We logon users to Active Directory via LDAP using the Java LDAP API. We want to enhance our logon functionality to further check if the user is in a given AD group. Does anyone know how to do this?
Current code:
import javax.naming.*;
import javax.naming.ldap.*;
LdapContext ctx = null;
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.PROVIDER_URL, Config.get("ldap-url"));
try {
Control[] connCtls = new Control[] {new FastBindConnectionControl()};
ctx = new InitialLdapContext(env, connCtls);
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "DOMAIN\\" + username);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
ctx.reconnect(connCtls);
/* TODO: Only return true if user is in group "ABC" */
return true; //User authenticated
} catch (Exception e) {
return false; //User could NOT be authenticated
} finally {
...
}
Update: See the solution below.
We solved this with the class below. Just call the authenticate method:
import java.text.MessageFormat;
import java.util.*;
import javax.naming.*;
import org.apache.log4j.Level;
public class LdapGroupAuthenticator {
public static final String DISTINGUISHED_NAME = "distinguishedName";
public static final String CN = "cn";
public static final String MEMBER = "member";
public static final String MEMBER_OF = "memberOf";
public static final String SEARCH_BY_SAM_ACCOUNT_NAME = "(SAMAccountName={0})";
public static final String SEARCH_GROUP_BY_GROUP_CN = "(&(objectCategory=group)(cn={0}))";
/*
* Prepares and returns CN that can be used for AD query
* e.g. Converts "CN=**Dev - Test Group" to "**Dev - Test Group"
* Converts CN=**Dev - Test Group,OU=Distribution Lists,DC=DOMAIN,DC=com to "**Dev - Test Group"
*/
public static String getCN(String cnName) {
if (cnName != null && cnName.toUpperCase().startsWith("CN=")) {
cnName = cnName.substring(3);
}
int position = cnName.indexOf(',');
if (position == -1) {
return cnName;
} else {
return cnName.substring(0, position);
}
}
public static boolean isSame(String target, String candidate) {
if (target != null && target.equalsIgnoreCase(candidate)) {
return true;
}
return false;
}
public static boolean authenticate(String domain, String username, String password) {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://1.2.3.4:389");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, domain + "\\" + username);
env.put(Context.SECURITY_CREDENTIALS, password);
DirContext ctx = null;
String defaultSearchBase = "DC=DOMAIN,DC=com";
String groupDistinguishedName = "DN=CN=DLS-APP-MyAdmin-C,OU=DLS File Permissions,DC=DOMAIN,DC=com";
try {
ctx = new InitialDirContext(env);
// userName is SAMAccountName
SearchResult sr = executeSearchSingleResult(ctx, SearchControls.SUBTREE_SCOPE, defaultSearchBase,
MessageFormat.format( SEARCH_BY_SAM_ACCOUNT_NAME, new Object[] {username}),
new String[] {DISTINGUISHED_NAME, CN, MEMBER_OF}
);
String groupCN = getCN(groupDistinguishedName);
HashMap processedUserGroups = new HashMap();
HashMap unProcessedUserGroups = new HashMap();
// Look for and process memberOf
Attribute memberOf = sr.getAttributes().get(MEMBER_OF);
if (memberOf != null) {
for ( Enumeration e1 = memberOf.getAll() ; e1.hasMoreElements() ; ) {
String unprocessedGroupDN = e1.nextElement().toString();
String unprocessedGroupCN = getCN(unprocessedGroupDN);
// Quick check for direct membership
if (isSame (groupCN, unprocessedGroupCN) && isSame (groupDistinguishedName, unprocessedGroupDN)) {
Log.info(username + " is authorized.");
return true;
} else {
unProcessedUserGroups.put(unprocessedGroupDN, unprocessedGroupCN);
}
}
if (userMemberOf(ctx, defaultSearchBase, processedUserGroups, unProcessedUserGroups, groupCN, groupDistinguishedName)) {
Log.info(username + " is authorized.");
return true;
}
}
Log.info(username + " is NOT authorized.");
return false;
} catch (AuthenticationException e) {
Log.info(username + " is NOT authenticated");
return false;
} catch (NamingException e) {
throw new SystemException(e);
} finally {
if (ctx != null) {
try {
ctx.close();
} catch (NamingException e) {
throw new SystemException(e);
}
}
}
}
public static boolean userMemberOf(DirContext ctx, String searchBase, HashMap processedUserGroups, HashMap unProcessedUserGroups, String groupCN, String groupDistinguishedName) throws NamingException {
HashMap newUnProcessedGroups = new HashMap();
for (Iterator entry = unProcessedUserGroups.keySet().iterator(); entry.hasNext();) {
String unprocessedGroupDistinguishedName = (String) entry.next();
String unprocessedGroupCN = (String)unProcessedUserGroups.get(unprocessedGroupDistinguishedName);
if ( processedUserGroups.get(unprocessedGroupDistinguishedName) != null) {
Log.info("Found : " + unprocessedGroupDistinguishedName +" in processedGroups. skipping further processing of it..." );
// We already traversed this.
