OpenLDAP - Get Password Attributes - java

I am writing an OpenLDAP controller, where I have a lot of LDAP functions. One function is to get an LdapUser and his different attributes.
For example:
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// "dn" is not an attribute and is ignored in a returning-attributes list; the entry's DN comes from SearchResult.getNameInNamespace().
// pwdChangedTime is an operational attribute (ppolicy overlay) and is only returned because it is named here explicitly.
private String[] user_attributes = new String[]{"uid", "cn", "sn", "givenName", "description", "mail", "displayName",
        "userPassword", "pwdChangedTime", "pwdExpires", "lastLogonTime"};

public UserData getUser(DirContext ctx, String ou, String userUid) throws NamingException {
    UserData ldapUser = new UserData();
    SearchControls searchCtrls = new SearchControls();
    searchCtrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    searchCtrls.setReturningAttributes(user_attributes);
    // {0} is substituted and escaped by JNDI; concatenating userUid into the filter string would allow LDAP filter injection
    String filter = "(&(objectClass=inetOrgPerson)(uid={0}))";
    NamingEnumeration<SearchResult> enumResult = ctx.search(ou, filter, new Object[]{userUid}, searchCtrls);
    try {
        if (!enumResult.hasMore()) {
            return null; // no matching entry
        }
        SearchResult result = enumResult.next();
        ldapUser.setUid(getAttribute(result, "uid"));
        ldapUser.setCN(getAttribute(result, "cn"));
        ldapUser.setSN(getAttribute(result, "sn"));
        ldapUser.setGivenName(getAttribute(result, "givenName"));
        ldapUser.setDescription(getAttribute(result, "description"));
        ldapUser.setMail(getAttribute(result, "mail"));
    } finally {
        enumResult.close();
    }
    return ldapUser;
}
That works fine. I have my ldapUser class filled with the attributes. I did the same for a TDS controller before, and there I could even use the following attributes:
ldapUser.setPassword(getAttribute(result, "userPassword"));
ldapUser.setpwdExpires(getAttribute(result,"pwdExpires"));
ldapUser.setpwdChangedTime(getAttribute(result, "pwdChangedTime"));
ldapUser.setlastLogonTime(getAttribute(result,"lastLogonTime"));
But it seems this doesn't work for OpenLDAP anymore. Does anyone know, or have a solution for, getting these password attributes in Java from OpenLDAP?
Best regards

The "password" is most likely either a hash of the real password or an encrypted version.
Source: How to retrieve LDAP password via JNDI
See also http://bethecoder.com/applications/tutorials/java/ldap/how-to-query-password-attribute-of-ldap-entry.html
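Two things usually sit behind the empty values, and the example below (added here, not code from the question or the answer) deals with both. First, OpenLDAP stores userPassword hashed, typically as {SSHA}, and a common ACL (olcAccess: to attrs=userPassword by self write by anonymous auth by * none) returns nothing at all for that attribute unless the bound identity is the entry itself, so the attribute is simply absent in the SearchResult. Second, JNDI lists userPassword among its default binary attributes, so Attribute.get() returns a byte[] and a toString()-based getAttribute() helper prints something like [B@1a2b3c. pwdChangedTime is an operational attribute maintained by the ppolicy overlay and is only returned when named explicitly or via "+"; stock OpenLDAP defines no pwdExpires or lastLogonTime, so expiry has to be computed from pwdChangedTime plus the policy's pwdMaxAge. The class names, the 4-byte salt and the sample password are constructed for the demonstration; the SSHA layout is OpenLDAP's.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;

public class OpenLdapPasswordCheck {

    /** Controls for a lookup that also asks for the ppolicy overlay's operational attributes. */
    static SearchControls passwordPolicyControls() {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // "*" = all user attributes, "+" = all operational attributes (pwdChangedTime, modifyTimestamp, ...).
        // Operational attributes are never returned unless asked for by name or with "+".
        sc.setReturningAttributes(new String[]{"*", "+"});
        return sc;
    }

    /** userPassword is on JNDI's default binary-attribute list, so Attribute.get() yields byte[], not String. */
    static byte[] userPasswordBytes(Attributes attrs) throws NamingException {
        Attribute a = attrs.get("userPassword");
        if (a == null) {
            return null; // attribute absent, or the ACL hides it from the bound identity
        }
        Object v = a.get();
        return v instanceof byte[] ? (byte[]) v : v.toString().getBytes(StandardCharsets.UTF_8);
    }

    /** OpenLDAP {SSHA} format: "{SSHA}" + base64( SHA-1(password || salt) || salt ). */
    static String sshaHash(char[] password, byte[] salt) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(new String(password).getBytes(StandardCharsets.UTF_8));
        sha1.update(salt);
        byte[] digest = sha1.digest();
        byte[] out = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, out, digest.length, salt.length);
        return "{SSHA}" + Base64.getEncoder().encodeToString(out);
    }

    /** Verifies a candidate password against a stored {SSHA} value, comparing in constant time. */
    static boolean verifySsha(byte[] storedUserPassword, char[] candidate) throws Exception {
        String stored = new String(storedUserPassword, StandardCharsets.UTF_8);
        if (!stored.startsWith("{SSHA}")) {
            return false; // other schemes ({SHA}, {CRYPT}, {ARGON2}, cleartext) need their own handling
        }
        byte[] raw = Base64.getDecoder().decode(stored.substring("{SSHA}".length()));
        if (raw.length <= 20) {
            return false; // malformed: a 20-byte SHA-1 digest must be followed by at least one salt byte
        }
        byte[] salt = Arrays.copyOfRange(raw, 20, raw.length);
        byte[] recomputed = sshaHash(candidate, salt).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(recomputed, storedUserPassword);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: what slapd stores for the password "secret" with a random 4-byte salt
        byte[] salt = new byte[4];
        new SecureRandom().nextBytes(salt);
        byte[] stored = sshaHash("secret".toCharArray(), salt).getBytes(StandardCharsets.UTF_8);
        System.out.println(new String(stored, StandardCharsets.UTF_8));
        System.out.println("secret -> " + verifySsha(stored, "secret".toCharArray()));
        System.out.println("Secret -> " + verifySsha(stored, "Secret".toCharArray()));
    }
}
```

If the only reason for reading userPassword is to check a login, skip the read entirely and bind to the server as the user's DN with the supplied password: that works with the restrictive ACL in place and avoids handing the application account read access to every hash in the directory.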

Related

how I can get the members of a LDAP Dynamic group using Java

We are required to fetch all users of a dynamic group from the LDAP server in our Java-based application.
Below is my dynamic group URL:
ldap:///ou=testou,o=test.com??sub?(&(|(atype=*Abc Company*)(atype=*def Company*)(ctype=test))(enabled=1)(!(sgroup=*testgrp*))(!(|(op=ABC)(bdesc=*abcdef*))))
When I provide the filter from the above URL in JXplorer, I am able to get the user group which is available in this dynamic group, but when I provide the same filter in the Java code below, LDAP does not return any result. If I provide a simple filter like cn=a*, then it works and LDAP returns results.
import java.io.IOException;
import java.util.Properties;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

public static void main(String[] args) throws NamingException, IOException {
    Properties env = new Properties();
    env.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
    // LDAP url
    env.put("java.naming.provider.url", "url");
    env.put("com.sun.jndi.ldap.read.timeout", "1000");
    // ldap login
    env.put("java.naming.security.principal", "username");
    env.put("java.naming.security.credentials", "password");
    InitialLdapContext ctx = new InitialLdapContext(env, null);
    String contextName = "ou=testou,o=test.com";
    // Filter expression, copied from the dynamic group's memberURL
    String filterExpr = "(&(|(atype=*Abc Company*)(atype=*def Company*)(ctype=test))(enabled=1)(!(sgroup=*testgrp*))(!(|(op=ABC)(bdesc=*abcdef*))))";
    SearchControls constraints = new SearchControls();
    constraints.setSearchScope(SearchControls.SUBTREE_SCOPE); // SUBTREE_SCOPE means recursive search
    byte[] cookie = null;
    int count = 0;
    do {
        // Request pages of 1000 entries; the cookie from the previous response selects the next page
        ctx.setRequestControls(new Control[]{new PagedResultsControl(1000, cookie, Control.CRITICAL)});
        NamingEnumeration<SearchResult> search = ctx.search(contextName, filterExpr, constraints);
        while (search.hasMore()) {
            count++;
            System.out.println(search.next().getName());
        }
        // Pick up the cookie for the next page; an empty cookie means this was the last page
        cookie = null;
        Control[] responseControls = ctx.getResponseControls();
        if (responseControls != null) {
            for (Control c : responseControls) {
                if (c instanceof PagedResultsResponseControl) {
                    cookie = ((PagedResultsResponseControl) c).getCookie();
                }
            }
        }
    } while (cookie != null && cookie.length > 0);
    ctx.close();
    System.out.println("Total users: " + count);
}
Assuming you are talking about JNDI, sadly the JNDI Tutorial, p. 247, says:
Note: Version 1.2 of Sun's LDAP provider does not treat query components properly
and nothing appears to have changed in any release up to Java 8.
The Dynamic Groups feature relies on this.
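Since the provider does not act on the query components of the URL, the workaround is to split the memberURL yourself and feed its base DN, scope and filter to an ordinary search. The class below is an added example (not part of the question or the answer) that parses the RFC 4516 components and builds the matching SearchControls; it needs Java 10 or later for URLDecoder.decode(String, Charset), and the class and method names are the example's own. The main method parses the URL from the question; the search method is only meaningful against a live directory.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** The pieces of an RFC 4516 LDAP URL that a search needs: base DN, attributes, scope and filter. */
public final class LdapUrlParts {
    final String baseDn;
    final String[] attributes; // null = all user attributes
    final int scope;           // one of the SearchControls.*_SCOPE constants
    final String filter;

    LdapUrlParts(String baseDn, String[] attributes, int scope, String filter) {
        this.baseDn = baseDn;
        this.attributes = attributes;
        this.scope = scope;
        this.filter = filter;
    }

    /** ldap[s]://[host[:port]]/dn[?attrs[?scope[?filter[?extensions]]]] */
    static LdapUrlParts parse(String url) {
        int schemeEnd = url.indexOf("://");
        int pathStart = schemeEnd < 0 ? -1 : url.indexOf('/', schemeEnd + 3);
        if (pathStart < 0) {
            throw new IllegalArgumentException("not an LDAP URL: " + url);
        }
        // RFC 4516 requires a literal '?' inside the DN or filter to be percent-encoded, so splitting on '?' is safe
        String[] p = url.substring(pathStart + 1).split("\\?", -1);
        String baseDn = decode(p[0]);
        String attrList = p.length > 1 ? decode(p[1]) : "";
        String scopeWord = p.length > 2 ? decode(p[2]) : "";
        String filter = p.length > 3 ? decode(p[3]) : "";
        String[] attributes = attrList.isEmpty() ? null : attrList.split(",");
        int scope;
        switch (scopeWord.toLowerCase()) {
            case "":
            case "base": scope = SearchControls.OBJECT_SCOPE; break;   // RFC 4516 default
            case "one":  scope = SearchControls.ONELEVEL_SCOPE; break;
            case "sub":  scope = SearchControls.SUBTREE_SCOPE; break;
            default: throw new IllegalArgumentException("unsupported scope: " + scopeWord);
        }
        return new LdapUrlParts(baseDn, attributes, scope, filter.isEmpty() ? "(objectClass=*)" : filter);
    }

    private static String decode(String s) {
        // URLDecoder turns '+' into a space, which an LDAP URL never intends, so protect it first
        return URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    SearchControls toSearchControls() {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(scope);
        sc.setReturningAttributes(attributes);
        return sc;
    }

    /** Runs the search the URL describes, passing the filter and scope that JNDI would otherwise ignore. */
    NamingEnumeration<SearchResult> search(DirContext ctx) throws NamingException {
        return ctx.search(baseDn, filter, toSearchControls());
    }

    public static void main(String[] args) {
        LdapUrlParts u = parse("ldap:///ou=testou,o=test.com??sub?(&(|(atype=*Abc Company*)(atype=*def Company*)(ctype=test))(enabled=1)(!(sgroup=*testgrp*))(!(|(op=ABC)(bdesc=*abcdef*))))");
        System.out.println("base   = " + u.baseDn);
        System.out.println("scope  = " + (u.scope == SearchControls.SUBTREE_SCOPE ? "sub" : u.scope));
        System.out.println("filter = " + u.filter);
    }
}
```

Treat the memberURL as trusted configuration, not as user input: whoever can write the group's memberURL attribute controls the filter your application runs, so the ACL on that attribute deserves the same care as the ACL on member.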

Java Active Directory Login Without Domain

We have a couple of sites that use our company AD.
Currently, in order to log in, we have to use the following:
iuser\userid
with the code:
Hashtable<String, String> config = new Hashtable<String, String>();
config.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
config.put("java.naming.provider.url", ldapUrl);
config.put("java.naming.security.authentication", "simple");
config.put("java.naming.security.principal", "iuser\\" + username);
config.put("java.naming.security.credentials", password);
InitialDirContext dirCxt = new InitialDirContext(config);
However, when we search the AD we can only use just the user ID:
SearchControls cons = new SearchControls();
cons.setSearchScope(SearchControls.SUBTREE_SCOPE);
// user objects carry objectCategory=person (and objectClass=user); objectCategory=user does not match them
NamingEnumeration<SearchResult> resultsEnum =
    dirCxt.search("dc=iuser,dc=example,dc=example,dc=com", "(&(objectCategory=person)(objectClass=user)(cn={0}))", new Object[] {username}, cons);
When we try to create the InitialDirContext without putting the domain first, we get a "User not found" response.
Is there a way of creating the InitialDirContext without having to put our domain in front of the username?
While I would recommend that you rather use Kerberos, you should try the global catalog and not use commonName but rather a unique attribute like userPrincipalName or sAMAccountName.
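The usual way to let users type only their login is search-then-bind: a low-privilege service account resolves the bare sAMAccountName to the account's DN through the Global Catalog (port 3268, which spans the whole forest), and the application then binds as that DN with the password the user supplied. The class below is an added example, not code from the question or the answer; the host name, forest root, service-account DN and environment variable are assumptions to replace with your own values. The early rejection of an empty password is the check that matters most: a simple bind carrying a DN and no password is an unauthenticated bind (RFC 4513 section 5.1.2), which Active Directory treats as anonymous and accepts unless that behaviour has been disabled, so without the check any known login would "authenticate" with a blank password.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdLoginByUserId {
    // Assumed values for this example; replace with your own. 3268 is the Global Catalog port.
    static final String GC_URL = "ldap://dc01.example.com:3268";
    static final String FOREST_ROOT = "dc=example,dc=com";
    static final String SERVICE_DN = "CN=svc-ldap-lookup,OU=Service Accounts,DC=example,DC=com"; // read-only account
    static final String SERVICE_PASSWORD = System.getenv("LDAP_SERVICE_PASSWORD");

    static DirContext bind(String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, GC_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    /** Resolves a bare login (sAMAccountName) to the account's DN; null if unknown, exception if ambiguous. */
    static String findUserDn(DirContext ctx, String userId) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[]{"distinguishedName"});
        // {0} is escaped by JNDI, so a login containing '*' or ')' cannot alter the filter
        String filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))";
        NamingEnumeration<SearchResult> results = ctx.search(FOREST_ROOT, filter, new Object[]{userId}, sc);
        try {
            if (!results.hasMore()) {
                return null;
            }
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) {
                throw new NamingException("login is not unique across the forest: " + userId);
            }
            return dn;
        } finally {
            results.close();
        }
    }

    /** Search-then-bind: the user supplies only the login, never a domain prefix. */
    static boolean authenticate(String userId, char[] password) throws NamingException {
        // Reject empty passwords before touching the directory: DN + empty password is an
        // unauthenticated bind, which AD accepts as anonymous unless explicitly disabled.
        if (userId == null || userId.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        DirContext lookup = bind(SERVICE_DN, SERVICE_PASSWORD);
        String dn;
        try {
            dn = findUserDn(lookup, userId);
        } finally {
            lookup.close();
        }
        if (dn == null) {
            return false; // unknown login; same outcome as a wrong password, so logins cannot be enumerated
        }
        try {
            bind(dn, new String(password)).close();
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(authenticate(args[0], System.console().readPassword("password: ")));
    }
}
```

Use ldaps:// (port 3269 for the Global Catalog) or StartTLS in production; with plain ldap:// both the service password and every user password cross the network in clear.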

Get list of users & persons by login with ldap java

I'm currently working on an app that contains official employee information, including the login.
I would like to write an LDAP search filter that retrieves all the information concerning specific users that correspond to a list of logins I provide.
A bit like a select statement in SQL: select * from ldap where login in (my list of logins).
I'm using the basic javax.naming.directory with all the blah blah that comes with it.
// set properties for our connection and provider
Properties properties = new Properties();
properties.put( Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory" );
properties.put( Context.PROVIDER_URL, "ldap://myserver.somewhere.com:389" );
properties.put( Context.REFERRAL, "ignore" );
// set properties for authentication
properties.put( Context.SECURITY_PRINCIPAL, "User Name" );
properties.put( Context.SECURITY_CREDENTIALS, "password" );
InitialDirContext context = new InitialDirContext( properties );
The only thing I could do so far is list all the user objects; if I could get directly those I'm looking for, that would be very nice :)
Thanks a lot for your help, guys :)
String searchFilter = "your_query";
String ldapSearchBase = "dc=ad,dc=my-domain,dc=com";
SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results = context.search(ldapSearchBase, searchFilter, searchControls);
A query might be like this:
"(&(objectClass=user)(sAMAccountName={0}))"  // {0} is filled from the filterArgs parameter of search() and escaped by JNDI; don't concatenate accountName into the string
Complete example here:
http://www.adamretter.org.uk/blog/entries/LDAPTest.java
So the final query I had to put in the search filter is:
(&(objectCategory=person)
(|
(sAMAccountName=login1)
(sAMAccountName=login2)
(sAMAccountName=login3)
)
)
Thanks for you help :)
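The OR filter above is the right shape, but each login has to be escaped before it is spliced into the filter text, otherwise a value such as login3)(sAMAccountName=* turns the "IN" list into a match on every user. The class below is an added example (not from the question or the answers) that builds the filter from a list of logins with RFC 4515 escaping; the class name and the sample logins are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class LoginFilter {

    /** Escapes one assertion value for use in an LDAP search filter (RFC 4515 section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            switch (b) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case 0:    sb.append("\\00"); break;
                default:
                    if (b < 0x20 || b >= 0x7f) {
                        sb.append(String.format("\\%02x", b & 0xff)); // control and non-ASCII bytes, hex-escaped
                    } else {
                        sb.append((char) b);
                    }
            }
        }
        return sb.toString();
    }

    /** The SQL "login IN (...)" equivalent: an OR of sAMAccountName assertions, ANDed with the object type. */
    static String buildLoginFilter(List<String> logins) {
        if (logins.isEmpty()) {
            throw new IllegalArgumentException("at least one login is required");
        }
        StringBuilder f = new StringBuilder("(&(objectCategory=person)(objectClass=user)(|");
        for (String login : logins) {
            f.append("(sAMAccountName=").append(escapeFilterValue(login)).append(')');
        }
        return f.append("))").toString();
    }

    public static void main(String[] args) {
        // Constructed input: two ordinary logins and one that tries to widen the filter to every user
        List<String> logins = Arrays.asList("login1", "login2", "login3)(sAMAccountName=*");
        System.out.println(buildLoginFilter(logins));
    }
}
```

The same protection is available without a hand-written escaper: write the filter with {0}, {1}, ... placeholders and pass the logins as the Object[] filterArgs argument of DirContext.search(), which escapes each value for you. The manual version is shown here because the escaping rule is what needs to be understood, and it is the only option when the filter string is assembled outside JNDI.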

Authentication trouble with Apache Shiro

I'm a beginner with Apache Shiro. I've been following the docs and lots of other tutorials, blogs, etc., but I just can't get the authentication to work. When I attempt to log in with a valid username and password, I always get an InvalidCredentialsException. I'm using DynamoDB as a custom realm for storing user credentials, but I really don't think that matters. It's obviously the way that I'm storing and/or doing the credential matching that's not correct. Here's my setup:
Shiro.ini:
[main]
myRealm = com.enki.closing.users.DynamoDBRealm
credentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 1024
myRealm.credentialsMatcher = $credentialsMatcher
Create user account:
String password = ...
ByteSource passwordSalt = new SecureRandomNumberGenerator().nextBytes();
String hashedPasswordBase64 = new Sha256Hash(password, passwordSalt, 1024).toBase64();
// store the hashedPassword and salt in DynamoDB...
// I've tried storing the salt with and without base64 encoding.
The password and salt are stored fine in DynamoDB, the values look alright. Here's the custom realm for authentication:
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken userPass = (UsernamePasswordToken) token;
String username = userPass.getUsername();
...
// pull the matching password and salt out of DynamoDB, no problems...
ByteSource passwordSalt = ByteSource.Util.bytes( storedPasswordSalt );
return new SimpleAuthenticationInfo(username, passwordHash, passwordSalt, getName());
}
This is all pretty much what the docs are telling me to do, but there's something not right. When I try the login, I get InvalidCredentialsException.
I figured out how to get it working. I had to change this (in my custom realm impl):
ByteSource passwordSalt = ByteSource.Util.bytes( storedPasswordSalt );
to this:
ByteSource passwordSalt = ByteSource.Util.bytes(
Base64.decode( storedPasswordSalt) );
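The failure comes down to the salt leaving the database in a different form than it entered it: the hash was computed over the raw random bytes, but the realm handed the matcher the UTF-8 bytes of the base64 text, so the matcher re-hashed the password with a different salt. The class below is an added example (not the asker's code) that reproduces both outcomes side by side with an in-memory map standing in for the DynamoDB table; it uses Shiro's HashedCredentialsMatcher, which is the non-deprecated replacement for Sha256CredentialsMatcher in Shiro 1.x, and the realm name, user and password are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class ShiroSaltRoundTrip {
    static final int ITERATIONS = 1024; // same value as credentialsMatcher.hashIterations in shiro.ini

    // Stand-in for the DynamoDB table: username -> {hashBase64, saltBase64}, both stored as text
    static final Map<String, String[]> TABLE = new HashMap<>();

    static void createAccount(String user, String password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashBase64 = new Sha256Hash(password, salt, ITERATIONS).toBase64();
        TABLE.put(user, new String[]{hashBase64, salt.toBase64()});
    }

    /** Equivalent of the [main] section: SHA-256, 1024 iterations, base64-encoded stored hash. */
    static HashedCredentialsMatcher matcher() {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        m.setHashIterations(ITERATIONS);
        m.setStoredCredentialsHexEncoded(false);
        return m;
    }

    /** What doGetAuthenticationInfo() returns; decodeSalt=false reproduces the bug from the question. */
    static AuthenticationInfo info(String user, boolean decodeSalt) {
        String[] row = TABLE.get(user);
        byte[] salt = decodeSalt
                ? Base64.decode(row[1])                          // the random bytes the hash was computed with
                : row[1].getBytes(StandardCharsets.UTF_8);       // the bytes of the base64 text: a different salt
        return new SimpleAuthenticationInfo(user, row[0], ByteSource.Util.bytes(salt), "demoRealm");
    }

    static boolean login(String user, String password, boolean decodeSalt) {
        return matcher().doCredentialsMatch(new UsernamePasswordToken(user, password), info(user, decodeSalt));
    }

    public static void main(String[] args) {
        createAccount("alice", "correct horse battery staple");
        System.out.println("decoded salt, right password:    " + login("alice", "correct horse battery staple", true));
        System.out.println("raw salt string, right password: " + login("alice", "correct horse battery staple", false));
        System.out.println("decoded salt, wrong password:    " + login("alice", "Tr0ub4dor&3", true));
    }
}
```

Whatever encoding the salt is stored in, the rule is that the bytes given to SimpleAuthenticationInfo must be identical to the bytes given to Sha256Hash. Separately, 1024 iterations of SHA-256 is a small work factor for a password store; raise it as far as your login latency budget allows.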

DirContext : Active Directory Ldap request: get groups of user with parent groups

I use javax.naming.directory.DirContext to create an LDAP request for Active Directory. This request returns the groups of which the user with the given name is a member.
SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
searchCtls.setCountLimit(1);
searchCtls.setReturningAttributes(new String[]{"memberOf"});
// {0} is substituted and escaped by JNDI, so a user name containing '*' or ')' cannot alter the filter
String searchFilter = "(sAMAccountName={0})";
NamingEnumeration<SearchResult> answer = null;
try {
    // adSearchRequestCr is a search-base template in which DL3, DL2 and DL1 are replaced by the
    // domain labels of the AD host; getDomainName(host, n) is defined elsewhere in the class
    adSearchRequestCr = adSearchRequestCr.replace("DL3", getDomainName(host, 3));
    adSearchRequestCr = adSearchRequestCr.replace("DL2", getDomainName(host, 2));
    adSearchRequestCr = adSearchRequestCr.replace("DL1", getDomainName(host, 1));
    answer = context.search(adSearchRequestCr, searchFilter, new Object[]{userName}, searchCtls);
} catch (NamingException e) {
    throw new IllegalStateException("group lookup failed for " + userName, e);
}
This works fine, but now I need to change this request. The changed request should return not just the groups the user is in, but also the parent groups of those groups, and so on (a tree of groups). I read about LDAP_MATCHING_RULE_IN_CHAIN, but I still didn't manage to use it.
Please help with using LDAP_MATCHING_RULE_IN_CHAIN or something similar to achieve the new aim of the request.
Finally, I created the recursion myself without using LDAP_MATCHING_RULE_IN_CHAIN. First I get the groups of which the user is a member. I retrieve these groups with the attribute "memberOf"; this attribute contains the parent groups. Then I do the same operation for the parent groups until my search is finished. This works fast.
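Both approaches are shown below as an added example (not the asker's code): the memberOf walk from the answer, written with a visited set so that a group that appears twice, or a cycle between groups, cannot make the walk loop or hand back duplicates, and the single server-side query with LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941), which lets Active Directory do the transitive expansion itself. The walk takes its lookup as a function so that main can run it offline against a constructed directory fragment that includes a cycle; memberOfFromAd adapts the same walk to a live DirContext. The DNs in main are constructed.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Deque;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class NestedGroups {
    static final String IN_CHAIN = "1.2.840.113556.1.4.1941"; // LDAP_MATCHING_RULE_IN_CHAIN

    /**
     * Walks memberOf upwards from startDn. 'parents' maps an entry's DN to its memberOf values.
     * Breadth-first; the visited set stops cycles and repeated groups, so every group is returned once.
     */
    static Set<String> transitiveGroups(String startDn, Function<String, List<String>> parents) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> work = new ArrayDeque<>(parents.apply(startDn));
        while (!work.isEmpty()) {
            String group = work.poll();
            if (seen.add(group)) {
                work.addAll(parents.apply(group));
            }
        }
        return seen;
    }

    /** JNDI adapter for the walk: reads memberOf of one entry (user or group) from the directory. */
    static Function<String, List<String>> memberOfFromAd(DirContext ctx) {
        return dn -> {
            try {
                Attributes attrs = ctx.getAttributes(dn, new String[]{"memberOf"});
                Attribute memberOf = attrs.get("memberOf");
                List<String> out = new ArrayList<>();
                if (memberOf != null) {
                    for (NamingEnumeration<?> e = memberOf.getAll(); e.hasMore();) {
                        out.add((String) e.next());
                    }
                }
                return out;
            } catch (NamingException e) {
                throw new IllegalStateException("memberOf lookup failed for " + dn, e);
            }
        };
    }

    /** One query: every group the user belongs to directly or through nesting (Active Directory only). */
    static List<String> groupsInChain(DirContext ctx, String baseDn, String userDn) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[]{"distinguishedName"});
        // {0} is escaped by JNDI, so a DN containing '(' or '*' cannot break the filter
        String filter = "(&(objectClass=group)(member:" + IN_CHAIN + ":={0}))";
        List<String> out = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, new Object[]{userDn}, sc);
        try {
            while (results.hasMore()) {
                out.add(results.next().getNameInNamespace());
            }
        } finally {
            results.close();
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed directory fragment: DN -> memberOf, with a deliberate cycle between Eng and Dev
        Map<String, List<String>> dir = new HashMap<>();
        dir.put("CN=jdoe,OU=Users,DC=example,DC=com", Arrays.asList("CN=Dev,OU=Groups,DC=example,DC=com"));
        dir.put("CN=Dev,OU=Groups,DC=example,DC=com", Arrays.asList("CN=Eng,OU=Groups,DC=example,DC=com"));
        dir.put("CN=Eng,OU=Groups,DC=example,DC=com",
                Arrays.asList("CN=Staff,OU=Groups,DC=example,DC=com", "CN=Dev,OU=Groups,DC=example,DC=com"));
        dir.put("CN=Staff,OU=Groups,DC=example,DC=com", Collections.emptyList());
        Set<String> groups = transitiveGroups("CN=jdoe,OU=Users,DC=example,DC=com",
                dn -> dir.getOrDefault(dn, Collections.emptyList()));
        groups.forEach(System.out::println);
    }
}
```

One gap applies to both methods: memberOf and the member attribute do not record the user's primary group (the one referenced by primaryGroupID, Domain Users by default), so an authorization decision that depends on it has to resolve that group separately.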
