I need to check through LDAP if an ActiveDirectory user has the PASSWD_CANT_CHANGE flag set. I found the UserAccountControl attribute (https://learn.microsoft.com/it-it/windows/desktop/ADSchema/a-useraccountcontrol): it works for all other flags but it doesn't work for this flag. I only need to read it, not to write.
I'm using Java with UnboundID LDAP SDK (https://ldap.com/unboundid-ldap-sdk-for-java/).
Here is my JUnit test code.
public static enum UACFlags {
SCRIPT(0x0001),
ACCOUNTDISABLE(0x0002),
HOMEDIR_REQUIRED(0x0008),
LOCKOUT(0x0010),
PASSWD_NOTREQD(0x0020),
PASSWD_CANT_CHANGE(0x0040),
ENCRYPTED_TEXT_PWD_ALLOWED(0x0080),
TEMP_DUPLICATE_ACCOUNT(0x0100),
NORMAL_ACCOUNT(0x0200),
INTERDOMAIN_TRUST_ACCOUNT(0x0800),
WORKSTATION_TRUST_ACCOUNT(0x1000),
SERVER_TRUST_ACCOUNT(0x2000),
DONT_EXPIRE_PASSWORD(0x10000),
MNS_LOGON_ACCOUNT(0x20000),
SMARTCARD_REQUIRED(0x40000),
TRUSTED_FOR_DELEGATION(0x80000),
NOT_DELEGATED(0x100000),
USE_DES_KEY_ONLY(0x200000),
DONT_REQ_PREAUTH(0x400000),
PASSWORD_EXPIRED(0x800000),
TRUSTED_TO_AUTH_FOR_DELEGATION(0x1000000);
private int flag;
private UACFlags(int flag) {
this.flag = flag;
}
}
#Test
public void testLDAP() throws LDAPException {
LDAPConnection connection = //GET CONNECTION
String username = "....";
String search = "(sAMAccountName=" + username + ")";
SearchRequest request = new SearchRequest("DC=....,DC=....", SearchScope.SUB, search, SearchRequest.ALL_USER_ATTRIBUTES);
SearchResult result = connection.search(request);
SearchResultEntry entry = result.getSearchEntries().get(0);
Attribute a = entry.getAttribute("userAccountControl");
int val = a.getValueAsInteger();
System.out.println(Integer.toHexString(val));
EnumSet<UACFlags> flags = EnumSet.noneOf(UACFlags.class);
for (UACFlags f : UACFlags.values()) {
if ((val & f.flag) == f.flag) {
flags.add(f);
}
}
System.out.println("FLAGS: " + flags);
}
I set up the flag on AD Users and Computers and it works as expected. I only want to check the flag programmatically, using Java and LDAP. Other solutions than UserAccountControl attribute are ok!
Thanks!!
That is, unfortunately, expected.
Microsoft uses the ADS_USER_FLAG_ENUM enumeration in a couple places:
The userAccountControl attribute when using LDAP, and
The userFlags property when using the WinNT provider.
The ADS_UF_PASSWD_CANT_CHANGE flag can only be used when using the WinNT provider, which I'm not sure you can do from Java.
When you click that 'User cannot change password' checkbox in AD Users and Computers, it doesn't actually change the userAccountControl attribute. In reality, it adds two permissions on the account:
Deny Change Password to 'Everyone'
Deny Change Password to 'SELF'
There is a description of how to look for those permissions here, but the examples are in C++ and VBScript. I don't know how to view the permissions in Java. It seems difficult and I can't find any real examples.
UPDATE
Appears from AD 2008 on that this is not a "real" value; but rather an ACE within the ACL of the entry.
THIS NO LONGER WORKS
As far as I can tell.
Microsoft Active Directory has a neat Extensible matching value that should work called LDAP_MATCHING_RULE_BIT_AND
So a simple LDAP Query Filter like:
(userAccountControl:1.2.840.113556.1.4.803:=64)
Should do the trick.
Related
We've migrated from adal4j to msal4j in our java web applications.
All works well but the big difference is that when the user is already logged (maybe in other applications but same browser session) we always see the "select user" page and the user is not logged automatically and redirected to redirect uri as before with adal4j.
This is how we redirect to autentication page:
private static void redirectToAuthorizationEndpoint(IdentityContextAdapter contextAdapter) throws IOException {
final IdentityContextData context = contextAdapter.getContext();
final String state = UUID.randomUUID().toString();
final String nonce = UUID.randomUUID().toString();
context.setStateAndNonce(state, nonce);
contextAdapter.setContext(context);
final ConfidentialClientApplication client = getConfidentialClientInstance();
AuthorizationRequestUrlParameters parameters = AuthorizationRequestUrlParameters
.builder(props.getProperty("aad.redirectURI"), Collections.singleton(props.getProperty("aad.scopes"))).responseMode(ResponseMode.QUERY)
.prompt(Prompt.SELECT_ACCOUNT).state(state).nonce(nonce).build();
final String authorizeUrl = client.getAuthorizationRequestUrl(parameters).toString();
contextAdapter.redirectUser(authorizeUrl);
}
I've tried to remove .prompt(Prompt.SELECT_ACCOUNT)
but I receive an error
Any ideas?