continue;
}
if (isSame (groupCN, unprocessedGroupCN) && isSame (groupDistinguishedName, unprocessedGroupDistinguishedName)) {
Log.info("Found Match DistinguishedName : " + unprocessedGroupDistinguishedName +", CN : " + unprocessedGroupCN );
return true;
}
}
for (Iterator entry = unProcessedUserGroups.keySet().iterator(); entry.hasNext();) {
String unprocessedGroupDistinguishedName = (String) entry.next();
String unprocessedGroupCN = (String)unProcessedUserGroups.get(unprocessedGroupDistinguishedName);
processedUserGroups.put(unprocessedGroupDistinguishedName, unprocessedGroupCN);
// Fetch Groups in unprocessedGroupCN and put them in newUnProcessedGroups
NamingEnumeration ns = executeSearch(ctx, SearchControls.SUBTREE_SCOPE, searchBase,
MessageFormat.format( SEARCH_GROUP_BY_GROUP_CN, new Object[] {unprocessedGroupCN}),
new String[] {CN, DISTINGUISHED_NAME, MEMBER_OF});
// Loop through the search results
while (ns.hasMoreElements()) {
SearchResult sr = (SearchResult) ns.next();
// Make sure we're looking at correct distinguishedName, because we're querying by CN
String userDistinguishedName = sr.getAttributes().get(DISTINGUISHED_NAME).get().toString();
if (!isSame(unprocessedGroupDistinguishedName, userDistinguishedName)) {
Log.info("Processing CN : " + unprocessedGroupCN + ", DN : " + unprocessedGroupDistinguishedName +", Got DN : " + userDistinguishedName +", Ignoring...");
continue;
}
Log.info("Processing for memberOf CN : " + unprocessedGroupCN + ", DN : " + unprocessedGroupDistinguishedName);
// Look for and process memberOf
Attribute memberOf = sr.getAttributes().get(MEMBER_OF);
if (memberOf != null) {
for ( Enumeration e1 = memberOf.getAll() ; e1.hasMoreElements() ; ) {
String unprocessedChildGroupDN = e1.nextElement().toString();
String unprocessedChildGroupCN = getCN(unprocessedChildGroupDN);
Log.info("Adding to List of un-processed groups : " + unprocessedChildGroupDN +", CN : " + unprocessedChildGroupCN);
newUnProcessedGroups.put(unprocessedChildGroupDN, unprocessedChildGroupCN);
}
}
}
}
if (newUnProcessedGroups.size() == 0) {
Log.info("newUnProcessedGroups.size() is 0. returning false...");
return false;
}
// process unProcessedUserGroups
return userMemberOf(ctx, searchBase, processedUserGroups, newUnProcessedGroups, groupCN, groupDistinguishedName);
}
private static NamingEnumeration executeSearch(DirContext ctx, int searchScope, String searchBase, String searchFilter, String[] attributes) throws NamingException {
// Create the search controls
SearchControls searchCtls = new SearchControls();
// Specify the attributes to return
if (attributes != null) {
searchCtls.setReturningAttributes(attributes);
}
// Specify the search scope
searchCtls.setSearchScope(searchScope);
// Search for objects using the filter
NamingEnumeration result = ctx.search(searchBase, searchFilter,searchCtls);
return result;
}
private static SearchResult executeSearchSingleResult(DirContext ctx, int searchScope, String searchBase, String searchFilter, String[] attributes) throws NamingException {
NamingEnumeration result = executeSearch(ctx, searchScope, searchBase, searchFilter, attributes);
SearchResult sr = null;
// Loop through the search results
while (result.hasMoreElements()) {
sr = (SearchResult) result.next();
break;
}
return sr;
}
}
None of above code snippets didn't worked for me. After 1 day spending on Google and tomcat source following code worked well to find user groups.
