I am trying to configure the LDAP e-mail auto-complete feature built into Mozilla Thunderbird 17.0.5 on Windows 7 x64, in a 2008R2 domain environment. The OS is a fresh, out-of-the-box install in VBox. It seems I cannot get Kerberos authentication (native SSPI) to work.
I have configured the LDAP parameters correctly: I managed to authenticate in Thunderbird using the "Simple" authentication mode (where the application asks the user to enter domain credentials manually). In this mode auto-complete works.
However, whenever I switch to Kerberos authentication I get no auto-complete results. VBox shows some network activity after every letter typed in the address field, but nothing is returned.
This is the same for both a standard user account and a domain admin account.
As far as I can tell, this could be either a Thunderbird problem or a domain/Kerberos problem.
Judging by Google results, this Thunderbird feature is not very popular, but most of what I have read seems to confirm that it works in any domain environment with a default configuration. Since the domain controller was set up by a former employee, some domain features may have been reconfigured or disabled. I have never touched the built-in Kerberos.
Can anyone tell me what I should be looking for?
I tried debugging the Thunderbird client and got a log, which I post at the bottom. The log shows no errors, although I know almost nothing about the inner workings of Kerberos; as far as I can tell the client is trying to authenticate (InitializeSecurityContext: succeeded) but never seems to receive any answer. Yet TB does not return any error either.
Also, the log looks almost identical whether I configure the correct Bind DN ([email protected] is correct) or some completely random letters.
If I start Thunderbird after klist purge, the system seems to obtain new tickets correctly (krbtgt\domain.mydomain.com and LDAP\dc02.domain.mydomain.com).
0[e0f140]: nsAuthSSPI::Init
0[e0f140]: InitSSPI
0[e0f140]: Using SPN of [ldap/mydomain.com]
0[e0f140]: AcquireCredentialsHandle() succeeded.
0[e0f140]: entering nsAuthSSPI::GetNextToken()
0[e0f140]: InitializeSecurityContext: continue.
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
1428[e13ac0]: entering nsAuthSSPI::GetNextToken()
1428[e13ac0]: InitializeSecurityContext: succeeded.
1428[e13ac0]: pending operation added; total pending operations now = 1
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
1428[e13ac0]: pending operation added; total pending operations now = 1
0[e0f140]: nsAuthSSPI::Init
0[e0f140]: Using SPN of [ldap/mydomain.com]
0[e0f140]: AcquireCredentialsHandle() succeeded.
0[e0f140]: entering nsAuthSSPI::GetNextToken()
0[e0f140]: InitializeSecurityContext: continue.
0[e0f140]: pending operation added; total pending operations now = 2
1428[e13ac0]: pending operation removed; total pending operations now = 1
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
1428[e13ac0]: entering nsAuthSSPI::GetNextToken()
1428[e13ac0]: InitializeSecurityContext: succeeded.
1428[e13ac0]: pending operation added; total pending operations now = 1
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
1428[e13ac0]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsams*)(userPrincipalName=balsams*)(sn=balsams*)(cn=balsams*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsam*)(userPrincipalName=balsam*)(sn=balsam*)(cn=balsam*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsa*)(userPrincipalName=balsa*)(sn=balsa*)(cn=balsa*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=bals*)(userPrincipalName=bals*)(sn=bals*)(cn=bals*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=bal*)(userPrincipalName=bal*)(sn=bal*)(cn=bal*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=bals*)(userPrincipalName=bals*)(sn=bals*)(cn=bals*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsa*)(userPrincipalName=balsa*)(sn=balsa*)(cn=balsa*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsam*)(userPrincipalName=balsam*)(sn=balsam*)(cn=balsam*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: unbinding
0[e0f140]: unbound
0[e0f140]: unbinding
0[e0f140]: unbound
It works! The answer was very simple after all, even though I found it blindly:
The Bind DN field must be empty! Once you set the Bind DN attribute to empty, it works!
Note that there are some additional hurdles:
mydomain.com) as the LDAP server address. You need to use a specific DC name (i.e. dc03.mydomain.com). Since the TB config file is JavaScript code, I will try to add several DCs to an array and randomize ldap_2.servers.MyCompany.uri on every start.
ldap_2.servers.MyCompany.autoComplete.filterTemplate is the auto-complete match query, e.g. (|(mail=%v*)(userPrincipalName=%v*)(sn=%v*)(cn=%v*)), where %v stands for all the letters you have already typed into the address box.
ldap_2.servers.MyCompany.autoComplete.nameFormat is the "nice name" for the e-mail address (i.e. first name and surname); you must give the LDAP field names in square brackets, i.e. [givenName] [sn].
ldap_2.servers.MyCompany.autoComplete.commentFormat is an additional column in the auto-complete drop-down that can be used for other information such as the organizational unit, if you store it in AD LDAP.
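The following is an added example, not code from the original answer or from Thunderbird itself. It shows the randomized-DC idea from the answer as an AutoConfig-style preference script (the kind Thunderbird executes from mozilla.cfg when general.config.filename points at it), writing the LDAP auto-complete prefs discussed above with an empty Bind DN and SASL/GSSAPI for Kerberos. It also refuses the bare domain name as the LDAP host, because the posted log shows an SPN of ldap/mydomain.com, which is not an SPN any individual DC registers. The pref names not quoted in the answer (.uri, .auth.dn, .auth.saslmech, .description, .maxHits, ldap_2.autoComplete.*), the ldap://host:port/base??scope URI layout, the DC host names and the [department] attribute are assumptions, not taken from the page.

```javascript
// Added example; not the original answer's code and not Thunderbird's own code.
// AutoConfig-style Thunderbird pref script: pick one DC per start, write the
// LDAP auto-complete prefs, keep the Bind DN empty and use GSSAPI (SSPI).
// Pref names other than the autoComplete.* ones quoted in the answer, and the
// ldap://host:port/base??scope URI layout, are assumptions from memory.
// Outside Thunderbird (e.g. Node) the script prints the prefs instead.
"use strict";

// Constructed sample values; replace with your own.
const SERVER_KEY = "ldap_2.servers.MyCompany";
const DOMAIN = "mydomain.com";
const DOMAIN_CONTROLLERS = ["dc02.mydomain.com", "dc03.mydomain.com"]; // assumed
const BASE_DN = "OU=MyContainer,DC=mydomain,DC=com";

// The answer's finding: the LDAP server must be a DC host name, never the bare
// domain name. Fail loudly instead of silently getting empty result lists.
function assertDcHostname(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  if (h === d || !h.endsWith("." + d)) {
    throw new Error(`LDAP host must be a DC FQDN inside ${domain}, got ${host}`);
  }
  return host;
}

// Choose one DC per start; `random` is injectable so the choice can be made
// deterministic (e.g. in a test).
function pickDc(dcs, random = Math.random) {
  if (dcs.length === 0) throw new Error("no domain controllers configured");
  const i = Math.min(dcs.length - 1, Math.floor(random() * dcs.length));
  return dcs[i];
}

// Build the complete pref set for one directory server.
function buildLdapPrefs(dc, baseDn, key = SERVER_KEY, domain = DOMAIN) {
  assertDcHostname(dc, domain);
  return {
    [`${key}.description`]: "MyCompany AD",
    // Assumed URI layout: ldap://host:port/baseDN??scope
    [`${key}.uri`]: `ldap://${dc}:389/${baseDn}??sub`,
    // Kerberos through SASL/GSSAPI (SSPI on Windows); Bind DN stays empty.
    [`${key}.auth.saslmech`]: "GSSAPI",
    [`${key}.auth.dn`]: "",
    [`${key}.maxHits`]: 100,
    [`${key}.autoComplete.filterTemplate`]:
      "(&(objectClass=person)(|(mail=%v*)(userPrincipalName=%v*)(sn=%v*)(cn=%v*)))",
    [`${key}.autoComplete.nameFormat`]: "[givenName] [sn]",
    [`${key}.autoComplete.commentFormat`]: "[department]", // assumed attribute
    "ldap_2.autoComplete.useDirectory": true,
    "ldap_2.autoComplete.directoryServer": key,
  };
}

// What the template expands to for a typed prefix. Thunderbird performs the
// substitution itself; this helper only reproduces it (adding RFC 4515 escaping
// of the typed text so no extra filter syntax can ride in through %v) so the
// result can be compared with the aFilter lines of the posted log.
function renderFilter(template, typed) {
  const escaped = typed.replace(/[\\*()\0]/g, (c) =>
    "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"));
  return template.split("%v").join(escaped);
}

// Inside Thunderbird AutoConfig the global pref() exists; elsewhere, print.
const setPref = typeof pref === "function"
  ? pref
  : (k, v) => console.log(k, "=", JSON.stringify(v));
for (const [k, v] of Object.entries(buildLdapPrefs(pickDc(DOMAIN_CONTROLLERS), BASE_DN))) {
  setPref(k, v);
}
```

Because the DC is chosen inside the script, it changes on every Thunderbird start without any user.js edits; the filter that renderFilter produces for "balsams" is exactly the aFilter value in the log above, which is a quick way to confirm the template is the one you intended.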