LDAP
Whether it is OpenLDAP or an AD server, both fundamentally work over the LDAP protocol, so either can be verified with plain LDAP commands, for example by using ldapsearch to look up your own entry and check whether you exist on the LDAP server:
ldapsearch -h $LDAP_URL -p $LDAP_PORT -x -D "$DN" -w "$DN_PASSWORD" -b "$DN"
An example
Account disabled
On my AD server (address 192.168.111.118, domain baoxian-sz.com) there is an account user01 in the Users container; it is a disabled account. We can try the following command:
ldapsearch -h 192.168.111.118 -p 389 -x -D "cn=user01,cn=users,dc=baoxian-sz,dc=com" -w "www.baoxian-sz.com" -b "cn=user01,cn=users,dc=baoxian-sz,dc=com"
It returns an invalid-credentials error:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1
Account enabled
If the account is enabled, running the same command returns all of the account's attributes:
# extended LDIF
#
# LDAPv3
# base <cn=user01,cn=users,dc=baoxian-sz,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# user01, Users, baoxian-sz.com
dn: CN=user01,CN=Users,DC=baoxian-sz,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user01
givenName: user01
distinguishedName: CN=user01,CN=Users,DC=baoxian-sz,DC=com
instanceType: 4
whenCreated: 20200228031855.0Z
whenChanged: 20200228055920.0Z
displayName: dc01
uSNCreated: 145644
uSNChanged: 145695
name: user01
objectGUID:: lILkqpySxEu5zTQpaWC5Xg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132273431449056823
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAeKBQMDhffSPsV2PORhkAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user01
sAMAccountType: 805306368
userPrincipalName: user01@baoxian-sz.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=baoxian-sz,DC=com
dSCorePropagationData: 20200228031855.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 132273335624484516
msDS-SupportedEncryptionTypes: 0
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
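The two outcomes above can be told apart mechanically. An added example, not code from the original post: a small shell helper that classifies the self-bind result. Every failed simple bind against AD comes back as LDAP result 49, so the distinguishing value is the "data NNN" sub-status on the "additional info" line (533 means the account is disabled); the sub-status table and the userAccountControl bit values are the ones Microsoft documents, and the sample error string is constructed from the disabled-account case above.

```shell
# Added example: classify the result of the self-bind ldapsearch from the post.
# AD returns LDAP result 49 for every failed simple bind; the "data NNN"
# sub-status on the "additional info" line is what identifies the cause.
ad_bind_status() {
    # $1 = captured ldapsearch output (stdout and stderr together)
    code=$(printf '%s\n' "$1" |
        sed -n 's/.*AcceptSecurityContext error, data \([0-9a-fA-F]*\),.*/\1/p' |
        head -n 1)
    # Sub-status values documented by Microsoft for AcceptSecurityContext
    case "$code" in
        "")   echo "unknown:no-substatus" ;;
        525)  echo "user-not-found" ;;
        52e)  echo "invalid-credentials" ;;
        530)  echo "logon-time-restriction" ;;
        531)  echo "workstation-restriction" ;;
        532)  echo "password-expired" ;;
        533)  echo "account-disabled" ;;
        701)  echo "account-expired" ;;
        773)  echo "password-must-change" ;;
        775)  echo "account-locked" ;;
        *)    echo "unknown:$code" ;;
    esac
}

# Decode the userAccountControl bit field from a successful search; the value
# 66048 shown above is NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536).
uac_decode() {
    v=$1; out=""
    if [ $((v & 2)) -ne 0 ];       then out="$out ACCOUNTDISABLE"; fi
    if [ $((v & 16)) -ne 0 ];      then out="$out LOCKOUT"; fi
    if [ $((v & 512)) -ne 0 ];     then out="$out NORMAL_ACCOUNT"; fi
    if [ $((v & 65536)) -ne 0 ];   then out="$out DONT_EXPIRE_PASSWORD"; fi
    if [ $((v & 8388608)) -ne 0 ]; then out="$out PASSWORD_EXPIRED"; fi
    printf '%s\n' "${out# }"
}

# Run the post's command against a live server and classify (needs ldapsearch).
ad_check_account() {
    # $1 host, $2 port, $3 bind DN, $4 password; the bind DN is also the search base
    if out=$(ldapsearch -h "$1" -p "$2" -x -D "$3" -w "$4" -b "$3" 2>&1); then
        echo "bind-ok"
    else
        ad_bind_status "$out"
    fi
}

# Constructed sample: the bind error the post shows for the disabled user01.
sample_err='ldap_bind: Invalid credentials (49)
    additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1'
```

Call `ad_check_account 192.168.111.118 389 "cn=user01,cn=users,dc=baoxian-sz,dc=com" "$PASSWORD"` to get a one-word status instead of reading the raw error by eye.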