import java.util.Hashtable;
import javax.naming.CompositeName;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NameParser;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class MemberOfTest{
private static final String contextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
private static final String connectionURL = "ldap://HOST:PORT";
private static final String connectionName = "CN=Query,CN=Users,DC=XXX,DC=XX";
private static final String connectionPassword = "XXX";
// Optioanl
private static final String authentication = null;
private static final String protocol = null;
private static String username = "XXXX";
private static final String MEMBER_OF = "memberOf";
private static final String[] attrIdsToSearch = new String[] { MEMBER_OF };
public static final String SEARCH_BY_SAM_ACCOUNT_NAME = "(sAMAccountName=%s)";
public static final String SEARCH_GROUP_BY_GROUP_CN = "(&(objectCategory=group)(cn={0}))";
private static String userBase = "DC=XXX,DC=XXX";
public static void main(String[] args) throws NamingException {
Hashtable<String, String> env = new Hashtable<String, String>();
// Configure our directory context environment.
env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
env.put(Context.PROVIDER_URL, connectionURL);
env.put(Context.SECURITY_PRINCIPAL, connectionName);
env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
if (authentication != null)
env.put(Context.SECURITY_AUTHENTICATION, authentication);
if (protocol != null)
env.put(Context.SECURITY_PROTOCOL, protocol);
InitialDirContext context = new InitialDirContext(env);
String filter = String.format(SEARCH_BY_SAM_ACCOUNT_NAME, username);
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
constraints.setReturningAttributes(attrIdsToSearch);
NamingEnumeration results = context.search(userBase, filter,constraints);
// Fail if no entries found
if (results == null || !results.hasMore()) {
System.out.println("No result found");
return;
}
// Get result for the first entry found
SearchResult result = (SearchResult) results.next();
// Get the entry's distinguished name
NameParser parser = context.getNameParser("");
Name contextName = parser.parse(context.getNameInNamespace());
Name baseName = parser.parse(userBase);
Name entryName = parser.parse(new CompositeName(result.getName())
.get(0));
// Get the entry's attributes
Attributes attrs = result.getAttributes();
Attribute attr = attrs.get(attrIdsToSearch[0]);
NamingEnumeration e = attr.getAll();
System.out.println("Member of");
while (e.hasMore()) {
String value = (String) e.next();
System.out.println(value);
}
}
}
The easiest way is with 'lookup': (to open an Ldap Context: look above examples)
/**
* Tests if an Active Directory user exists in an Active Directory group.
* #param ctx LDAP Context.
* #param dnADGroup distinguishedName of group.
* #param dnADUser distinguishedName of user.
* #return True if user is member of group.
*/
public static boolean isMemberOfADGroup(LdapContext ctx, String dnADGroup, String dnADUser) {
try {
DirContext lookedContext = (DirContext) (ctx.lookup(dnADGroup));
Attribute attrs = lookedContext.getAttributes("").get("member");
for (int i = 0; i < attrs.size(); i++) {
String foundMember = (String) attrs.get(i);
if(foundMember.equals(dnADUser)) {
return true;
}
}
} catch (NamingException ex) {
String msg = "There has been an error trying to determin a group membership for AD user with distinguishedName: "+dnADUser;
System.out.println(msg);
ex.printStackTrace();
}
return false;
}
LDAP lookup methods of finding whether a user is a member of a group are not correct, especially if you're talking about a logged on user. For a user that's actually logged on the list of groups varies depending on which computer the user logged on. That list needs to include groups from domain trusts, nested groups and local groups.
If you're looking for group memberships of the currently logged on user or a user that you're logging on with a username and password in Java, try Waffle.
IWindowsAuthProvider prov = new WindowsAuthProviderImpl();
IWindowsIdentity identity = prov.logonUser("username", "password");
System.out.println("User identity: " + identity.getFqn());
for(IWindowsAccount group : identity.getGroups()) {
System.out.println(" " + group.getFqn() + " (" + group.getSidString() + ")");
}
Following up on Sundaramurthi's answer, it could be done even more straightforward way, where you don't query for all the user's group:
(&(objectClass=user)(sAMAccountName=XXXX)(memberOf=CN=YYY,OU=_Common-Access,OU=Groups,OU=_CORP,DC=XXX,DC=XX))
where
XXXX - user name
XXX.XX - domain name
YYY - group name
This lets you to just get an answer whether user is in a group or not.
