原创内容,爬取请指明出处:https://www.cnblogs.com/Lucy151213/p/11005298.html
公司做大后,用到的系统就会越来越多,来个新员工,需要在HR系统添加,然后再到域控系统添加,可能还需要到NC,OA等系统添加账号。后来公司引入总线系统,来个新员工只需要在HR系统添加账号,HR系统把员工信息下发到总线系统,总线系统再下发到其他各个系统,这样能保证数据的一致性。
我负责的那块就是让域控系统接收总线系统下发的员工信息。我在域控服务与总线系统中间搭建一层restful的服务,用于接收解析总线请求,调用相应域控方法。
在开发过程中花最多时间的地方是在证书认证那块,针对修改密码这种包含敏感信息的方法,需用LDAP协议才能实现。
- 域控服务安装
什么是域控服务,参考下面的链接可以对域控有个大概了解:
https://www.cnblogs.com/cnjavahome/p/9029665.html
怎么安装AD证书,我是参考如下文章安装的:
https://blog.csdn.net/hc1017/article/details/81293323
- 证书导出
导出证书步骤也可以参考上面的链接:https://blog.csdn.net/hc1017/article/details/81293323 。需要注意一点是链接里面证书导出选择的是’DER编码二进制X.509(.CER)(D)’,我们这里需要选择’Base64编码X.509(.CER)(S)’,我之前选择DER那种格式就是不成功,换成Base64才成功的(几种格式试出来的o(╥﹏╥)o)。
给导出的证书取名为cert.cer,文件长这样:
执行下面的命令(需把keytool所在目录设置为系统变量,位置在:C:\Program Files\Java\jre1.8.0_102\bin):
keytool -importcert -keystore F:/yourpath/security.keystore -storepass 123456 -keypass 123456 -alias security -file F:/cert.cer
生成一个叫做security.keystore的文件,将这个文件拷贝到你的Java目录下面,如:C:\Program Files\Java\jre1.8.0_102\lib\security
- 中间服务开发
部门或者员工都有编号这个属性,但是域控服务没有这个属性,我把部门编号,员工编号放在域控的属性‘描述’里面,对应的字段叫做‘description’。
全局文件配置如下:
①添加更新部门
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");//LDAP访问安全级别:"none","simple","strong"
env.put(Context.SECURITY_PRINCIPAL, ADMINNAME);// AD User
env.put(Context.SECURITY_CREDENTIALS, ADMINPASSWORD);// AD Password
env.put(Context.PROVIDER_URL, LDAPURL);// LDAP工厂类
LdapContext ctx = null;
try {
ctx = new InitialLdapContext(env, null);
SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String searchFilter = "(&(objectClass=organizationalUnit)(description=" + departId + "))";//查询这个部门信息
String searchBase = "OU=实际情况,DC=实际情况,DC=com";//在整个公司查找指定description
String returnedAtts[] = {"name", "description", "distinguishedName"};//用于获取组织机构
searchCtls.setReturningAttributes(returnedAtts);
boolean isDepartExits = false;
NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
while (answer.hasMoreElements()) {//理论上id是不会重复的,所以这边parentDC只会赋值一次
isDepartExits = true;//如果找到值,那么就表示有这个部门,就更新
SearchResult sr = answer.next();
Attributes Attrs = sr.getAttributes();//得到符合条件的属性集
if (Attrs != null) {
for (NamingEnumeration ne = Attrs.getAll(); ne.hasMore(); ) {
Attribute Attr = (Attribute) ne.next();//得到下一个属性
if ("distinguishedName".equals(Attr.getID())) {
for (NamingEnumeration e = Attr.getAll(); e.hasMore(); ) {
String userInfo = e.next().toString();
departDC = userInfo;
System.out.print(userInfo);
}
}
System.out.println("");
}
}
}
if (isDepartExits) {//这个部门id存在,那么如果传入的部门名称不相同,就更新部门名称,相同就不做处理
if (!isNullOrEmpty(departDC)) {
String[] dcs = departDC.split(",");
if (dcs.length > 0) {//名称不相同表示修改了部门名称,那么就修改
if (!((dcs[0].substring(dcs[0].indexOf("=") + 1)).equals(departName))) {
String newDc = "OU=" + departName + departDC.substring(departDC.indexOf(","), departDC.length());
ctx.rename(departDC, newDc);
retMsg.setSuccess(true);
retMsg.setMsg("更新成功");
retMsg.setUid(departId);
logger.info("更新部门成功。 departId:"+departId+" departDC:"+departDC);
} else {
retMsg.setSuccess(true);
retMsg.setMsg("部门名字未做修改,不处理");
retMsg.setUid(departId);
logger.info("部门名称未做修改,不予更新。 departId:"+departId+" departDC:"+departDC);
}
}
}
} else {//添加新部门,首先检查父id是否有效
String searchFilter1 = "(&(objectClass=organizationalUnit)(description=" + parentId + "))";//查询父id信息
NamingEnumeration<SearchResult> answer1 = ctx.search(searchBase, searchFilter1, searchCtls);
while (answer1.hasMoreElements()) {//理论上id是不会重复的,所以这边parentDC只会赋值一次
SearchResult sr = answer1.next();
Attributes Attrs = sr.getAttributes();//得到符合条件的属性集
if (Attrs != null) {
for (NamingEnumeration ne = Attrs.getAll(); ne.hasMore(); ) {
Attribute Attr = (Attribute) ne.next();//得到下一个属性
if ("distinguishedName".equals(Attr.getID())) {
for (NamingEnumeration e = Attr.getAll(); e.hasMore(); ) {
String userInfo = e.next().toString();
parentDC = userInfo;
}
}
}
}
}
if (isNullOrEmpty(parentDC)) {
logger.error("父组织的id不存在。 departId:"+departId);
return getNoParamDataMessage("父组织的id不存在");
} else {
ldapGroupDN = "OU=" + departName + "," + parentDC;
//查询这个departId是否存在
try {
Attributes attrs = ctx.getAttributes(parentDC);//note......
