Active Directory: Thunderbird LDAP autocomplete does not work with Kerberos authentication


Problem:

I am trying to configure LDAP mail autocomplete, a built-in feature of Mozilla Thunderbird 17.0.5, on Windows 7 x64 in a 2008R2 domain environment. The OS is a fresh out-of-the-box install on VBox. It seems I cannot get it to work with Kerberos authentication (native SSPI).

I have configured the LDAP parameters correctly; I verified this successfully using the "Simple" authentication mode in Thunderbird (which requires the user to enter domain credentials manually). In that mode, TB autocomplete works.

However, whenever I switch to Kerberos authentication, I get no autocomplete results. After every letter I type into the address field, VBox shows some network activity, but no results come back.

This behaves the same for a standard user account and for a domain administrator account.

Question:

As far as I can tell, this could be some Thunderbird issue, or it could be a domain/Kerberos issue.

Judging by Google search results, this Thunderbird feature is not popular, but most of what I have read seems to confirm that it should work in any default-configured domain environment. Since the domain controllers were set up by a former employee, some domain features may have been reconfigured or disabled. I have never touched the built-in Kerberos.

Can anyone suggest what I should be looking for?

Debugging:

I tried debugging the Thunderbird client and got a log, which I will post at the bottom. The log shows no errors, and although I know almost nothing about the inner workings of Kerberos, as far as I can tell the client is trying to authenticate (InitializeSecurityContext: succeeded) but never seems to receive any reply. Yet TB does not return any error either.

Also, whether I configure the correct Bind DN ([email protected] is correct) or some completely random letters, the log looks almost identical.

If I start Thunderbird after a klist purge, the system seems to obtain new tickets correctly (krbtgt\domain.mydomain.com and LDAP\dc02.domain.mydomain.com).

Thunderbird log:

0[e0f140]:   nsAuthSSPI::Init
0[e0f140]:   InitSSPI
0[e0f140]: Using SPN of [ldap/mydomain.com]
0[e0f140]: AcquireCredentialsHandle() succeeded.
0[e0f140]: entering nsAuthSSPI::GetNextToken()
0[e0f140]: InitializeSecurityContext: continue.
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
1428[e13ac0]: entering nsAuthSSPI::GetNextToken()
1428[e13ac0]: InitializeSecurityContext: succeeded.
1428[e13ac0]: pending operation added; total pending operations now = 1
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
1428[e13ac0]: pending operation added; total pending operations now = 1
0[e0f140]:   nsAuthSSPI::Init
0[e0f140]: Using SPN of [ldap/mydomain.com]
0[e0f140]: AcquireCredentialsHandle() succeeded.
0[e0f140]: entering nsAuthSSPI::GetNextToken()
0[e0f140]: InitializeSecurityContext: continue.
0[e0f140]: pending operation added; total pending operations now = 2
1428[e13ac0]: pending operation removed; total pending operations now = 1
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
1428[e13ac0]: entering nsAuthSSPI::GetNextToken()
1428[e13ac0]: InitializeSecurityContext: succeeded.
1428[e13ac0]: pending operation added; total pending operations now = 1
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed
1428[e13ac0]: nsLDAPConnection::RemovePendingOperation(): operation removed; total pending operations now = 0
1428[e13ac0]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsams*)(userPrincipalName=balsams*)(sn=balsams*)(cn=balsams*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsam*)(userPrincipalName=balsam*)(sn=balsam*)(cn=balsam*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsa*)(userPrincipalName=balsa*)(sn=balsa*)(cn=balsa*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=bals*)(userPrincipalName=bals*)(sn=bals*)(cn=bals*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=bal*)(userPrincipalName=bal*)(sn=bal*)(cn=bal*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=bals*)(userPrincipalName=bals*)(sn=bals*)(cn=bals*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsa*)(userPrincipalName=balsa*)(sn=balsa*)(cn=balsa*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: nsLDAPOperation::SearchExt(): called with aBaseDn = 'OU=MyContainer,DC=mydomain,DC=com'; aFilter = '(&(objectClass=person)(|(mail=balsam*)(userPrincipalName=balsam*)(sn=balsam*)(cn=balsam*)))'; aAttributes = a,sn,mail; aSizeLimit = 100
0[e0f140]: pending operation added; total pending operations now = 1
1428[e13ac0]: pending operation removed; total pending operations now = 0
0[e0f140]: unbinding
0[e0f140]: unbound
0[e0f140]: unbinding
0[e0f140]: unbound

Answer 1

It works! The answer is actually very simple, although I found it blindly:

The Bind DN field must be empty!

Once the Bind DN attribute is set to empty, it works!

Note that there are still some additional hurdles:

  • You cannot use your domain name (e.g. mydomain.com) as the LDAP server address. You need to use a specific single DC name (i.e. dc03.mydomain.com). Since TB config files are JavaScript code, I will try to add multiple DCs to some array and randomize ldap_2.servers.MyCompany.uri on each startup.
  • The built-in LDAP query used for contact matching does not work with Active Directory. You can customize the filter string with the following variables:
    • ldap_2.servers.MyCompany.autoComplete.filterTemplate is the autocomplete matching query, e.g. (|(mail=%v*)(userPrincipalName=%v*)(sn=%v*)(cn=%v*)), where %v stands for all the letters you have already typed into the address box,
    • ldap_2.servers.MyCompany.autoComplete.nameFormat is the "nice name" for the email address (i.e. first and last name); you have to provide the LDAP field names in square brackets, i.e.: [givenName] [sn]
    • ldap_2.servers.MyCompany.autoComplete.commentFormat is an additional column in the autocomplete dropdown that can be used to store some extra information, such as the organizational unit, if you store it in AD LDAP.