So just do:
String userBase = "DC=XXX,DC=XX";
String CHECK_IF_USER_IN_GROUP = "(&(objectClass=user)(sAMAccountName=%s)(memberOf=CN=%s,OU=...,OU=...,OU=...,%s))";
String queryFilter = String.format(CHECK_IF_USER_IN_GROUP, user, group, userBase);
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration results = context.search(userBase, queryFilter, constraints);
if (results == null) {
throw new Exception("No answer from LDAP");
}
if (!results.hasMore()) {
System.out.println("No result found");
// user is not in the group
}
// user is in the group
Not sure about Java API specifics, but the generic way of doing this is adding a group check to the query/binding.
I can't give you a working code using java naming ldap.
I used Spring LDAP, and the way you do it:
Get the User object, do a search on the username something like sAMAccountName=USERNAME
After you get the object you retreive the property memberOf -> this will be a list and check for a specific one in Java.
That is the only way I could think of.
To query if a user belongs to a given group once you have established a connection you can query using either member or memberOf attribute in Active Directory.
Using memberOf Attribute :
filter used : (&(Group Member Attribute=Group DN)(objectClass=Group Object class))
Ex : (&(memberOf=CN=group,ou=qa_ou,dc=ppma,dc=org)(objectClass=group))
Using member Attribute :
filter used : (&(Group Member Attribute=User DN)(objectClass=Group Object class))
Ex : (&(member=CN=user,ou=qa_ou,dc=ppma,dc=org)(objectClass=group))
Unfortunately the answer varies with installations of AD as well as other types of LDAP server.
We had to solve the same problem. In the end we allowed the system administrator to provide us with an LDAP query-pattern where we substitute the user name (and group name if that needs to be variable too) into the pattern.
I found this useful:
retrieves-group-membership for Active Directory
And I have this piece of working code:
import java.util.Hashtable;
import javax.naming.CompositeName;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.NameParser;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
public class TestAD1 {
private static String userBase = "DC=SomeName,DC=SomeName,DC=SomeName,DC=SomeName,DC=COM,DC=US";
public static void main(String[] args) {
TestAD1 tad = new TestAD1();
try {
// Create a LDAP Context
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "ldap.serviceaccount#domain.com");
env.put(Context.SECURITY_CREDENTIALS, "drowssap");
env.put(Context.PROVIDER_URL, "ldap://fully.qualified.server.name:389");
LdapContext ctx = new InitialLdapContext(env, null);
InitialDirContext inidircontext = new InitialDirContext(env);
DirContext dirctx = new InitialLdapContext(env, null);
System.out.println("Connection Successful.");
// Print all attributes of the name in namespace
SearchControls sctls = new SearchControls();
String retatts[] = {"sn", "mail", "displayName", "sAMAccountName"};
sctls.setReturningAttributes(retatts);
sctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String srchfilter = "(&(objectClass=user)(mail=*))";
String srchbase = userBase;
int totalresults = 0;
NamingEnumeration answer = dirctx.search(srchbase, srchfilter, sctls);
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult) answer.next();
totalresults++;
System.out.println(">>> " + sr.getName());
Attributes attrs = sr.getAttributes();
if (answer == null || !answer.hasMore()) {
System.out.println("No result found");
return;
}
if (attrs != null) {
try {
System.out.println(" surname: " + attrs.get("sn").get());
System.out.println(" Email - ID: " + attrs.get("mail").get());
System.out.println(" User - ID: " + attrs.get("displayName").get());
System.out.println(" Account Name: " + attrs.get("sAMAccountName").get());
tad.GetGroups(inidircontext, attrs.get("sAMAccountName").get().toString());
} catch (NullPointerException e) {
System.out.println("Error listing attributes..." + e);
}
}
System.out.println("Total Results : " + totalresults);
// close dir context
dirctx.close();
}
ctx.close();
} catch (NamingException e) {
System.out.println("Problem Search Active Directory..." + e);
//e.printStackTrace();
}
}
// Get all the groups.
