I have three Active Directory servers with different addresses, ports, domain names and so on.
In my app, when a user logs in to the system, I have to authenticate him. The user provides only his username and password, not the domain name or IP address.
How can I authenticate him? Do I have to loop through all the LDAP servers and break as soon as I get a Context, or is there any other possible solution for authenticating a user against multiple servers?
Please suggest. Thanks in advance.
If the user gives his FDN or UPN (User Principal Name) instead of just a user name, it will be helpful. But still there is no guarantee that the UPN will match your realm name. If he gives the FDN, then at least you can cache the defaultNamingContext from all three servers, try to match it with the FDN provided by the user, and authenticate him against the matching server.
But I guess he is providing the sAMAccountName in your case. In this case we don't have any clue to identify the server. You have to go through them one by one, and probably cache which server he was authenticated against for a performance improvement next time. It's also possible that the same username exists in multiple ADs. You have to handle this case based on your AD environment.
As an additional note, if it's a web application, try using Spring's LdapTemplate. This might ease your task.
I am configuring Liferay with my organization's LDAP.
1. While configuring LDAP, I specify "ldap.security.principal" and "ldap.security.credentials" as my user id and password to authenticate against LDAP, and the test connection succeeds.
Are these mandatory attributes? In production, I will not be able to specify my own credentials in portal-ext.properties. Do I need a separate user created in LDAP to specify in portal-ext for production? I unfortunately do not have control over configuring LDAP as it's an org LDAP.
Any pointers would help. Thanks.
There are several use-cases where you need a privileged system account for accessing the LDAP database.
Authentication
There are two basic methods for authenticating against LDAP:
Do a BIND operation against LDAP - you need to know the user's DN
Do a password attribute comparison - you need to know the user's DN, the name of the attribute holding the password, and the attribute value encoding (e.g. plaintext, hashed, ...)
For both approaches you need to know the distinguished name of the target user:
Either you are able to construct the DN from the credentials (e.g. cn={screenName},ou=Users,o=MyOrg) - which is not supported by Liferay AFAIK;
or you need to do an LDAP SEARCH to find the right user DN... for that you need to have a system account.
Account Import & Export
Next to pulling user information right when the user authenticates, Liferay also offers LDAP import and export functionality. For obvious reasons you need a privileged system account to be able to search for users in LDAP and/or to write user entries.
TL;DR
The properties ldap.security.principal and ldap.security.credentials are mandatory (they can also be configured via the user interface). You will need a dedicated system account for Liferay in the LDAP for this.
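Added example in Java (not code from either answer above, nor Liferay's or Spring's own code) that covers both the "go through the servers one by one and cache the hit" approach from the first question and the search-then-bind flow described here: for each directory, a dedicated system account (the role the ldap.security.principal property plays in Liferay) runs an LDAP SEARCH for the user's DN, and only then is a BIND attempted with the user's password. Assumptions: the JNDI LDAP provider is available, users are found by sAMAccountName under a configured search base, and the class, record and method names are mine.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class MultiDirectoryAuthenticator {
    /** LDAP URL, search base and the dedicated system (service) account of one directory. */
    public record Directory(String url, String baseDn, String systemDn, String systemPassword) {}
    private final List<Directory> directories;
    private final Map<String, Directory> lastHit = Collections.synchronizedMap(new HashMap<>()); // user -> server
    public MultiDirectoryAuthenticator(List<Directory> dirs) { this.directories = List.copyOf(dirs); }

    private static DirContext bind(String url, String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Step 1: LDAP SEARCH via the system account; the username is a filter argument, never concatenated. */
    static String findDn(Directory d, String user) throws NamingException {
        DirContext sys = bind(d.url(), d.systemDn(), d.systemPassword());
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> r = sys.search(d.baseDn(), "(sAMAccountName={0})", new Object[]{user}, sc);
            if (!r.hasMore()) return null;
            String dn = r.next().getNameInNamespace();
            if (r.hasMore()) throw new NamingException("username not unique under " + d.baseDn());
            return dn;
        } finally { sys.close(); }
    }

    /** Step 2: BIND as the found DN. Returns the directory that accepted the credentials, if any. */
    public Optional<Directory> authenticate(String user, String password) {
        if (password == null || password.isEmpty()) return Optional.empty(); // empty password = anonymous bind
        List<Directory> order = new ArrayList<>(directories);
        Directory cached = lastHit.get(user);
        if (cached != null && order.remove(cached)) order.add(0, cached); // try the last known server first
        for (Directory d : order) {
            try {
                String dn = findDn(d, user);
                if (dn == null) continue; // unknown here, so no failed logon is recorded in this domain
                bind(d.url(), dn, password).close(); // throws AuthenticationException on a wrong password
                lastHit.put(user, d);
                return Optional.of(d);
            } catch (NamingException e) { /* wrong password, duplicate user or server down: try the next */ }
        }
        return Optional.empty();
    }
}
```

Searching before binding means a mistyped password is only ever tried against the directory that actually holds the account, so lockout counters in the other domains are not touched; the first directory that both knows the name and accepts the password wins, which is the policy choice the answer says depends on your AD environment.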
In my application, I use WebSphere single sign-on authentication. I want to retrieve the logged-in user's name, e-mail id and distinguished name. Almost all the solutions on Google use an LDAP server to retrieve the values. I want a solution that doesn't use LDAP, as I have already connected to Active Directory through WebSphere. Please help me with this.
The logged-on user is represented as a set of principals within a JAAS Subject. Information like user name or email is not present there and is not supposed to be. You have no option other than to query LDAP (Active Directory in your case).
A statement like "I have already connected to Active Directory" does not make much sense. Yes, the user is authenticated by WAS through AD, but this does not mean that any sort of persistent connection exists.
I'm in charge of maintaining a web application (it lives on a Tomcat server) which has two different access points, through two Apache HTTPD servers which are outside of my reach.
The two access points are meant to log users in either through a third-party SSO system or a good ol' authentication page which prompts for login and password.
The trick is, this SSO puts a limit on the size of files which can be uploaded or downloaded. As SSO users will need to retrieve and send things heavier than that, I need a workaround for this, most likely simply offering a link pointing to the correct resource location through the other server.
What concerns me here is security, in case someone enters a cleverly guessed address to get a document he's not supposed to. The person in charge doesn't want to hear about a SessionManager to make sure the user has the rights to retrieve the documents, but suggested that I could simply use their JSESSIONID to confirm their identity...
I am not sure how to implement this, and have a serious gut feeling that this will backfire in a quite horrible fashion.
Can anyone who has had to deal with a similar problem point out some of the pitfalls and possibly share a few useful tips on how to securely bypass this SSO?
One possible way to implement this is to protect the resources on the non-restricted site with a one-time password with a very short lifetime.
Example:
1. The user clicks on a link to open a document on the SSO-protected site. The link should not provide the document directly.
2. The Tomcat server generates a one-time password and redirects (using HTTP code 303) the user to the unrestricted site with this password as an HTTP parameter.
3. When the browser connects to the unrestricted site, check that the password is correct and provide the document. Delete the password so that it cannot be used again.
The password should only be valid for, say, 30 seconds. You may also record the user's IP address and validate that.
You should not use the JSESSIONID for this. It is not good practice to expose the JSESSIONID in a parameter on the address bar or in an HTML page.
However, you say that the other access point is protected by username and password. If so, won't the user have to log in there anyway? And if so, doesn't that login protect the resources?
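The three-step handoff above, as an added example in Java (not code from the answer or from the asker's application): the SSO-protected side issues a random, single-use token with a 30-second lifetime after it has checked the user's own session, and the unrestricted access point redeems it exactly once, optionally binding it to the client IP. It assumes both access points reach the same Tomcat instance so the in-memory map is shared; the class and method names are mine.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

/** Short-lived, single-use tokens that let the unrestricted site hand out one document once. */
public class OneTimeDownloadTokens {
    private record Grant(String documentId, String clientIp, Instant expiresAt) {}

    private static final Duration TTL = Duration.ofSeconds(30);
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Grant> grants = new ConcurrentHashMap<>();

    /** SSO side: call only after the user's own session has been checked for access to documentId. */
    public String issue(String documentId, String clientIp) {
        byte[] raw = new byte[32];                        // 256 random bits: not guessable, unlike a sequential id
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grants.put(token, new Grant(documentId, clientIp, Instant.now().plus(TTL)));
        return token;                                     // goes into the 303 Location as a query parameter
    }

    /** Unrestricted side: returns the document id the token grants, or null. The token is consumed either way. */
    public String redeem(String token, String clientIp) {
        if (token == null) return null;
        Grant g = grants.remove(token);                   // atomic: a second redeem of the same token finds nothing
        if (g == null) return null;                       // unknown, already used, or swept
        if (Instant.now().isAfter(g.expiresAt())) return null;
        if (!Objects.equals(g.clientIp(), clientIp)) return null; // optional IP check; can misfire behind NAT/proxies
        return g.documentId();
    }

    /** Housekeeping: drop expired grants so tokens that were never redeemed do not pile up. */
    public void sweep() {
        Instant now = Instant.now();
        grants.entrySet().removeIf(e -> now.isAfter(e.getValue().expiresAt()));
    }
}
```

The token is a separate secret generated for this one handoff, so the JSESSIONID never leaves the cookie; because it is consumed on first use and expires in 30 seconds, a copy that leaks through browser history or a Referer header is worthless almost immediately.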
If you provide a link pointing to the correct resource, we need to consider security.
https://www.owasp.org/index.php/Top_10_2010-A2
The most important things are XSS and CSRF, and solutions are provided on the above website.
Session hijacking can be another security threat if we provide a direct link which can directly access the resources.
The title may seem a little weird, but what I find around the internet are methods to sign on to things automatically with Windows domain authentication (single sign-on), and that is not what I want.
In my use case I want to explicitly ask the person to enter their Windows domain user/password combination to make sure that the person performing the transaction is the one that is authorized to do so, i.e. not someone who secretly makes use of the authorized person's computer while he/she is away and left their computer unlocked.
Note
I am working in Java.
I only want to authenticate a single transaction, no login session (if possible).
Only certain people should be authorized. (I believe this is done through roles in Active Directory?)
What I have used in the past is to authenticate against an LDAP server. Active Directory works as an LDAP server, so you should be able to authenticate against it. This can be used to verify the username/password combination.
I found this article showing how it works with Java.
I don't know if this question makes any sense, but this is what my boss wants.
I work in a company with an intranet web.
In my department we have developed an application which connects to a Business Objects server and executes and prints reports. This is a regular client/server app with our own user/password maintenance to log in.
My boss wants to remove our password maintenance and let the users log in using the intranet password; somehow the desktop app connects to the intranet (I don't know if it has a web service, but probably yes), makes the login and retrieves some kind of object that Business Objects can use to authenticate.
Can this be done? I know B.O. can use LDAP authentication if it's well configured, so that if I can verify the intranet password and redirect the same password to B.O., it can authenticate the user by itself.
The closest I have seen/created is to use the shared secret (ITrustedPrincipal) mechanism to authenticate the user against secEnterprise without knowing the true password of the user. The only gotcha with this login model is that the Universe Connection needs to not use the Business Objects credentials for connecting to the database.
The alternative is that LDAP can be used and is fairly easy to set up as an authentication method for logging into Business Objects and auto-adding users. The only caveat is that the LDAP groups need to be correctly such that the Business Objects groups that the LDAP groups associate to are set up correctly.
Probably you'll have to look at some kind of "Single Sign On" (SSO) and see if 1) your server can handle it, 2) your client can implement it.