[工作记录] AD账号建立

/*=======================================*/
/*验证操作不需要ssl验证,创建账号还是加上ssl认证为好*/
/*======================================*/
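public class AdUtils {

    /** JNDI provider used for every connection. */
    private static final String LDAP_CTX_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    // userAccountControl flag bits, as defined in lmaccess.h
    static final int UF_ACCOUNTDISABLE = 0x0002;
    static final int UF_PASSWD_NOTREQD = 0x0020;
    static final int UF_PASSWD_CANT_CHANGE = 0x0040;
    static final int UF_NORMAL_ACCOUNT = 0x0200;
    static final int UF_DONT_EXPIRE_PASSWD = 0x10000;
    static final int UF_PASSWORD_EXPIRED = 0x800000;

    private final String url;
    private final String principal;
    private final String credentials;
    private final boolean useSsl;

    /**
     * Configures a connection to one directory server. Credentials are supplied by the
     * caller rather than hard-coded, so the class can be used against any domain and the
     * secret never lives in source control.
     *
     * @param url provider URL, e.g. {@code ldap://host:636/} for LDAPS or {@code ldap://host:389/}
     *     for a plaintext port that is upgraded with StartTLS
     * @param principal bind account (an AD user name or DN accepted for simple bind)
     * @param credentials bind password
     * @param useSsl {@code true} to open the socket with SSL/TLS directly (LDAPS); {@code false}
     *     to connect in plaintext and negotiate StartTLS before binding
     * @throws NullPointerException if any string argument is {@code null}
     */
    public AdUtils(String url, String principal, String credentials, boolean useSsl) {
        this.url = java.util.Objects.requireNonNull(url, "url");
        this.principal = java.util.Objects.requireNonNull(principal, "principal");
        this.credentials = java.util.Objects.requireNonNull(credentials, "credentials");
        this.useSsl = useSsl;
    }

    /**
     * Builds the mandatory attributes of an AD user object.
     *
     * <p>Optional attributes such as {@code givenName}, {@code sn}, {@code displayName},
     * {@code description}, {@code userPrincipalName}, {@code mail} and {@code telephoneNumber}
     * can be added by the caller; note the schema name is {@code givenName}, not
     * {@code giveName}. The original listing noted that Win2K3 generates a random
     * sAMAccountName when none is given (Win2K does not); supplying one explicitly avoids
     * relying on that.
     *
     * @param samAccountName pre-Windows 2000 logon name
     * @param cn common name of the object (must match the RDN used for the DN)
     * @return a case-insensitive attribute set containing objectClass, sAMAccountName and cn
     */
    public static Attributes baseUserAttributes(String samAccountName, String cn) {
        // ignoreCase = true: LDAP attribute names are case-insensitive
        Attributes attrs = new BasicAttributes(true);
        attrs.put("objectClass", "user");
        attrs.put("sAMAccountName", samAccountName);
        attrs.put("cn", cn);
        return attrs;
    }

    /**
     * userAccountControl value used at creation time: a normal, disabled account for which
     * no password is required yet. The object must exist before a password can be set, so
     * without UF_PASSWD_NOTREQD the password filter rejects the create with error 53
     * (unwilling to perform).
     *
     * @return the decimal string form AD expects for the attribute
     */
    static String initialAccountControl() {
        return Integer.toString(
            UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_PASSWORD_EXPIRED | UF_ACCOUNTDISABLE);
    }

    /**
     * userAccountControl value applied once the password is set: enabled, password
     * expired so the user must change it at first logon.
     *
     * @return the decimal string form AD expects for the attribute
     */
    static String enabledAccountControl() {
        return Integer.toString(UF_NORMAL_ACCOUNT | UF_PASSWORD_EXPIRED);
    }

    /**
     * Encodes a password for the {@code unicodePwd} attribute: the value must be the
     * password wrapped in double quotes, encoded as UTF-16LE.
     *
     * @param password clear-text password
     * @return the encoded attribute value
     */
    static byte[] encodeQuotedPassword(String password) {
        String quoted = "\"" + password + "\"";
        return quoted.getBytes(java.nio.charset.StandardCharsets.UTF_16LE);
    }

    /**
     * Creates a user object, sets its initial password, enables the account with
     * "must change password at next logon", and optionally adds it to a group.
     *
     * <p>Order of operations: the object is first created disabled (see
     * {@link #initialAccountControl()}); then {@code unicodePwd} and
     * {@code userAccountControl} are replaced in a single modify; then the group's
     * {@code member} attribute is extended. Setting {@code unicodePwd} is only accepted
     * over an encrypted connection, so the connection is either LDAPS or upgraded with
     * StartTLS before the bind — the bind credentials are therefore never sent in the clear.
     *
     * @param userDn distinguished name of the new user, relative to the provider URL
     * @param groupDn DN of the group to add the user to, or {@code null} to skip that step
     * @param userAttrs attributes of the new object (see {@link #baseUserAttributes});
     *     any {@code userAccountControl} it contains is overwritten
     * @param password initial clear-text password; sent only over TLS and never logged
     * @throws NamingException if the directory rejects the create or the password/enable modify
     *     (a failed group add is reported on stderr and not propagated)
     * @throws IOException if StartTLS negotiation or shutdown fails
     * @throws NullPointerException if userDn, userAttrs or password is {@code null}
     */
    public void createUser(String userDn, String groupDn, Attributes userAttrs, String password)
            throws NamingException, IOException {
        java.util.Objects.requireNonNull(userDn, "userDn");
        java.util.Objects.requireNonNull(userAttrs, "userAttrs");
        java.util.Objects.requireNonNull(password, "password");

        // Connect without credentials; the bind happens only once the channel is encrypted.
        LdapContext ctx = new InitialLdapContext(connectionEnvironment(), null);
        StartTlsResponse tls = null;
        try {
            if (!useSsl) {
                // Plaintext port: upgrade to TLS first. (StartTLS is not layered on an LDAPS
                // connection; servers typically refuse it when TLS is already in use.)
                tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
                tls.negotiate();
            }
            bind(ctx);

            Attributes attrs = (Attributes) userAttrs.clone();
            attrs.put("userAccountControl", initialAccountControl());
            // createSubcontext returns a context for the new entry; it is not needed, so close it.
            ctx.createSubcontext(userDn, attrs).close();
            System.out.println("Created disabled account for: " + userDn);

            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeQuotedPassword(password))),
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("userAccountControl", enabledAccountControl()))
            };
            ctx.modifyAttributes(userDn, mods);
            System.out.println("Set password & updated userAccountControl");

            if (groupDn != null) {
                addToGroup(ctx, userDn, groupDn);
            }
            System.out.println("Successfully created User: " + userDn);
        } finally {
            // TLS is torn down only after the group update: the original author observed that
            // closing it before the last modify broke the context.
            try {
                if (tls != null) {
                    tls.close();
                }
            } finally {
                ctx.close();
            }
        }
    }

    /** Environment for the initial, unauthenticated connection. */
    private Hashtable<String, String> connectionEnvironment() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_CTX_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        if (useSsl) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    /** Adds simple-bind credentials to an already-encrypted context; the next operation binds. */
    private void bind(LdapContext ctx) throws NamingException {
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, principal);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, credentials);
    }

    /** Best-effort group membership: a failure is reported on stderr, not propagated. */
    private static void addToGroup(LdapContext ctx, String userDn, String groupDn) {
        ModificationItem[] member = {
            new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("member", userDn))
        };
        try {
            ctx.modifyAttributes(groupDn, member);
            System.out.println("Added user to group: " + groupDn);
        } catch (NamingException e) {
            System.err.println("Problem adding user to group: " + e);
        }
    }
}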

转载于:https://my.oschina.net/u/1579678/blog/779992
