SECURITY_PRINCIPAL必须是您要验证的用户的完整DN.

The SECURITY_PRINCIPAL needs to be the entire DN of the user you are authenticating as.

通常，您必须使用用户的某些唯一属性(例如，他的电子邮件地址)对DIT进行事先搜索，以查找到该信息，并且通常您必须作为内置在具有权限的DIT中的其他管理用户身份进行身份验证进行搜索.然后，找到DN后，您就可以更改SECURITY_PRINCIPAL并重新连接.

Usually you have to do a prior search of the DIT to find that, using some unique attribute of the user such as his email address, and usually you have to authenticate as some other administrative user built into the DIT that has the rights to do that search. Then, when you've found the DN, you change the SECURITY_PRINCIPAL and do a reconnect.