I'm working with Openfire and XMPP. My problem is: whenever I want to sign someone up I need to log into Openfire, like this:
connection.login(Username, Password);
AccountManager accountManager = AccountManager.getInstance(connection);
accountManager.createAccount(Username1, Password1);
So, how can I avoid this useless login?
Thank you.
You have to split the login functionality from createAccount().
You must connect to the Openfire server (without providing a user and password), then ask for createAccount:
//...connection builder
// connect only: no credentials are sent at this point
connection.connect();
// allow the in-band registration (a password-carrying operation) even if the connection is not TLS-protected
AccountManager.getInstance(connection).sensitiveOperationOverInsecureConnection(true);
username = username.toLowerCase();
Map<String,String> attributes = new HashMap<String, String>(2);
attributes.put("name", fullName);
attributes.put("email", email);
// register the new account over the unauthenticated connection
AccountManager.getInstance(connection).createAccount(username, password, attributes);
//now you can do connection.login(username,password)
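The same connect-then-createAccount split, written as an added example that is not code from the thread above. It targets Smack 4.2+ (an assumption; the 4.1 createAccount/login methods take plain Strings) and makes STARTTLS mandatory, so the new password never leaves the client in clear text and sensitiveOperationOverInsecureConnection(true) is not needed. The XMPP domain, host and sample account are placeholders.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.SmackException;
import org.jivesoftware.smack.XMPPException;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;
import org.jivesoftware.smackx.iqregister.AccountManager;
import org.jxmpp.jid.parts.Localpart;

public class RegisterThenLogin {

    // Placeholders: replace with your Openfire XMPP domain and host name.
    private static final String XMPP_DOMAIN = "example.org";
    private static final String XMPP_HOST = "xmpp.example.org";

    public static void registerAndLogin(String username, String password, String fullName, String email)
            throws IOException, SmackException, XMPPException, InterruptedException {

        XMPPTCPConnectionConfiguration config = XMPPTCPConnectionConfiguration.builder()
                .setXmppDomain(XMPP_DOMAIN)
                .setHost(XMPP_HOST)
                .setPort(5222)
                // Abort unless STARTTLS negotiation succeeds: the registration IQ
                // below carries the password, so it must only travel over TLS.
                .setSecurityMode(ConnectionConfiguration.SecurityMode.required)
                .build();

        XMPPTCPConnection connection = new XMPPTCPConnection(config);
        try {
            // Step 1: connect without logging in. The account does not exist yet.
            connection.connect();

            AccountManager accountManager = AccountManager.getInstance(connection);
            // Openfire must have in-band registration (XEP-0077) enabled for this to work.
            if (!accountManager.supportsAccountCreation()) {
                throw new IllegalStateException("server does not offer in-band account creation");
            }
            // No sensitiveOperationOverInsecureConnection(true) here: with
            // SecurityMode.required the session is already TLS-protected.

            Map<String, String> attributes = new HashMap<>();
            attributes.put("name", fullName);
            attributes.put("email", email);
            accountManager.createAccount(Localpart.from(username.toLowerCase()), password, attributes);

            // Step 2: only now authenticate, as the account that was just created.
            connection.login(username, password);
            System.out.println("registered and logged in as " + connection.getUser());
        } finally {
            connection.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        registerAndLogin("alice", "correct horse battery staple", "Alice Example", "alice@example.org");
    }
}
```

If the server's certificate is not trusted by the JVM's default truststore, connect() fails instead of silently falling back to plaintext; that is the intended behaviour of SecurityMode.required.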
First I want to explain what I want to do and how the code looks:
I want to add a user via JNDI to my LDAP with Java. I added the following code:
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public void addUser(String firstName, String lastName, String number) throws NamingException {
    // bind as the administrative account (URL and credentials elided in the original)
    Properties initialProperties = new Properties();
    initialProperties.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    initialProperties.put(Context.PROVIDER_URL, "***");
    initialProperties.put(Context.SECURITY_AUTHENTICATION, "simple");
    initialProperties.put(Context.SECURITY_PRINCIPAL, "***");
    initialProperties.put(Context.SECURITY_CREDENTIALS, "***");
    DirContext context = new InitialDirContext(initialProperties);
    try {
        // objectClass chain of the new entry
        BasicAttributes attributes = new BasicAttributes();
        Attribute attribute = new BasicAttribute("objectClass");
        attribute.add("top");
        attribute.add("person");
        attribute.add("organizationalPerson");
        attribute.add("inetOrgPerson");
        // sn and cn are mandatory attributes of 'person'
        Attribute sn = new BasicAttribute("sn");
        Attribute cn = new BasicAttribute("cn");
        sn.add(lastName);
        cn.add(firstName);
        attributes.put(sn);
        attributes.put(cn);
        attributes.put(attribute);
        // create the entry under the target container (DN elided in the original)
        context.createSubcontext("***", attributes);
    } catch (NamingException e) {
        e.printStackTrace();
    } finally {
        context.close();
    }
}
When I call the method I get the following error:
javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031528D2, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Which makes no sense from my point of view, because I created two other methods, one for getting all the users, which works, and one for editing a user, which works too. So I have the rights to read and write a user, but when I want to create a user it says I have no permission?
Has anyone else had this problem?
Is there any configuration necessary on the Administrator user in LDAP? But the Administrator should have all rights?
I hope someone can help me! :)
Greetings,
Fabian.
so i have the rights to read and write a user, but when i want to create a user it says i have no permission
Read, write and create are 3 separate permissions. A user can have write permissions to existing objects, but not have permission to create a new object. Those permissions can be set differently on each OU.
I'm having an issue where everything works such as roles, and authentication. However, my development has come to a halt because I cannot get the permissions for an account. Permissions always return null and I don't know why.
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.jdbc.JdbcRealm;

DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager();
// authentication: succeed if at least one realm accepts the token
ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
authenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());
defaultSecurityManager.setAuthenticator(authenticator);
// authorization: permission strings resolved as wildcard permissions (domain:action:instance)
ModularRealmAuthorizer authorizer = new ModularRealmAuthorizer();
authorizer.setPermissionResolver(new WildcardPermissionResolver());
defaultSecurityManager.setAuthorizer(authorizer);
// single JDBC realm backed by the application data source
JdbcRealm realm = new JdbcRealm();
realm.setDataSource(DatabaseUtil.DATA_SOURCE);
realm.setAuthenticationQuery("SELECT password FROM account WHERE username = ?");
realm.setUserRolesQuery("SELECT accountRole FROM account WHERE username = ?");
realm.setPermissionsQuery("SELECT permissions FROM account WHERE username = ?");
realm.setPermissionsLookupEnabled(true);
realm.setCredentialsMatcher(new PasswordMatcher());
defaultSecurityManager.setRealm(realm);
SecurityUtils.setSecurityManager(defaultSecurityManager);
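The question above has no answer on this page. As an added example that is not part of the post, here is a JdbcRealm wired the same way but with each of the three queries keyed on the parameter Shiro binds for it. The point worth knowing is that JdbcRealm executes the permissions query once for every role name returned by the roles query, binding the role name, not the username; a permissions query that expects a username therefore returns no rows and the Subject ends up with no permissions. Whether that is what produces the null permissions in the post is my assumption. The table layout and rows in the comment are constructed for this example.

```java
import javax.sql.DataSource;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.pam.AtLeastOneSuccessfulStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.authz.ModularRealmAuthorizer;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.subject.Subject;

public class ShiroJdbcRealmSetup {

    /*
     * Constructed schema for this example (not from the post):
     *
     *   CREATE TABLE account           (username VARCHAR(64) PRIMARY KEY, password VARCHAR(255) NOT NULL);
     *   CREATE TABLE account_roles     (username VARCHAR(64) NOT NULL, role_name VARCHAR(64) NOT NULL);
     *   CREATE TABLE roles_permissions (role_name VARCHAR(64) NOT NULL, permission VARCHAR(255) NOT NULL);
     *
     *   -- password column holds a Shiro1CryptFormat hash, e.g. from
     *   -- new DefaultPasswordService().encryptPassword("secret"); PasswordMatcher verifies against it.
     *   INSERT INTO account           VALUES ('alice', '$shiro1$SHA-256$500000$...$...');
     *   INSERT INTO account_roles     VALUES ('alice', 'editor');
     *   INSERT INTO roles_permissions VALUES ('editor', 'document:read,write:*');
     */

    public static DefaultSecurityManager buildSecurityManager(DataSource dataSource) {
        JdbcRealm realm = new JdbcRealm();
        realm.setDataSource(dataSource);

        // bound parameter: username
        realm.setAuthenticationQuery("SELECT password FROM account WHERE username = ?");
        // bound parameter: username
        realm.setUserRolesQuery("SELECT role_name FROM account_roles WHERE username = ?");
        // bound parameter: ROLE NAME. JdbcRealm runs this once per role from the query above.
        // Keying it on username would silently match nothing and yield empty permissions.
        realm.setPermissionsQuery("SELECT permission FROM roles_permissions WHERE role_name = ?");
        realm.setPermissionsLookupEnabled(true);
        realm.setCredentialsMatcher(new PasswordMatcher());

        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setAuthenticationStrategy(new AtLeastOneSuccessfulStrategy());

        ModularRealmAuthorizer authorizer = new ModularRealmAuthorizer();
        authorizer.setPermissionResolver(new WildcardPermissionResolver());

        DefaultSecurityManager securityManager = new DefaultSecurityManager();
        securityManager.setAuthenticator(authenticator);
        securityManager.setAuthorizer(authorizer);
        // set the realm last: the security manager propagates it to the authenticator and authorizer
        securityManager.setRealm(realm);
        return securityManager;
    }

    /** Logs in and checks one wildcard permission derived from the role's permission row. */
    public static boolean canWriteDocument(DataSource dataSource, String user, String password) {
        SecurityUtils.setSecurityManager(buildSecurityManager(dataSource));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken(user, password));
        try {
            // 'document:read,write:*' implies 'document:write:42'
            return subject.isPermitted("document:write:42");
        } finally {
            subject.logout();
        }
    }
}
```

With the rows above, canWriteDocument(ds, "alice", "secret") returns true because the role 'editor' carries 'document:read,write:*'; if the permissions query is keyed on username instead, the same call returns false with no error.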
I have recently started playing with the Bing Ads API for managing my ads and campaigns, and I am having a problem authenticating the user (not OAuth authentication).
I authenticated my user using OAuth with the following:
private String devToken = "ZZZZZ";
private String clientId = "AAA0BBB-XXXX-AAAAA";
protected static String UserName = "a.v@h.c";
protected static String Password = "********";
// To get the initial access and refresh tokens you must call requestAccessAndRefreshTokens with the authorization redirection URL.
OAuthTokens tokens = oAuthDesktopMobileAuthCodeGrant.requestAccessAndRefreshTokens(url);
System.out.println("Access token: " + tokens.getAccessToken());
System.out.println("Refresh token: " + tokens.getRefreshToken());
// the same grant object is attached to the AuthorizationData shared by every service client
authorizationData = new AuthorizationData();
authorizationData.setDeveloperToken(getDevToken());
authorizationData.setAuthentication(oAuthDesktopMobileAuthCodeGrant);
This authenticates my user just fine, since I can use ICustomerManagementService.class without problems for account-related information:
customerServiceClient = new ServiceClient<>(authorizationData, ICustomerManagementService.class);
ArrayOfAccount accounts = searchAccountsByUserId(user.getId());
The above works perfectly. But when I try to do the same with ICampaignManagementService.class like below
campaignServiceClient = new ServiceClient<>(authorizationData, ICampaignManagementService.class);
GetAdsByAdGroupIdRequest cReq = new GetAdsByAdGroupIdRequest();
cReq.setAdGroupId(1234567890L);
campaignServiceClient.getService().getAdsByAdGroupId(cReq);
I get error code 106 saying that the user is not authorized.
The user does not represent a authorized developer.
106
Any help in this regard ?
Please try to set the CustomerId and CustomerAccountId header elements (CustomerId and AccountId of AuthorizationData). These headers are not available with the Customer Management service, but are applicable for Campaign Management service. If that does not resolve the issue please feel free to send the SOAP request + response to support for investigation. I hope this helps!
Ok, this is driving me crazy. I'm trying to create an LDAP authentication with Java and everything is fine if I use my First name and Last name in the SECURITY_PRINCIPAL. This is my code:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

try {
    Hashtable<String, String> ldapEnv = new Hashtable<String, String>();
    ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    ldapEnv.put(Context.PROVIDER_URL, "LDAP://myldap.mydomain.com:389");
    ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
    // bind DN built from the display name; this variant works
    ldapEnv.put(Context.SECURITY_PRINCIPAL, "CN=FirstName LastName" + ",ou=Users");
    ldapEnv.put(Context.SECURITY_CREDENTIALS, "password");
    DirContext ldapContext = new InitialLdapContext(ldapEnv, null);
    ldapContext.close();
}
catch (NamingException e) {
    System.out.println(" bind error: " + e);
    e.printStackTrace();
}
The problem is that it does not work with my username. If I try:
ldapEnv.put(Context.SECURITY_PRINCIPAL, "CN=myusername" + ",ou=Users");
Or
ldapEnv.put(Context.SECURITY_PRINCIPAL, "uid=myusername" + ",ou=Users");
I always get [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
This only seems to work with my first name and last name for some reason. I checked AD and my sAMAccountName is my correct username. Not sure why this is happening. Has anyone else had such issues? Can I pass something else to Context.SECURITY_PRINCIPAL? I tried ldapEnv.put(Context.SECURITY_PRINCIPAL, "sAMAccountName=myusername" + ",ou=Users"); but it also fails... Can anyone please help?
EJP, thanks for your input. You are indeed correct, but I was looking for something simple: just pass a username and password to the AD and see if it authenticates or not. I should have been more specific in my first post. Your suggestion will work, but I think this is much simpler:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;

Hashtable<String, String> props = new Hashtable<String, String>();
// userPrincipalName form of the login: no DN needed
String principalName = "username@mydomain.com";
props.put(Context.SECURITY_PRINCIPAL, principalName);
props.put(Context.SECURITY_CREDENTIALS, "mypassword");
DirContext context;
//try to authenticate
try {
    context = com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance("LDAP://myldap.mydomain.com:389" + '/', props);
    context.close();
} catch (NamingException e) {
    System.out.println(" bind error: " + e);
}
This way I don't care about the DN. Just passing the username@domain and voila, it works like a charm :) Thanks again!
There is no entry whose DN contains a UID or CN=username. You have to provide an entry which exists, not just an arbitrary string of attributes. The usual technique is to bind as an admin user, search for the user who has that UID or whatever he provided to your login system, retrieve the DN of that user, then try to bind as that DN with the user-supplied password.
We have a couple of sites that use our company AD.
Currently, in order to log in we have to use the following:
iuser\userid
with the code:
import java.util.Hashtable;
import javax.naming.NamingEnumeration;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

Hashtable<String, String> config = new Hashtable<String, String>();
config.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
config.put("java.naming.provider.url", ldapUrl);
config.put("java.naming.security.authentication", "simple");
// NetBIOS-domain form of the login name: DOMAIN\user
config.put("java.naming.security.principal", "iuser\\" + username);
config.put("java.naming.security.credentials", password);
InitialDirContext dirCxt = new InitialDirContext(config);
However, when we go to search the AD we can only use just the userid:
SearchControls cons = new SearchControls();
cons.setSearchScope(SearchControls.SUBTREE_SCOPE);
// {0} is filled in (and escaped) by JNDI from the filter arguments
NamingEnumeration<SearchResult> resultsEnum =
    dirCxt.search("dc=iuser,dc=example,dc=example,dc=com", "(&(objectCategory=user)(cn={0}))", new Object[] {username}, cons);
When we try to create the InitialDirContext without putting the domain first, we get a "User not found" response.
Is there a way of creating the InitialDirContext without having to put our domain infront of the username?
While I would recommend that you use Kerberos instead, you should try the global catalog and not use commonName but rather a unique attribute like userPrincipalName or sAMAccountName.
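The following added example (not code from either thread) combines EJP's technique from the previous thread, bind as a service account, search for the user's DN, then bind as that DN with the user-supplied password, with the advice just above to look the user up by sAMAccountName or userPrincipalName rather than cn. The server URL, base DN and service account are placeholders, and the service password is read from an environment variable I chose for the example. It also refuses empty passwords before touching the directory: a simple bind with a DN and an empty password is an anonymous bind, which Active Directory accepts by default, so without that check a blank password would "log in".

```java
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdSearchThenBind {

    // Placeholders: replace with your directory. ldaps:// keeps both simple binds
    // (service account and user) off the wire in clear text.
    private static final String LDAP_URL = "ldaps://dc01.example.com:636";
    private static final String BASE_DN = "dc=example,dc=com";
    private static final String SERVICE_UPN = "ldap-reader@example.com";
    private static final String SERVICE_PASSWORD = System.getenv("LDAP_SERVICE_PASSWORD");

    /** Simple bind as the given principal (a DN or a userPrincipalName). */
    private static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /**
     * Looks the login name up as userPrincipalName (if it contains '@') or as
     * sAMAccountName and returns the entry's DN, or null if nothing matches.
     */
    public static String findUserDn(String login) throws NamingException {
        if (SERVICE_PASSWORD == null) {
            throw new IllegalStateException("LDAP_SERVICE_PASSWORD is not set");
        }
        String attr = login.indexOf('@') >= 0 ? "userPrincipalName" : "sAMAccountName";
        // {0} is substituted by JNDI, which escapes *, (, ), \ and NUL in the
        // argument, so user input cannot change the structure of the filter.
        String filter = "(&(objectCategory=person)(objectClass=user)(" + attr + "={0}))";

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[0]); // only the DN is needed
        controls.setCountLimit(2);                       // enough to detect duplicates

        DirContext service = bind(SERVICE_UPN, SERVICE_PASSWORD);
        try {
            NamingEnumeration<SearchResult> results =
                    service.search(BASE_DN, filter, new Object[] { login }, controls);
            try {
                if (!results.hasMore()) {
                    return null;
                }
                String dn = results.next().getNameInNamespace();
                if (results.hasMore()) {
                    throw new NamingException("login name is not unique: " + login);
                }
                return dn;
            } finally {
                results.close();
            }
        } finally {
            service.close();
        }
    }

    /** Service bind -> search for the DN -> bind as that DN with the user's password. */
    public static boolean authenticate(String login, String password) throws NamingException {
        // An empty password turns the simple bind into an anonymous bind, which
        // Active Directory accepts by default; it must never count as a login.
        if (login == null || login.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        String dn = findUserDn(login);
        if (dn == null) {
            return false; // unknown account; same outcome as a wrong password
        }
        try {
            bind(dn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // LDAP error 49: wrong password, or account disabled/locked/expired
        }
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(authenticate("jdoe", args.length > 0 ? args[0] : ""));
    }
}
```

The service account only needs read access to the users it looks up; the user's own password is never used for anything but the second bind, and the second bind is what actually verifies it, so a user whose account is disabled or locked is rejected by the directory with error 49 exactly as a wrong password would be.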