• You might be getting the option for selecting the user account after switching to MSAL4J in your browser even after the SSO is enabled because either clearing the token cache is enabled in your code or MsalInteractionRequiredException option is thrown and specified accordingly due to which the application asks for a token interactively.
Thus, please check which accounts information is stored in the cache as below: -
ConfidentialClientApplication pca = new ConfidentialClientApplication.Builder(
labResponse.getAppId()).
authority(TestConstants.ORGANIZATIONS_AUTHORITY).
build();
Set<IAccount> accounts = pca.getAccounts().join(); ’
Then, from the above information, if you want to remove the accounts whose prompts you don’t want to see during the user account selection such that the default account should get selected and signed in automatically, execute the below code by modifying the required information: -
Set<IAccount> accounts = pca.getAccounts().join();
IAccount accountToBeRemoved = accounts.stream().filter(
x -> x.username().equalsIgnoreCase(
UPN_OF_USER_TO_BE_REMOVED)).findFirst().orElse(null);
pca.removeAccount(accountToBeRemoved).join();
• And for the MsalInteractiveRequiredException class in the code, kindly refer to the below official documentation link for the AcquireTokenSilently and other reasons responsible for the behaviour. Also, refer to the sample code given below for your reference regarding the same: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-error-handling-java#msalinteractionrequiredexception
IAuthenticationResult result;
try {
ConfidentialClientApplication application =
ConfidentialClientApplication
.builder("clientId")
.b2cAuthority("authority")
.build();
SilentParameters parameters = SilentParameters
.builder(Collections.singleton("scope"))
.build();
result = application.acquireTokenSilently(parameters).join();
}
catch (Exception ex){
if(ex instanceof MsalInteractionRequiredException){
// AcquireToken by either AuthorizationCodeParameters or DeviceCodeParameters
} else{
// Log and handle exception accordingly
}
}
First i want to explain what i want to do and how the code is looking:
I want to add a User via JNDI on my LDAP with JAVA, i added following code:
public void addUser(String firstName, String lastName, String number) throws NamingException {
Properties initialProperties = new Properties();
initialProperties.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
initialProperties.put(Context.PROVIDER_URL, "***");
initialProperties.put(Context.SECURITY_AUTHENTICATION, "simple");
initialProperties.put(Context.SECURITY_PRINCIPAL, "***");
initialProperties.put(Context.SECURITY_CREDENTIALS, "***");
DirContext context = new InitialDirContext(initialProperties);
BasicAttributes attributes = new BasicAttributes();
Attribute attribute = new BasicAttribute("objectClass");
attribute.add("top");
attribute.add("person");
attribute.add("organizationalPerson");
attribute.add("inetOrgPerson");
Attribute sn = new BasicAttribute("sn");
Attribute cn = new BasicAttribute("cn");
sn.add(lastName);
cn.add(firstName);
attributes.put(sn);
attributes.put(cn);
attributes.put(attribute);
try {
context.createSubcontext("***", attributes);
} catch(NamingException e) {
e.printStackTrace();
}
}
When i call the method i get following error:
javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031528D2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Which makes no sense in my point of view because i created two other methods, one for getting all the users which works and one for editing a user which works too, so i have the rights to read and write a user, but when i want to create a user it says i have no permission ?
Do anyone else had this problem?
Is there any configuration on the Administrator user necessary on the LDAP? But the Administrator should be have all rights?
I hope anyone can help me! :)
Greetings,
Fabian.
so i have the rights to read and write a user, but when i want to create a user it says i have no permission
Read, write and create are 3 separate permissions. A user can have write permissions to existing objects, but not have permission to create a new object. Those permissions can be set differently on each OU.
we required to fetch all user of dynamic group from LDAP server in Our Java based application.
below is my dynamic group url:
ldap:///ou=testou,o=test.com??sub?(&(|(atype=*Abc Company*)(atype=*def Company*)(ctype=test))(enabled=1)(!(sgroup=*testgrp*))(!(|(op=ABC)(bdesc=*abcdef*))))
when i provided filter from above url in JXplore, i am able to get user group which is available in this dynamic group but when i provide same filter in below java code LDAP is not returning any result. If i provided simple filter like cn=a* then it is working and LDAP is returning results.
public static void main(String[] args) throws NamingException, IOException {
Properties env = new Properties();
env.put("java.naming.factory.initial",
"com.sun.jndi.ldap.LdapCtxFactory");
// LDAP url
env.put("java.naming.provider.url", "url");
env.put("com.sun.jndi.ldap.read.timeout", "1000");
// ldap login
env.put("java.naming.security.principal", "username");
env.put("java.naming.security.credentials", "password");
InitialLdapContext ctx = new InitialLdapContext(env, null);
String contextName = "ou=testou,o=test.com";
// Filter expression
String filterExpr = "(&(|(atype=*Abc Company*)(atype=*def Company*)(ctype=test))(enabled=1)(!(sgroup=*testgrp*))(!(|(op=ABC)(bdesc=*abcdef*))))"; // selects the groups a user belongs to.
