JAVA - Active directory and ldap password properties

I'm using a program that correctly adds a user to AD using the LDAP protocol.
I noticed that there are some properties about the password. There is userPassword, which stores the password in clear, and unicodePwd, which accepts an encoded pwd.
I'm working on a project where a lot of users were created by the admin in AD, using the Windows Server administration tool. But what surprises me more is that these users have passwords and the app works fine with the login... but BOTH properties are empty! So, where are the passwords?
From Java I have to add the passwords in the same way, but I cannot figure out how to approach the problem, because I don't know where those users' passwords are stored.
Any ideas?

You cannot read a password from AD. There is special logic in the directory to handle writes to those attributes, but there is no read capability. They will always appear to be null.
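As an added illustration of the answer above (this is not code from the question or its author), here is how a password is written to unicodePwd with JNDI and what a subsequent read of both attributes returns. The host, service-account DN and user DN are placeholders; the bind password comes from an environment variable. AD only accepts unicodePwd writes over an encrypted connection (LDAPS here), so the JVM must trust the domain controller's certificate.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Sets an AD user's password via unicodePwd. Hostname, admin DN and user DN below are placeholders. */
public class AdPasswordSetter {

    /** unicodePwd expects the password wrapped in double quotes and encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    static DirContext connect(String ldapsUrl, String bindDn, String bindPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl); // must be ldaps:// (port 636); AD rejects unicodePwd writes over plain LDAP
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    /** Replaces the password; AD applies its password policy and rejects the write if it fails. */
    static void setPassword(DirContext ctx, String userDn, String newPassword) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    /** The point of the answer: neither attribute comes back on a read, even right after a successful write. */
    static boolean passwordAttributesVisible(DirContext ctx, String userDn) throws NamingException {
        Attributes attrs = ctx.getAttributes(userDn, new String[] {"unicodePwd", "userPassword"});
        return attrs.get("unicodePwd") != null || attrs.get("userPassword") != null; // false against AD
    }

    public static void main(String[] args) throws NamingException {
        String userDn = "CN=Jane Doe,OU=Users,DC=example,DC=test"; // placeholder
        DirContext ctx = connect("ldaps://dc.example.test:636",        // placeholder
                "CN=svc-provision,OU=Service Accounts,DC=example,DC=test", // placeholder
                System.getenv("AD_BIND_PASSWORD"));
        try {
            setPassword(ctx, userDn, args[0]);
            System.out.println("password attributes readable: " + passwordAttributesVisible(ctx, userDn));
        } finally {
            ctx.close();
        }
    }
}
```

The write fails with an LDAP error rather than a Java one if the connection is not encrypted or the new value violates the domain password policy; the read-back returning nothing is normal and is how the users created through the Windows tools look too.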

Related

How to pull Citrix username into Java application

I have an application that pulls the Windows user's user name and uses that name to check against a database and provides various alerts when needed for that user name. I need to modify the program to be able to pull the Citrix username instead, but I cannot find any information on this. Does anyone know if this is possible?
I don't know how to pull the Citrix username, but if you need the username and it's available according to the privileges, request.getRemoteUser() or request.getUserPrincipal() should work; otherwise you can try System.getProperty("user.name"), but it will only give you the username of the user running the Java process.

Keeping secret information secret

So, I'm writing a password verification thingy, loading usernames and passwords from a database, but I can't figure out how to keep the database username and password out of the code.
String user = "username"; // database username, not the username to verify
String password = "password"; // my password, not the user's password to check
String url = "jdbc:mysql://databaseurl:3306/table";
// I want this hidden somehow
I could load it from a file, but then people could just read the file.
Obviously I don't want people gaining access to the database and reading secret information. How should I go about doing this?
EDIT: What I'm asking is how I can secure MY database credentials. Other people should not have access to the database.
You could, for instance, decompile the jar and read the above lines, and access my database using my credentials (using a program such as jd-gui).
Use password encryption.
If your application runs inside a J2EE container, use the standard tools.
Look at the sample for the JBoss container.
If you're going to give the user direct access to the database, why not just make the username/password you're passing to the database the user's actual username/database?
Typically in secure systems the database is not directly exposed to the user. The user passes a query to some system which then performs authentication and then, if it passes, passes the query to the database.
In other words, if you're relying on the obscuring of the database login credentials as the obstruction to accessing the database, you're relying on the client to authenticate itself with respect to actually querying the database, which is a bad, bad idea. As soon as your database's login credentials are compromised, your whole security scheme has now failed.
You can keep database details in a property file/database. It is a kind of one layer of abstraction. And in that property file/database, you give some different keys so that at the time of accessing the database you take the keys/columns from the property file/database and construct the URL information.
Secure your authentication and authorization services using a PKI exchange with a properly signed certificate (so it can be revoked if something does go wrong, and it certainly may).
One example is ws-security (a SOAP extension), but if you need to use REST you're stuck with transport-level security (securing your connection with HTTPS).
You might want to read up at http://security.stackexchange.com for more insightful commentary, rather than "store it in a property file."

To retrieve logged in user's Active directory data from Websphere

In my application, I use WebSphere single sign-on authentication. I want to retrieve the logged in user's name, e-mail Id and distinguished name. Almost all the solutions on Google use an LDAP server to retrieve the values. I want a solution that doesn't use LDAP, as I have already connected to Active Directory through WebSphere. Please help me with this.
The logged on user is represented as a set of principals within the JAAS subject. Information like user name or email is not present there and is not supposed to be. You have no option other than to query LDAP (Active Directory in your case).
The statement "I have already connected to Active Directory" does not make much sense. Yes, the user is authenticated by WAS through AD, but this does not mean that any sort of persistent connection exists.

How to authenticate with Active Directory using java in XPages

I need to know if a user entered correct login information for Microsoft Active Directory.
I want the user to enter username and password on an XPage, and it should only return whether these values were entered correctly or not.
I know I can use LDAP requests and send in credentials but have not seen any working solutions for this.
I need to use Java as the code should be able to run on non-Windows servers.
There are a number of approaches you can take:
The easiest would be to link AD to Domino using DirectoryAssistance and let users log in using their AD credentials in the first place.
If IIS is running on the AD server you could send an HTTP request using the Apache HttpClient (and basic authentication) and see what's coming back.
The best working Java libraries are listed in the Apache Directory project. There you would do an LDAP query (e.g. for the user herself).
Let us know which one works for you.
You can use JNDI to access Active Directory. There are a lot of resources on the web on how to do this; for example, have a look at http://mhimu.wordpress.com/2009/03/18/active-directory-authentication-using-javajndi/
You have tagged the question as XPages; do you want to do the authentication from inside Domino? In that case the Domino server could do the authentication.
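As an added example serving both this question (verifying a username and password against AD with JNDI) and the WebSphere question above (reading the user's name, e-mail and distinguished name once you do query LDAP), here is plain JNDI code against Active Directory. It is not code from the posts, the linked blog, or any of the projects mentioned. The LDAPS URL and base DN are placeholders. The detail worth seeing is in authenticate(): an empty password must be rejected before the bind, because LDAP treats a bind with an empty password as unauthenticated and AD answers it with success, so a naive "bind succeeded" check would accept any account with no password at all.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** JNDI against Active Directory: verify a user's credentials, then read name, mail and DN. Host and base DN are placeholders. */
public class AdJndiExample {

    static final String LDAPS_URL = "ldaps://dc.example.test:636"; // placeholder; LDAPS so the password is not sent in clear
    static final String BASE_DN = "DC=example,DC=test";             // placeholder

    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /**
     * True only if AD accepts a simple bind as user@domain with this password.
     * Empty credentials are refused up front: an empty password is an unauthenticated bind,
     * which AD reports as success, so without this check any account would "log in" with no password.
     * A wrong password is a false result; a DC that cannot be reached is a NamingException, not a false.
     */
    static boolean authenticate(String userPrincipalName, String password) throws NamingException {
        if (userPrincipalName == null || userPrincipalName.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        try {
            bind(userPrincipalName, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password, unknown user, disabled or locked account all land here
        }
    }

    /** Looks up displayName, mail and distinguishedName for a sAMAccountName using an already-bound context. */
    static String[] lookup(DirContext ctx, String samAccountName) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"displayName", "mail", "distinguishedName"});
        // Filter arguments passed as {0} are escaped by JNDI, so a name containing '*' or ')' cannot alter the filter.
        NamingEnumeration<SearchResult> results =
            ctx.search(BASE_DN, "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {samAccountName}, sc);
        try {
            if (!results.hasMore()) {
                return null;
            }
            Attributes a = results.next().getAttributes();
            return new String[] {value(a, "displayName"), value(a, "mail"), value(a, "distinguishedName")};
        } finally {
            results.close();
        }
    }

    private static String value(Attributes attrs, String name) throws NamingException {
        return attrs.get(name) == null ? null : (String) attrs.get(name).get();
    }

    public static void main(String[] args) throws NamingException {
        String upn = args[0];      // e.g. jdoe@example.test
        String password = args[1];
        if (!authenticate(upn, password)) {
            System.out.println("login rejected");
            return;
        }
        // In a container (WebSphere, Domino) the account name would come from request.getRemoteUser() instead;
        // here the user's own bind is reused for the lookup, so no separate service account is needed.
        DirContext ctx = bind(upn, password);
        try {
            String[] info = lookup(ctx, upn.substring(0, upn.indexOf('@')));
            System.out.println(info == null ? "user not found" : String.join(" | ", info));
        } finally {
            ctx.close();
        }
    }
}
```

Binding as the user rather than comparing a stored hash is the only supported way to check an AD password from outside Windows, which is why the answers keep pointing at LDAP; the lookup afterwards is the same search WebSphere cannot do for you from the JAAS subject.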

Liferay LDAP Auth not working as expected

I am using Liferay 6.1 CE and I have the following issue, related to the blog below.
Ref: http://www.liferay.com/web/jonas.yuan/blog/-/blogs/6583930
I am trying to do LDAP auth; I am not supposed to import the LDAP user password, and I would also like to use only LDAP as the auth source and not do Liferay auth a second time.
These are my settings in portal-ext.properties:
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.referral=follow
ldap.base.provider.url=ldap://localhost:10389
ldap.base.dn=dc=example,dc=com
ldap.security.principal=uid=admin,ou=system
ldap.security.credentials=secret
auth.pipeline.enable.liferay.check=false
ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method=bind
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.export.enabled=false
ldap.export.group.enabled=false
ldap.auth.search.filter=(mail=#email_address#)
ldap.user.mappings=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.import.user.search.filter=(objectClass=inetOrgPerson)
ldap.import.group.search.filter=(objectClass=groupOfUniqueNames)
ldap.password.policy.enabled=false
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
What is happening is, if I keep auth.pipeline.enable.liferay.check=false, then I am not able to log in even using the test@liferay.com user, since he is not in LDAP (other users are also not able to log in, due to the reason given in question 1 below). If I enable the property, then Liferay does a second validation after LDAP and it fails, since the password in LDAP is different from the local dummy password (test) due to the password-not-imported setting.
Also, I have 2 separate questions.
When I load the LDAP props using this property file, I can see them in the portalproperties table only after the test user logs in for the first time and goes to the control panel (LDAP page). If I don't do this, none of the other users are able to do LDAP auth (since the props file is not loaded into that portalproperties table).
Is there a way in Liferay so that I can do only LDAP auth and not create a Liferay user?
Almost two years late!! But in case any other people find this thread: Liferay always passes the Auth Pipeline and, if passed, always checks the password again against its database unless
auth.pipeline.enable.liferay.check=false
in portal.properties. In that case, independently of the password stored in the Liferay User_ table, the password would be checked only against the LDAP.
Sorry for being two years late!!
