To retrieve the logged-in user's Active Directory data from WebSphere - Java

In my application, I use WebSphere single sign-on authentication. I want to retrieve the logged-in user's name, e-mail ID and distinguished name. Almost all the solutions on Google use an LDAP server to retrieve the values. I want a solution that doesn't use LDAP, as I have already connected to Active Directory through WebSphere. Please help me with this.

The logged-on user is represented as a set of principals within the JAAS Subject. Information like user name or e-mail is not present there and is not supposed to be. You have no option other than querying LDAP (Active Directory in your case).
A statement like "I have already connected to Active Directory" does not make much sense. Yes, the user is authenticated by WAS through AD, but this does not mean that any sort of persistent connection exists.
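As an added example (not code from the question or the answer above), this is the LDAP query the answer says is unavoidable: given the account name the container already knows, fetch displayName, mail and distinguishedName from AD over JNDI. The server URL, search base and service account are placeholders; the account name is assumed to be the bare sAMAccountName as returned by HttpServletRequest.getUserPrincipal().getName() (a WAS realm prefix, if your configuration adds one, would have to be stripped first). The filter value is escaped so that a principal name cannot rewrite the search.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Reads displayName, mail and distinguishedName for an AD account over LDAP (JNDI). */
public class AdUserLookup {

    /** The three values the question asks for. */
    public static final class AdUser {
        public final String displayName, mail, distinguishedName;
        AdUser(String displayName, String mail, String distinguishedName) {
            this.displayName = displayName; this.mail = mail; this.distinguishedName = distinguishedName;
        }
        @Override public String toString() { return displayName + " <" + mail + "> " + distinguishedName; }
    }

    // Placeholder settings; the service account only needs read access to user objects.
    private final String ldapUrl, searchBase, serviceDn, servicePassword;

    public AdUserLookup(String ldapUrl, String searchBase, String serviceDn, String servicePassword) {
        this.ldapUrl = ldapUrl; this.searchBase = searchBase;
        this.serviceDn = serviceDn; this.servicePassword = servicePassword;
    }

    /** RFC 4515 escaping, so a name like "x)(objectClass=*" cannot rewrite the filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the user, or null when no account has that sAMAccountName. */
    public AdUser lookup(String sAMAccountName) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);          // ldaps:// so the bind password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);

        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[] {"displayName", "mail", "distinguishedName"});
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(sAMAccountName) + "))";

            NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, controls);
            if (!hasMore(results)) return null;
            Attributes attrs = results.next().getAttributes();
            if (hasMore(results)) {    // sAMAccountName is unique within a domain; a second hit means a bad base
                throw new NamingException("more than one entry for sAMAccountName " + sAMAccountName);
            }
            return new AdUser(first(attrs, "displayName"), first(attrs, "mail"), first(attrs, "distinguishedName"));
        } finally {
            ctx.close();
        }
    }

    /** A subtree search from the domain root ends with referrals to other partitions; treat that as "no more". */
    private static boolean hasMore(NamingEnumeration<SearchResult> results) throws NamingException {
        try { return results.hasMore(); } catch (PartialResultException referrals) { return false; }
    }

    private static String first(Attributes attrs, String name) throws NamingException {
        Attribute a = attrs.get(name);
        return a == null ? null : (String) a.get();
    }

    public static void main(String[] args) throws NamingException {
        // Hypothetical environment; in a WAS servlet the name comes from request.getUserPrincipal().getName()
        AdUserLookup lookup = new AdUserLookup("ldaps://dc01.example.corp:636", "DC=example,DC=corp",
                "CN=svc-lookup,OU=Service Accounts,DC=example,DC=corp", System.getenv("LDAP_SVC_PASSWORD"));
        System.out.println(lookup.lookup(args.length > 0 ? args[0] : "jdoe"));
    }
}
```

The service account is a second credential to protect: keep it read-only, bind over LDAPS, and do not reuse the application's own WAS bind account for ad-hoc queries.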

Related

Java - Active Directory and LDAP password properties

I'm using a program that correctly adds a user to AD using the LDAP protocol.
I noticed that there are some properties about the password. There are userPassword, which stores the password in clear, and unicodePwd, which accepts an encoded password.
I'm working on a project where a lot of users were created by the admin in AD, using the Windows Server administration tool. But what surprises me more is that these users have passwords and the app works fine with the login... but BOTH properties are empty! So, where are the passwords?
In Java I have to add the passwords in the same way, but I cannot figure out how to approach the problem, because I don't know where those users' passwords are stored.
Any ideas?
You cannot read a password from AD. There is special logic in the directory to handle writes to those attributes, but there is no read capability. They will always appear to be null.
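An added example (not the asker's program and not from the answer) of the write side the answer describes: the value AD expects in unicodePwd is the password wrapped in double quotes and encoded as UTF-16LE, it must be written over LDAPS, and an administrative reset (one REPLACE) differs from a self-service change (REMOVE the old value and ADD the new one in a single modify). Server and DNs are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Writes an AD password through unicodePwd, the write-only attribute the answer refers to. */
public class AdPasswordWriter {

    /** AD accepts unicodePwd only as the password wrapped in double quotes and encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Administrative reset: a single REPLACE, done by an account holding "Reset password" rights. */
    public static void resetPassword(String ldapsUrl, String adminDn, String adminPassword,
                                     String userDn, String newPassword) throws NamingException {
        DirContext ctx = connect(ldapsUrl, adminDn, adminPassword);
        try {
            ctx.modifyAttributes(userDn, new ModificationItem[] {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                     new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
            });
        } finally {
            ctx.close();
        }
    }

    /** Self-service change: the user binds with the old password; AD sees REMOVE old + ADD new in one operation. */
    public static void changeOwnPassword(String ldapsUrl, String userDn,
                                         String oldPassword, String newPassword) throws NamingException {
        DirContext ctx = connect(ldapsUrl, userDn, oldPassword);
        try {
            ctx.modifyAttributes(userDn, new ModificationItem[] {
                new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                                     new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
                new ModificationItem(DirContext.ADD_ATTRIBUTE,
                                     new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
            });
        } finally {
            ctx.close();
        }
    }

    /** AD rejects unicodePwd writes on a plaintext connection, so only ldaps:// URLs are allowed here. */
    private static DirContext connect(String url, String bindDn, String password) throws NamingException {
        if (!url.startsWith("ldaps://")) {
            throw new IllegalArgumentException("unicodePwd must be written over LDAPS, got " + url);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    public static void main(String[] args) throws NamingException {
        // Hypothetical server and DNs; the service-account secret comes from the environment, not the source.
        resetPassword("ldaps://dc01.example.corp:636",
                      "CN=svc-pwreset,OU=Service Accounts,DC=example,DC=corp", System.getenv("PWRESET_PASSWORD"),
                      "CN=John Doe,OU=Users,DC=example,DC=corp", args.length > 0 ? args[0] : "Tmp-Passw0rd!");
    }
}
```

Reading the entry back afterwards still shows no unicodePwd, exactly as the answer says. One further step the asker's "add a user" flow needs: an account created without a password is disabled, so after writing unicodePwd set userAccountControl to 512 (NORMAL_ACCOUNT) to enable it.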

Multiple Active Directory server authentication using Java

I have three Active Directory servers, each with a different address, port and domain name.
In my app, when a user logs in to the system I have to authenticate him. The user provides only his username and password, not the domain name or IP address.
How can I authenticate him? Do I have to loop through all the LDAP servers and break when I get the Context, or is there any other possible solution for authenticating a user against multiple servers?
Please suggest. Thanks in advance.
If the user gives his FDN or UPN (User Principal Name) instead of just a user name, it will be helpful. But still there is no guarantee that the UPN will match your realm name. If he gives the FDN then at least you can cache defaultNamingContext from all three servers, try to match it with the FDN provided by the user, and authenticate him against the matching server.
But I guess he is providing the sAMAccountName in your case. In this case we don't have any clue to identify the server. You have to go through them one by one, and probably cache which server he was authenticated against to improve performance next time. It's also possible that the same username exists in multiple ADs. You have to handle this case based on your AD environment.
As an additional note, if it's a web application, try using Spring's LdapTemplate. This might ease your task.
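An added example (not from the answer) of the strategy it sketches, in plain JNDI: read and cache defaultNamingContext from each server's RootDSE, use it to route a DN to its own domain and to build an implicit UPN (user@dnsdomain) for a bare sAMAccountName, try the cached server first, and report every server that accepts the credentials so the caller can deal with a name that exists in more than one domain. The server URLs are placeholders.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Authenticates one login against several AD domains and caches which domain answered. */
public class MultiDomainAuthenticator {

    public static final class Server {
        public final String url;                 // placeholder, e.g. "ldaps://dc.corp-a.example:636"
        volatile String defaultNamingContext;    // read once from the RootDSE, e.g. "DC=corp-a,DC=example"
        Server(String url) { this.url = url; }
    }

    private final List<Server> servers = new ArrayList<>();
    /** login -> server that accepted it last time. Only a hint about where to try first. */
    private final Map<String, Server> lastAccepted = new ConcurrentHashMap<>();

    public MultiDomainAuthenticator(List<String> urls) {
        for (String url : urls) servers.add(new Server(url));
    }

    private static Hashtable<String, String> env(String url) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        return env;
    }

    /** RootDSE attribute, which AD serves without credentials; cached per server. */
    static String namingContext(Server s) throws NamingException {
        if (s.defaultNamingContext == null) {
            Hashtable<String, String> env = env(s.url);
            env.put(Context.SECURITY_AUTHENTICATION, "none");
            DirContext ctx = new InitialDirContext(env);
            try {
                s.defaultNamingContext = (String) ctx.getAttributes("", new String[] {"defaultNamingContext"})
                                                     .get("defaultNamingContext").get();
            } finally {
                ctx.close();
            }
        }
        return s.defaultNamingContext;
    }

    /** "DC=corp-a,DC=example" -> "corp-a.example", the UPN suffix every account in that domain can bind with. */
    static String dnsDomain(String namingContext) {
        StringBuilder sb = new StringBuilder();
        for (String rdn : namingContext.split(",")) {
            String t = rdn.trim();
            if (t.length() > 3 && t.substring(0, 3).equalsIgnoreCase("DC=")) {
                if (sb.length() > 0) sb.append('.');
                sb.append(t.substring(3));
            }
        }
        return sb.toString();
    }

    /** Simple bind. An empty password is an anonymous bind that AD "accepts", so it is refused up front. */
    static boolean bind(Server s, String principal, char[] password) {
        if (password == null || password.length == 0) return false;
        Hashtable<String, String> env = env(s.url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (AuthenticationException wrong) {
            return false;
        } catch (NamingException unreachable) {
            return false;   // the server, not the user, failed: log it and consider retrying elsewhere
        }
    }

    /** The principal to send to this server, or null if the login cannot belong there. */
    static String principalFor(Server s, String login) throws NamingException {
        if (login.contains("@")) return login;                                   // UPN: send as typed
        if (login.contains("=")) {                                               // DN: only its own domain
            return login.toUpperCase().endsWith(namingContext(s).toUpperCase()) ? login : null;
        }
        return login + "@" + dnsDomain(namingContext(s));                        // sAMAccountName: implicit UPN
    }

    /**
     * Every server that accepted the credentials. If the cached server accepts, it is returned alone without
     * asking the others; otherwise all are tried, and more than one hit means the same name exists in several
     * domains, a case the caller has to resolve for its own environment.
     */
    public List<Server> authenticate(String login, char[] password) throws NamingException {
        Server hint = lastAccepted.get(login);
        if (hint != null) {
            String p = principalFor(hint, login);
            if (p != null && bind(hint, p, password)) return Collections.singletonList(hint);
        }
        List<Server> accepted = new ArrayList<>();
        for (Server s : servers) {
            String p = principalFor(s, login);
            if (p != null && bind(s, p, password)) accepted.add(s);
        }
        if (accepted.size() == 1) lastAccepted.put(login, accepted.get(0));
        else lastAccepted.remove(login);
        return accepted;
    }
}
```

The cache is a performance hint only: the password is still verified by a bind on every call, and the hint is dropped as soon as the login is ambiguous or rejected.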

Using Windows domain authentication for authentication

The title may seem a little weird, but what I find around the internet are methods to sign on to things automatically with Windows domain authentication (Single Sign-On), and that is not what I want.
In my use case I want to explicitly ask the person to enter their Windows domain user/password combination to make sure that the person performing the transaction is the one who is authorized to do so, i.e. not someone who secretly makes use of the authorized person's computer while he/she is away and has left the computer unlocked.
Note
I am working in Java.
I only want to authenticate a single transaction, no login session (if possible).
Only certain people should be authorized. (I believe this is done through roles in Active Directory?)
What I have used in the past is to authenticate against an LDAP server. Active Directory works as an LDAP server, so you should be able to authenticate against it. This can be used to verify the username/password combination.
I found this article showing how it works with Java.
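An added example (not the article the answer links, nor the answer's own code) that does exactly the per-transaction check the asker wants: bind to AD as the person with the password they just typed, then, on that same connection, ask whether their account is a direct or nested member of the group that is allowed to approve the transaction. No session or token is created; the password is wiped afterwards. The group membership test uses AD's LDAP_MATCHING_RULE_IN_CHAIN so nested groups count, the filter is parameterised so typed input cannot change it, and the login is assumed to be a UPN (user@domain). Server, base and group DN are placeholders.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Re-authenticates a person for one transaction and checks AD group membership; nothing is kept afterwards. */
public class TransactionAuthorizer {

    /** AD's LDAP_MATCHING_RULE_IN_CHAIN: memberOf evaluated through nested groups. */
    private static final String IN_CHAIN = "1.2.840.113556.1.4.1941";

    private final String ldapsUrl, searchBase, authorizedGroupDn;   // placeholders supplied by the caller

    public TransactionAuthorizer(String ldapsUrl, String searchBase, String authorizedGroupDn) {
        this.ldapsUrl = ldapsUrl; this.searchBase = searchBase; this.authorizedGroupDn = authorizedGroupDn;
    }

    /**
     * true only when AD accepts the UPN/password pair AND that account is a direct or nested member of the
     * authorised group. Every failure returns false; the caller learns nothing about which check failed.
     */
    public boolean authorize(String upn, char[] password) {
        if (upn == null || password == null || password.length == 0) return false; // empty = anonymous bind
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                 // the bind itself is the password check
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            // {0}/{1} are escaped by JNDI, so neither the typed name nor the group DN can alter the filter.
            String filter = "(&(objectClass=user)(userPrincipalName={0})(memberOf:" + IN_CHAIN + ":={1}))";
            NamingEnumeration<SearchResult> hits =
                ctx.search(searchBase, filter, new Object[] {upn, authorizedGroupDn}, sc);
            return hits.hasMore();                            // the entry comes back only if the user is in the group
        } catch (AuthenticationException wrongCredentials) {
            return false;
        } catch (NamingException directoryProblem) {
            return false;                                     // fail closed; log this for the operator
        } finally {
            Arrays.fill(password, '\0');                      // do not keep the password in memory
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) {} }
        }
    }

    public static void main(String[] args) {
        // Hypothetical values: the group whose members may approve the transaction.
        TransactionAuthorizer auth = new TransactionAuthorizer("ldaps://dc01.example.corp:636",
                "DC=example,DC=corp", "CN=Transaction Approvers,OU=Groups,DC=example,DC=corp");
        char[] pw = System.console() != null ? System.console().readPassword("Password: ") : new char[0];
        System.out.println(auth.authorize(args.length > 0 ? args[0] : "jdoe@example.corp", pw)
                           ? "authorized" : "denied");
    }
}
```

Two details matter for the asker's threat model. The empty-password check is not cosmetic: by default AD treats a simple bind with a name and an empty password as an anonymous bind and reports success, which would let anyone at the unlocked workstation pass. And the bind must go over LDAPS, otherwise the very password the check is meant to protect crosses the network in clear.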

Restrict a user to a single session in a Google account

Is it possible to force Google to create only one session for a single user?
I have created services in GAE that use Google ID to authenticate users.
Now a single user is creating multiple sessions from multiple PCs by sharing his username/password. I want to restrict this.
In simple language: after a successful login the application should sign out all other sessions for this user.
In Gmail there is a link at the bottom of the page by the name "last activity details". On clicking "details" it shows current sessions and also gives the option to log out other sessions. I want the same functionality programmatically.
There is one more option: before logging in, detect whether the user is already logged on?
Have a look at this:
http://mail.google.com/support/bin/answer.py?ctx=%67mail&answer=45938
See "Concurrent sessions".
If this information can be accessed somehow, I can take appropriate action.
It's certainly possible.
If you're using Google Accounts for authentication, a user logs in by posting their credentials to Google, and Google returns an authentication token to your site which is then stored as a cookie in the user's browser. The token is good until the cookie expires (24 hours by default) or until the user logs out.
If you want to track multiple login sessions, you can write handlers designed to run after login or logout. If your normal post-login return URL is "/do_stuff", you might change this to "/finish_login?next=%2Fdo_stuff". In that handler you could create an entity in the datastore representing the session, with a reference to the Google Account, the IP address that logged in, and the login timestamp (current timestamp). You can write the session entity key to another cookie in the user's browser. After you're done, redirect to the "next" URL.
After logout you can have a similar handler that checks for the session entity key cookie, deletes the entity, and deletes the cookie.
If you want to show the user that they are logged in from multiple locations, query for session entities associated with their Google Account that are less than 24 hours old (or whatever your cookie expiration is set to).
If you want to remotely log out another session, you might need to write your own version of the login_required decorator that Google offers in webapp.util. Your version would need to verify that the user is logged in, verify that they sent a session key cookie, and verify that the associated entity still exists and is owned by the correct account.
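The bookkeeping the answer above describes, as an added example written in Java rather than the answer's Python/webapp setting and not code from the answer. The in-memory map stands in for the Datastore entities; the account identifier is assumed to be whatever your Google Accounts integration gives you as a stable user id; the handler names (/finish_login, /logout) are the answer's. The important piece is the last method: once you revoke a session entity, Google's own login cookie is still valid, so every protected request must be checked against the registry, exactly as the answer says your own login_required must do.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** One record per completed login, so the other logins of the same account can be listed and revoked. */
public class LoginSessionRegistry {

    public static final class Session {
        public final String key;        // random value stored in the session cookie
        public final String account;    // stable Google Account user id (assumed)
        public final String remoteIp;
        public final Instant loggedIn;
        Session(String key, String account, String remoteIp, Instant loggedIn) {
            this.key = key; this.account = account; this.remoteIp = remoteIp; this.loggedIn = loggedIn;
        }
    }

    private final Map<String, Session> store = new ConcurrentHashMap<>(); // stand-in for Datastore entities
    private final SecureRandom random = new SecureRandom();
    private final Duration cookieLifetime;   // 24 hours by default, matching the Google auth cookie
    private final Clock clock;

    public LoginSessionRegistry(Duration cookieLifetime, Clock clock) {
        this.cookieLifetime = cookieLifetime; this.clock = clock;
    }

    /** /finish_login?next=...: record the login; the returned key becomes the session cookie. */
    public Session finishLogin(String account, String remoteIp) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);                                          // unguessable, so a key can't be forged
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Session s = new Session(key, account, remoteIp, clock.instant());
        store.put(key, s);
        return s;
    }

    /** /logout: delete the entity named by the cookie; the handler then clears the cookie. */
    public boolean logout(String key) {
        return key != null && store.remove(key) != null;
    }

    /** Logins of this account that are still inside the cookie lifetime ("where am I logged in?"). */
    public List<Session> activeSessions(String account) {
        Instant cutoff = clock.instant().minus(cookieLifetime);
        List<Session> out = new ArrayList<>();
        for (Session s : store.values()) {
            if (s.account.equals(account) && !s.loggedIn.isBefore(cutoff)) out.add(s);
        }
        return out;
    }

    /** "Sign out all other sessions": revoke every login of the account except the one making the request. */
    public int logoutOthers(String account, String keepKey) {
        int revoked = 0;
        for (Session s : activeSessions(account)) {
            if (!s.key.equals(keepKey) && store.remove(s.key) != null) revoked++;
        }
        return revoked;
    }

    /** The asker's policy: a new login evicts every earlier one. */
    public Session loginExclusively(String account, String remoteIp) {
        Session s = finishLogin(account, remoteIp);
        logoutOthers(account, s.key);
        return s;
    }

    /**
     * What the custom login_required must check on every protected request: Google says this account is
     * logged in, the request carries a session key, the entity still exists, belongs to that account and is
     * not older than the cookie lifetime. Google's cookie alone proves nothing once the entity is gone.
     */
    public boolean isValid(String account, String key) {
        if (account == null || key == null) return false;
        Session s = store.get(key);
        return s != null && s.account.equals(account)
            && !s.loggedIn.isBefore(clock.instant().minus(cookieLifetime));
    }
}
```

Taking a Clock in the constructor is what makes the expiry logic testable offline; in production pass Clock.systemUTC(). A session key in a cookie should also be marked HttpOnly and Secure, which is the web framework's job rather than this class's.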
There is nothing that prevents you from storing login details in the Google App Engine Datastore service.
As a consequence, you can store all login details for a user in its associated object. I would say there is no difference between GAE and a traditional web application, except that you'll store login info in the database instead of letting your web front-end handle it.

Java: Can a desktop app log in to a web app and retrieve a "session" object to authenticate itself to other apps which trust the web app?

I don't know if this question makes any sense, but this is what my boss wants.
I work in a company with an intranet web.
In my department we have developed an application which connects to a Business Objects server and executes and prints reports. This is a regular client/server app with our own user/password maintenance to log in.
My boss wants to remove our password maintenance and let the users log in using the intranet password; somehow the desktop app would connect to the intranet (I don't know if it has a web service, but probably yes), perform the login and retrieve some kind of object that Business Objects can use to authenticate.
Can this be done? I know the B.O. server can use LDAP authentication if it's well configured, so if I can verify the intranet password and pass the same password on to B.O. it can authenticate the user by itself.
The closest I have seen/created is to use the shared-secret (ITrustedPrincipal) mechanism to authenticate the user against secEnterprise without knowing the user's true password. The only gotcha with this login model is that the Universe connection must not use the Business Objects credentials for connecting to the database.
The alternative is LDAP, which is fairly easy to set up as an authentication method for logging in to Business Objects and auto-adding users. The only caveat is that the LDAP groups need to be set up correctly, so that the Business Objects groups the LDAP groups map to are set up correctly.
Probably you'll have to look at some kind of "Single Sign-On" (SSO) and see if 1) your server can handle it, 2) your client can implement it.