NamingEnumeration<String> nEnum = attrs.getIDs();
//如果没有报错,说明有这个组织的dn,那么如果明知不相同
Attributes attrs1 = new BasicAttributes();
attrs1.put("objectClass", "organizationalunit");
attrs1.put("description", departId);//部门的id放在description下面
ctx.createSubcontext(ldapGroupDN, attrs1);
retMsg.setSuccess(true);
retMsg.setMsg("添加成功");
retMsg.setUid(departId);
logger.info("部门添加成功。 departId:"+departId+" departDC:"+ldapGroupDN);
} catch (Exception ex) {
logger.error("添加部门发生异常。departId:"+departId+" departDC:"+ldapGroupDN+" 。ex:"+ex.getMessage());
logger.error("stack:"+ex.getStackTrace());
}
}
}
ctx.close();
} catch (NamingException e) {
logger.error("添加或者更新部门发生异常。departId:"+departId+" stack:"+e.getStackTrace());
retMsg.setUid(departId);
retMsg.setSuccess(false);
retMsg.setMsg("失败");
ctx.close();
}
②删除部门
和上面的代码类似,在获取到departDC后执行:ctx.destroySubcontext(departDC);
③添加更新用户
之前写的挫,每次添加更新我就创建一次连接,有一次传很多用户过来,然后速度就很慢,所有把创建连接提出来。
循环调用添加/更新用户方法:
LdapContext ctx = null;
LdapContext sslCtx = null;
try {
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");//LDAP访问安全级别:"none","simple","strong"
env.put(Context.SECURITY_PRINCIPAL, ADMINNAME);// AD User
env.put(Context.SECURITY_CREDENTIALS, ADMINPASSWORD);// AD Password
env.put(Context.PROVIDER_URL, LDAPURL);// LDAP工厂类
ctx = new InitialLdapContext(env, null);
sslCtx = getSslConn();
for (UserEntity u :
users) {
dataMessageList.add(ADHelpUtil.addUserNew(u,ctx,sslCtx));
}
ctx.close();
sslCtx.close();
}catch (Exception ex){
logger.error("新方法添加用户异常。ex:"+ex.getMessage());
try {
ctx.close();
sslCtx.close();
} catch (NamingException e) {
e.printStackTrace();
}
}
获取SSL连接代码如下:
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");//LDAP访问安全级别:"none","simple","strong"
env.put(Context.SECURITY_PRINCIPAL, ADMINNAME);// AD User
env.put(Context.SECURITY_CREDENTIALS, ADMINPASSWORD);// AD Password
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.PROVIDER_URL, LDAPSURL);// LDAP工厂类
System.setProperty("javax.net.ssl.trustStore", TRUST_STORE_PATH);
System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);
LdapContext ctx = null;
try {
ctx = new InitialLdapContext(env, null);
return ctx;
}catch (Exception ex){
System.out.println("Problem resetting password: " + ex);
ex.printStackTrace();
}
添加方法代码片段如下:
try {
SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String searchFilter = "(&(objectClass=user)(description=" + uid + "))";//查询这个用户信息
String searchBase = "OU=实际情况,DC=实际情况,DC=com";//在整个公司查找指定description
String returnedAtts[] = {"name", "description", "distinguishedName"};//用于获取组织机构
searchCtls.setReturningAttributes(returnedAtts);
boolean isUserExits = false;
NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);
if(answer.hasMoreElements()){//理论上id是不会重复的,所以这边usertDC只会赋值一次
isUserExits = true;//如果找到值,那么就表示有这个部门,就更新
userDC = getDistinguishedName(answer);
}
//检测部门编号查询部门是否存在,不存在抛挫,代码省略
//检测传入的员工经理是否有效,无需抛挫,代码省略
if (isUserExits) {//用户存在,如果名或姓或部门id有变化,就修改
if (!isNullOrEmpty(userDC)) {
//如果用户cancel=1,就直接停用,不用去修改其他属性
if("1".equals(canceld)){//启用停用需要使用ssl协议
ModificationItem[] mods = new ModificationItem[1];
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
new BasicAttribute("userAccountControl",
Integer.toString(DONT_EXPIRE_PASSWORD+UF_NORMAL_ACCOUNT+ACCOUNTDISABLE)));
if(null!=sslCtx){
sslCtx.modifyAttributes(userDC, mods);
logger.error("禁用客户成功 userid:"+uid+" userDC:"+userDC);
}else {
logger.error("禁用客户失败,SSL失败 userid:"+uid+" userDC:"+userDC);
