguished names like "CN=Managers,OU=<system_name>,OU=Users,OU=<server>,DC=com", but it didn't work. I think there should be some way to reference the LDAP group.

But I got this error:

javax.naming.directory.InvalidAttributeValueException: Malformed 'memberOf' attribute value; remaining name 'CN=lcarvalho,OU=<system_name>,OU=Users,OU=<server>,DC=com'
at com.sun.jndi.ldap.LdapClient.encodeAttribute(LdapClient.java:951)
at com.sun.jndi.ldap.LdapClient.add(LdapClient.java:999)
at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:396)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_bind(ComponentDirContext.java:277)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.bind(PartialCompositeDirContext.java:197)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.bind(PartialCompositeDirContext.java:186)
at javax.naming.directory.InitialDirContext.bind(InitialDirContext.java:158)
...

This is the whole stack trace apart from my application's own lines.

4 answers
放荡不羁爱自由
#2 · 2019-02-14 01:47

If you're using OpenLDAP, the memberOf attribute is maintained automatically by the memberOf overlay, and your application shouldn't write it at all. What you should be doing is adding the DN of the user to the uniqueMember or roleOccupant etc. attribute of the group he is joining. Then its DN will magically appear in his memberOf attribute.

Anthone
#3 · 2019-02-14 01:51

Most probably your DN is wrong, because it seems you've specified one extra Organizational Unit instead of a Domain Component:

"CN=Managers,OU=<system_name>,OU=Users,OU=<server>,DC=com"

should be:

"cn=Managers,ou=<system_name>,ou=Users,dc=<server>,dc=com"

In LDAP the directory structure starts with 2 domain components, which are the reversed company domain name (by convention).

In order for your code to work, you have to take into account the following:

  • there's a schema "Person" loaded in your LDAP server

  • there's an attribute "MemberOf" defined in your "Person" schema

  • "MemberOf" requires a full DN as its value

I would also encourage you to take a look at UnboundID LDAP SDK.

Hope that helps.

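Putting the two answers above together, here is an added example (written for this page, not code from any of the posters) using the same JNDI API as the question: the user entry is created without a memberOf attribute, and membership is granted by adding the user's DN to the group's membership attribute, which is the write the server actually accepts on both OpenLDAP (with the memberof overlay) and Active Directory (where memberOf is a computed back-link). The server URL, bind credentials, base DNs, object classes and the choice between `member` (groupOfNames, Active Directory) and `uniqueMember` (groupOfUniqueNames) are assumptions to adapt to your directory. Note also that in the question's code `attrs.put("memberOf", memberOf)` is the two-argument `put(String, Object)`, which stores the BasicAttribute object itself as the attribute value (that is what `encodeAttribute` rejects as malformed); an Attribute object is added with the one-argument `put(Attribute)`, as the example does for objectClass.

```java
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.Hashtable;

/**
 * Added example: create a user entry, then add it to a group by modifying the
 * group's membership attribute instead of writing the user's memberOf.
 * Server URL, base DNs, credentials and attribute names below are assumptions.
 */
public class LdapGroupMembership {

    /** Parses a string into an LdapName so a malformed DN fails fast on the client. */
    static LdapName dn(String value) throws NamingException {
        return new LdapName(value); // throws InvalidNameException on a malformed DN
    }

    /** Builds the user's DN; Rdn.escapeValue escapes ',', '=', '+', '"' etc. in a login. */
    static LdapName userDn(LdapName usersContainer, String login) throws NamingException {
        LdapName name = (LdapName) usersContainer.clone();
        name.add("cn=" + Rdn.escapeValue(login)); // add() appends the leftmost (most specific) RDN
        return name;
    }

    static void createUser(DirContext ctx, LdapName dn, String login, String mail, String displayName)
            throws NamingException {
        Attributes attrs = new BasicAttributes(true); // ignoreCase: attribute ids are case-insensitive
        BasicAttribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("person");
        objectClass.add("organizationalPerson");
        objectClass.add("inetOrgPerson"); // assumed; AD would use "user" instead
        attrs.put(objectClass);           // put(Attribute): adds the attribute itself
        attrs.put("cn", login);
        attrs.put("sn", login);           // 'sn' is mandatory for the person object class
        attrs.put("mail", mail);
        attrs.put("displayName", displayName);
        // No memberOf here: it is server-maintained (AD back-link / OpenLDAP memberof overlay).
        ctx.createSubcontext(dn, attrs);
    }

    /** Grants membership with a single ADD modification on the group entry. */
    static void addToGroup(DirContext ctx, LdapName groupDn, LdapName userDn, String memberAttr)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute(memberAttr, userDn.toString())) // value is the full DN string
        };
        ctx.modifyAttributes(groupDn, mods);
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636"); // assumed; TLS so the bind password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=provisioning,ou=Service Accounts,dc=example,dc=com"); // assumed
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD")); // assumed env var
        DirContext ctx = new InitialDirContext(env);
        try {
            LdapName users = dn("ou=Users,dc=example,dc=com");           // assumed container
            LdapName user = userDn(users, "lcarvalho");
            createUser(ctx, user, "lcarvalho", "lcarvalho@example.com", "L. Carvalho");
            // groupOfNames / Active Directory use "member"; groupOfUniqueNames uses "uniqueMember".
            addToGroup(ctx, dn("cn=Managers,ou=Groups,dc=example,dc=com"), user, "member");
        } finally {
            ctx.close();
        }
    }
}
```

Two details are there on purpose. Building the DN through LdapName and Rdn.escapeValue instead of string concatenation means a login containing `,` or `=` cannot push the new entry into a different container or add an extra RDN (the question's `"CN=" + user.getLogin() + "," + baseDn` is exposed to exactly that). And the group modification is a single ADD of one value, so if the account already has that group the server returns attributeOrValueExists rather than silently overwriting the group's member list, which a REPLACE would do.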
做自己的国王
#4 · 2019-02-14 01:54

The value of the memberOf attribute is wrong. The memberOf attribute is probably a distinguished name. LDAP clients should consult the schema (the base DN of which might be available in the root DSE) when in doubt about the syntax, ordering, or matching rules of an attribute.

对你真心纯属浪费
#5 · 2019-02-14 01:59

I had the same problem. Check the value type of this attribute using any LDAP client (for example Apache Directory Studio). If you try to replace an attribute whose type is String with an int value, it will throw this error.
