如何使用 Java 删除 Active Directory 中的用户

Question

我已经实现了在 AD 中启用、创建和禁用用户的功能。我还需要确保我可以使用 Java 删除 AD 中的用户。 下面是一些相关代码，有人可以告诉我如何删除AD中的用户吗？ 我更喜欢使用原始的java代码来实现这个。

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

public class LDAPTool {

/**
 * 
 * @param attrs
 * @param propertyName
 * @return the value of the property.
 */
public static String getString(Attributes attrs, String propertyName) {
    String value = "";

    if (null != attrs) {
        Attribute attr = attrs.get(propertyName);
        if (null != attr) {
            value = String.valueOf(attr);
            value = value.substring(value.indexOf(": ") + 2).trim();
        }
    }

    return value;
}

/**
 * 
 * @param host
 * @param port
 * @param username
 * @param password
 * @return 
 * @return true if passed the authenticate, or else false.
 * @throws NamingException 
 */
public static void authenticate(String host, int port, String username, String password) 
        throws NamingException {

    LdapContext ctx = getLdapContext(host, port, username, password);
    if(null != ctx){
        ctx.close();
    }

}

/**
 * 
 * @param host
 *            host name or IP address
 * @param port
 *            port for LDAP protocol
 * @param username
 * @param password
 * @return the LDAP context
 * @throws NamingException
 */
public static LdapContext getLdapContext(String host, int port, String username, String password)
        throws NamingException {

    Hashtable<String, String> env = new Hashtable<String, String>();

    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, username);
    env.put(Context.SECURITY_CREDENTIALS, password);
    env.put("java.naming.ldap.attributes.binary", "tokenGroups");
    env.put("java.naming.ldap.attributes.binary", "objectSID");

    LdapContext ctx = new InitialLdapContext(env, null);
    return ctx;
}
public static boolean isDisabled(LdapContext ctx, String username, String baseDn) throws NamingException, IOException  {

    boolean disabled = false;

    String filter = "sAMAccountName=" + username;
    SearchControls searchCtls = new SearchControls();
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

    searchCtls.setCountLimit(1);

    searchCtls.setTimeLimit(0);

    // We want 500 results per request.
    ctx.setRequestControls(new Control[] { new PagedResultsControl(1,
            Control.CRITICAL) });

    // We only want to retrieve the "distinguishedName" attribute.
    // You can specify other attributes/properties if you want here.
    String returnedAtts[] = { "userAccountControl" };
    searchCtls.setReturningAttributes(returnedAtts);

    NamingEnumeration<SearchResult> answer = ctx.search(baseDn, filter,
            searchCtls);

    // Loop through the search results.
    if (answer.hasMoreElements()) {
        SearchResult sr = answer.next();
        Attributes attr = sr.getAttributes();
        long userAccountControl = Long.parseLong(getString(attr, returnedAtts[0]));
        if(isDisabled(userAccountControl)){
            disabled = true;
        }
    }
    return disabled;

}

/**
 * Remove the user from group.
 * 
 * @param ctx
 * @param userDn
 * @param groupDn
 * @return
 * @throws NamingException 
 * @throws Exception
 */
public static void removeFromGroup(LdapContext ctx, String userDn, String groupDn) 
        throws NamingException {

    ModificationItem[] mods = new ModificationItem[1];
    mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("member", userDn));
    ctx.modifyAttributes(groupDn, mods);

}

/**
 * Disable the account
 * 
 * @param ctx
 * @param dn
 * @throws NamingException
 */
public static void disableUser(LdapContext ctx, String dn)
        throws NamingException {

    ModificationItem[] mods = new ModificationItem[1];
    mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
            new BasicAttribute(USER_ACCOUNT_CONTROL_ATTR_NAME,
                    ""+USER_CONTROL_VALUE_DISABLED));
    ctx.modifyAttributes(dn, mods);

}
}

谢谢。

Answer 1

要从上下文中删除用户，您基本上需要使用javax.naming.Context#unbind 功能。

所以你的方法应该如下所示：

/**
 * Remove the account
 * 
 * @param ctx
 * @param dn
 * @throws NamingException
 */
public static void removeUser(LdapContext ctx, String dn) throws NamingException {
    ctx.unbind(dn); //that's all
}

这是一个小例子：http://www.java2s.com/Code/Java/JNDI-LDAP/howtoremoveabinding.htm

Answer 2

以下示例使用UnboundID LDAP SDK 删除条目：

try {
    final LDAPConnection ldapConnection =
       new LDAPConnection(hostname,port,bindDN,bindPassword);
    final DeleteRequest deleteRequest =
       new DeleteRequest("cn=entry to delete,dc=example,dc=com");
    try {
         LDAPResult deleteResult = connection.delete(deleteRequest);
         System.out.println("The entry was successfully deleted.");
    } catch (LDAPException le) {
        // The delete request failed
    } finally {
        ldapConnection.close();
    }
} catch(final LDAPException ex) {
     // failed to connect to to the server
}