return getNoParamDataMessage("禁用客户失败,SSL失败");
}
mods = null;
}else {
String curDepDC = userDC.substring(userDC.indexOf(",") + 1, userDC.length());
String newDc = userDC;
if (!curDepDC.equals(departDC)) {//说明用户是要修改所在部门
newDc = userDC.substring(0, userDC.indexOf(",")) + "," + departDC;
ctx.rename(userDC, newDc);//换部门
}
//修改员工属性
//设置属性
Attributes attrs = new BasicAttributes();
attrs.put("displayName", lastName + firstName);
attrs.put("description", uid);
attrs.put("mail", email);
attrs.put("userPrincipalName", email);
if(null!=company&&!"".equals(company))
attrs.put("company", company);
if(null!=title&&!"".equals(title))
attrs.put("title", title);
if(null!=officePhone&&!"".equals(officePhone))
attrs.put("telephoneNumber", officePhone);
if(null!=mobile&&!"".equals(mobile))
attrs.put("mobile", mobile);
if(!isNullOrEmpty(managerDC))
attrs.put("manager",managerDC);
if(departDC.length()!=0) {
int ind1 = departDC.indexOf("=");
int ind2 = departDC.indexOf(",");
if(ind1!=-1 && ind2!=-1)
attrs.put(new BasicAttribute("department", departDC.substring(ind1+1,ind2)));
}
ctx.modifyAttributes(newDc, DirContext.REPLACE_ATTRIBUTE, attrs);
}
}
} else {//添加新用户
Attribute objclass = new BasicAttribute("objectclass");
objclass.add("top");
objclass.add("user");
Attributes attrs1 = new BasicAttributes();
attrs1.put(objclass);
attrs1.put(new BasicAttribute("givenname", firstName));
attrs1.put(new BasicAttribute("sn", lastName));
attrs1.put(new BasicAttribute("displayName", lastName + firstName));
attrs1.put(new BasicAttribute("description", uid));
attrs1.put(new BasicAttribute("mail", email));
if(departDC.length()!=0) {
int ind1 = departDC.indexOf("=");
int ind2 = departDC.indexOf(",");
if(ind1!=-1 && ind2!=-1)
attrs1.put(new BasicAttribute("department", departDC.substring(ind1+1,ind2)));
}
attrs1.put(new BasicAttribute("sAMAccountName", email.substring(0, email.indexOf("@"))));
attrs1.put(new BasicAttribute("userPrincipalName", email));
if(null!=company && !"".equals(company))
attrs1.put(new BasicAttribute("company", company));
if(null!=title && !"".equals(title))
attrs1.put(new BasicAttribute("title", title));
if(null!=officePhone && !"".equals(officePhone))
attrs1.put(new BasicAttribute("telephoneNumber", officePhone));
if(null!=mobile && !"".equals(mobile))
attrs1.put(new BasicAttribute("mobile", mobile));
if(!isNullOrEmpty(managerDC))
attrs1.put(new BasicAttribute("manager",managerDC));
String newDc = "CN=" + lastName + firstName + "," + departDC;//新用户的dn
ctx.createSubcontext(newDc,attrs1);
ModificationItem[] mods = new ModificationItem[2];
String newQuotedPassword = "\"" + COMMON_PASSWORD + "\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
new BasicAttribute("unicodePwd", newUnicodePassword));
mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
new BasicAttribute("userAccountControl",
Integer.toString(UF_NORMAL_ACCOUNT
+ UF_PASSWORD_EXPIRED + UF_PASSWD_NOTREQD)));
if(null!=sslCtx){
sslCtx.modifyAttributes(newDc, mods);
}
mods = null;
}
}catch (NameAlreadyBoundException ex){
logger.error("异常:uid:"+uid+" userDC:"+userDC+" ex:"+ex.getMessage());
}
catch (Exception e) {
logger.error("异常:uid:"+uid+" userDC:"+userDC+" ex:"+e.getMessage());
}
④删除用户
核心代码,查询到userDC后,执行:ctx.destroySubcontext(userDC);
⑤获取员工列表(传入上级部门编号)
与上面的代码雷同,省略
⑥获取部门列表(传入上级部门编号)
与上面的代码雷同,省略
原文地址:https://www.cnblogs.com/Lucy151213/p/11005298.html
时间: 2024-11-05 20:43:28