Active Directory:Thunderbird LDAP 自動完成功能不適用於 Kerberos 身份驗證
問題:
我正在嘗試配置LDAP 郵件自動完成- Mozilla Thunderbird 17.0.5 @ Windows 7 x64 在 2008R2 域環境中的內置功能。該作業系統是在 VBox 上全新的、開箱即用的安裝。看來我無法讓它與 Kerberos 身份驗證(本機 SSPI)一起使用。
我已經正確配置了 LDAP 參數 - 我已經成功地驗證了在 Thunderbird 中使用“簡單”身份驗證模式(其中應用程序要求使用者手動輸入域憑據)。在這種模式下,TB 自動完成功能有效。
然而,每當我切換到 Kerberos 身份驗證時,我都沒有得到自動完成結果。VBox 在我在地址欄位中鍵入每個字母后顯示一些網路活動,但沒有返回任何結果。
這對標準使用者帳戶和域管理員帳戶都有效。
問題:
據我所知,這可能是 Thunderbird 的一些問題,也可能是域/kerberos 問題。
根據Google的結果,Thunderbird 的這個功能並不是很受歡迎,但我讀過的大部分內容似乎都證明這應該在任何預設配置的域環境中工作。由於域控制器是由前員工設置的,因此域的某些功能可能被重新配置或禁用。我從未接觸過內置的 Kerberos。
誰能告訴我,我應該尋找什麼?
調試:
我嘗試調試 Thunderbird 客戶端並在底部發布了一個日誌。日誌顯示沒有錯誤,儘管我對 Kerberos 的內部工作幾乎一無所知,但據我所知,客戶端正在嘗試進行身份驗證(
InitializeSecurityContext: succeeded
)但似乎從未收到任何答案。然而 TB 也沒有返回錯誤。此外,無論我配置正確的
Bind DN
名稱(username@mydomain.com
是正確的名稱)還是一些完全隨機的字母,日誌似乎都幾乎相同。如果我在 之後啟動 Thunderbird
klist purge
,似乎系統正確獲取了新票(krbtgt\domain.mydomain.com
和LDAP\dc02.domain.mydomain.com
)。雷鳥日誌:
0[e0f140]: nsAuthSSPI::Init 0[e0f140]: InitSSPI 0[e0f140]: Using SPN of [ldap/mydomain.com] 0[e0f140]: AcquireCredentialsHandle() succeeded. 0[e0f140]: entering nsAuthSSPI::GetNextToken() 0[e0f140]: InitializeSecurityContext: continue. 0[e0f140]: pending operation added; total pending operations now = 1 1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed 1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0 1428[e13ac0]: entering nsAuthSSPI::GetNextToken() 1428[e13ac0]: InitializeSecurityContext: succeeded. 1428[e13ac0]: pending operation added; total pending operations now = 1 1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed 1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0 1428[e13ac0]: pending operation added; total pending operations now = 1 0[e0f140]: nsAuthSSPI::Init 0[e0f140]: Using SPN of [ldap/mydomain.com] 0[e0f140]: AcquireCredentialsHandle() succeeded. 0[e0f140]: entering nsAuthSSPI::GetNextToken() 0[e0f140]: InitializeSecurityContext: continue. 0[e0f140]: pending operation added; total pending operations now = 2 1428[e13ac0]: pending operation removed; total pending operations now = 1 1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed 1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0 1428[e13ac0]: entering nsAuthSSPI::GetNextToken() 1428[e13ac0]: InitializeSecurityContext: succeeded. 1428[e13ac0]: pending operation added; total pending operations now = 1 1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed 1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0 1428[e13ac0]: pending operation added; total pending operations now = 1 1428[e13ac0]: pending operation removed; total pending operations now = 0 0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsams*)(userPrincipalName=balsams*)(sn=balsams*)(cn=balsams*)))'; aAttributes = a,sn,mail; aSizeLimit = 100 0[e0f140]: pending operation added; total pending operations now = 1 1428[e13ac0]: pending operation removed; total pending operations now = 0 0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsam*)(userPrincipalName=balsam*)(sn=balsam*)(cn=balsam*)))'; aAttributes = a,sn,mail; aSizeLimit = 100 0[e0f140]: pending operation added; total pending operations now = 1 1428[e13ac0]: pending operation removed; total pending operations now = 0 0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsa*)(userPrincipalName=balsa*)(sn=balsa*)(cn=balsa*)))'; aAttributes = a,sn,mail; aSizeLimit = 100 0[e0f140]: pending operation added; total pending operations now = 1 1428[e13ac0]: pending operation removed; total pending operations now = 0 0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=bals*)(userPrincipalName=bals*)(sn=bals*)(cn=bals*)))'; aAttributes = a,sn,mail; aSizeLimit = 100 0[e0f140]: pending operation added; total pending operations now = 1 1428[e13ac0]: pending operation removed; total pending operations now = 0 0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=bal*)(userPrincipalName=bal*)(sn=bal*)(cn=bal*)))'; aAttributes = a,sn,mail; aSizeLimit = 100 0[e0f140]: pending operation added; total pending operations now = 1 1428[e13ac0]: pending operation removed; total pending operations now = 0 0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=bals*)(userPrincipalName=bals*)(sn=bals*)(cn=bals*)))'; aAttributes = a,sn,mail; aSizeLimit = 100 0[e0f140]: pending operation added; total pending operations now = 1 1428[e13ac0]: pending operation removed; total pending operations now = 0 0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsa*)(userPrincipalName=balsa*)(sn=balsa*)(cn=balsa*)))'; aAttributes = a,sn,mail; aSizeLimit = 100 0[e0f140]: pending operation added; total pending operations now = 1 1428[e13ac0]: pending operation removed; total pending operations now = 0 0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsam*)(userPrincipalName=balsam*)(sn=balsam*)(cn=balsam*)))'; aAttributes = a,sn,mail; aSizeLimit = 100 0[e0f140]: pending operation added; total pending operations now = 1 1428[e13ac0]: pending operation removed; total pending operations now = 0 0[e0f140]: unbinding 0[e0f140]: unbound 0[e0f140]: unbinding 0[e0f140]: unbound
有用!答案其實很簡單,雖然我是瞎拍的:
該
Bind DN
欄位必須為空!將 Bind DN 屬性設置為空後,它就可以工作了!
請注意,還有一些額外的障礙:
Tou 不能使用您的域名(例如
mydomain.com
)作為 LDAP 伺服器地址。您需要專門使用單個 DC 名稱(即。dc03.mydomain.com
)。由於 TB 配置文件是一個 javscript 程式碼,我將嘗試將幾個 DC 添加到某個數組並ldap_2.servers.MyCompany.uri
在每次啟動時隨機化。用於聯繫人匹配的內置 LDAP 查詢並非最適合 Active Directory。您可以使用以下變數來自定義過濾器字元串:
ldap_2.servers.MyCompany.autoComplete.filterTemplate
是一個自動完成匹配查詢,例如。(|(mail=%v*)(userPrincipalName=%v*)(sn=%v*)(cn=%v*))
,%v
代表您已經在地址框中輸入的所有字母,ldap_2.servers.MyCompany.autoComplete.nameFormat
是電子郵件地址的“好名字”(即姓名和姓氏),您必須在方括號中提供 LDAP 欄位名稱,即:[givenName] [sn]
ldap_2.servers.MyCompany.autoComplete.commentFormat
是自動完成下拉列表中的附加列,可用於一些附加資訊,如組織單位 - 如果您將其儲存在 AD LDAP 中。