SearchControls constraints = new javax.naming.directory.SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); // SUBTREE_SCOPE means recursive search
ctx.setRequestControls(new Control[]{new PagedResultsControl(1000,true)});
byte[] cookie = null;
int totalResults = 0;
NamingEnumeration<SearchResult> search = ctx.search(contextName,
filterExpr,constraints);
int count=0;
while (search.hasMoreElements()) {
count++;
System.out.println(search.next().getName());
}
System.out.println("Total user"+count);
}
Assuming you are talking about JNDI, sadly the JNDI Tutorial, p. 247, says:
Note: Version 1.2 of Sun's LDAP provider does not treat query components properly
and nothing appears to have changed in any release up to Java 8.
The Dynamic Groups feature relies on this.
I want to allow a user to authenticate and retrieve a full list of Active Directory users without having to enter their password. I'm able to authenticate easily through Waffle and can query information specific to the authenticated user, like the list of groups to which they belong. However, Waffle doesn't seem to have the ability to make more general queries like the full list of users (or even the list of users belonging to a certain group).
I have another toy example configured where I use the JNDI to query the user list, which works fine, but it requires a username and password in order to make the connection.
Assuming anonymous querying is disabled on my AD server, is there any way for me to use the authenticated session I've established through Waffle to query the list of users?
Figured it out, in case anyone is interested. Honestly surprised I didn't get an answer or find a clear-cut solution somewhere online. It turns out that Waffle is unnecessary for a simple user list query - I modified the code sample here to produce the following method which does the trick:
static void queryCom4j(){
IADs rootDSE = COM4J.getObject(IADs.class, "LDAP://RootDSE", null);
String namingContext = (String)rootDSE.get("defaultNamingContext");
_Connection conn = ClassFactory.createConnection();
conn.provider("ADsDSOObject");
conn.open("Active Directory Provider","","",-1);
_Command cmd = ClassFactory.createCommand();
cmd.activeConnection(conn);
String fields = "distinguishedName,userPrincipalName,telephoneNumber,mail";
String query = "(&(objectclass=user)(objectcategory=person))";
cmd.commandText("<LDAP://" + namingContext + ">;" + query + ";" + fields + ";subTree");
_Recordset rs = cmd.execute(null, Variant.getMissing(), -1);
System.out.println("Found " + rs.recordCount() + " users");
while (!rs.eof()){
for (int i = 0; i < fields.split(",").length; i++){
Object value = rs.fields().item(i).value();
System.out.println((value == null) ? "N/A" : value.toString());
}
rs.moveNext();
}
I would like to create a Liferay hook that creates public pages on server start.
I already have the hook bound to server start. But I have some problems with creating the page. Maybe I am wrong about user, group, community, etc. (remember that this hook doesn't have access to themeDisplay).
Company company = CompanyLocalServiceUtil.getCompanyByMx(PropsUtil.get(PropsKeys.COMPANY_DEFAULT_WEB_ID));
long companyId = company.getCompanyId();
User defaultUser = UserLocalServiceUtil.getDefaultUser(companyId);
long userId = defaultUser.getUserId();
long groupId = GroupLocalServiceUtil.getCompanyGroup(PortalUtil.getDefaultCompanyId()).getGroupId();
boolean privateLayout = false;
long parentLayoutId = LayoutConstants.DEFAULT_PARENT_LAYOUT_ID;
String name = page.getName();
String title = null;
String description = null;
String type = LayoutConstants.TYPE_PORTLET;
boolean hidden = false;
String friendlyUrl = "/test";
ServiceContext serviceContext = new ServiceContext();
serviceContext.setScopeGroupId(groupId);
LayoutLocalServiceUtil.addLayout(userId, groupId, privateLayout, parentLayoutId, name, title, description, type, hidden, friendlyUrl, serviceContext);
LayoutTypePortlet layoutTypePortlet = (LayoutTypePortlet) layout.getLayoutType();
layoutTypePortlet.setLayoutTemplateId(userId, page.getLayoutId());
LayoutLocalServiceUtil.updateLayout(layout.getGroupId(), layout.isPrivateLayout(), layout.getLayoutId(), layout.getTypeSettings());
The page is never listed...
You might want to check the leftovers of that old sevencogs hook demo code - James Falkner has blogged about it and resurrected some of the code. It might not be for the current version, but if there are any API changes, they're minor.
Pay special attention to the "Adding a Layout (Page) to a Site" paragraph in that article and compare it with your code.
Also note that "on server start" means that you'll have to pay attention to not create the same page twice. It'd happen on every single server start - or actually on every deployment of the hook that you write.