public void GetGroups(InitialDirContext context, String username) throws NamingException {
String[] attrIdsToSearch = new String[]{"memberOf"};
String SEARCH_BY_SAM_ACCOUNT_NAME = "(sAMAccountName=%s)";
String filter = String.format(SEARCH_BY_SAM_ACCOUNT_NAME, username);
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
constraints.setReturningAttributes(attrIdsToSearch);
NamingEnumeration results = context.search(userBase, filter, constraints);
// Fail if no entries found
if (results == null || !results.hasMore()) {
System.out.println("No result found");
return;
}
SearchResult result = (SearchResult) results.next();
Attributes attrs = result.getAttributes();
Attribute attr = attrs.get(attrIdsToSearch[0]);
NamingEnumeration e = attr.getAll();
System.out.println(username + " is Member of the following groups : \n");
while (e.hasMore()) {
String value = (String) e.next();
System.out.println(value);
}
}
}
Also you can modify the accepted answer from here: Authenticating against Active Directory with Java on Linux with the following:
String group="name of the group";
Iterator ig = groups.iterator();
Boolean bool=false;
while (ig.hasNext()) {
String a=ig.next().toString();
if (a.equals(group)) {
JOptionPane.showMessageDialog(this, "Authentication succeeded!");
bool=true;
// here you can do smth in case of success
}
}
if (bool==false){
JOptionPane.showMessageDialog(this, "Permission denied");
}
Related
I am using one java program to retrieve user information from active directory. The program is working but it is passing data from one group only (search filter is defined as a string
String searchFilter ="CN=CostCentre_1041";)
How I can pass multiple groups in a program.
I have tried using array but not able to define it properly.
package Test.ad;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class GetUsersFrormLDAPGroup {
static String ldapSearchBase = "DC=test,DC=edu,DC=com";
private static DirContext ctx = null;
private static DirContext getActiveDirectoryContext() throws Exception {
final Properties properties = new Properties();
properties.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
properties.put(Context.PROVIDER_URL, "ldap://testad:3268");
properties.put(Context.SECURITY_AUTHENTICATION, "simple");
properties.put(Context.SECURITY_PRINCIPAL, "admin");
properties.put(Context.SECURITY_CREDENTIALS, "test");
return new InitialDirContext(properties);
}
public void getGroupUsers(String searchBase, String searchFilter, String returnedAttrs[], int maxResults) {
Hashtable userEntries = null;
String member = "";
try {
SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
searchCtls.setReturningAttributes(returnedAttrs);
ctx = getActiveDirectoryContext();
try {
System.out.println("Search Base: " + searchBase);
System.out.println("Search Filter: " + searchFilter);
NamingEnumeration users = ctx.search(searchBase, searchFilter, searchCtls);
if (users.hasMoreElements() == false) {
System.out.println("Not find any object with this filter " + searchFilter + " and searchBase " + searchBase);
}
int k = 0;
String attValue = "";
userEntries = new Hashtable();
while (users.hasMoreElements()) {
if (k >= maxResults)
break;
SearchResult sr = (SearchResult) users.next();
Attributes attrs = sr.getAttributes();
if (attrs.size() == 0) {
System.out.println("Could not find attribute " + returnedAttrs[0] + " for this object.");
} else {
try {
for (NamingEnumeration ae = attrs.getAll(); ae.hasMore(); ) {
Attribute attr = (Attribute) ae.next();
String id = attr.getID();
for (NamingEnumeration e = attr.getAll(); e.hasMore(); ) {
attValue = (String) e.next();
if (id.equalsIgnoreCase("member"))
member = attValue;
{
System.out.println("member :" + member);
}
//{
//System.out.println("empty");
// }
}
}
} catch (NamingException e) {
System.out.println("Problem listing membership:" + e);
}
}
k++;
}
} catch (NamingException e) {
System.out.println("Problem searching directory: " + e);
}
ctx.close();
ctx = null;
} catch (Exception namEx) {
System.out.println("Exception while fetching the users from LDAP::" + namEx);
}
}
public static void main(String args[]) throws Exception {
GetUsersFrormLDAPGroup gug = new GetUsersFrormLDAPGroup();
String returnedAttrs[] = {"cn", "member", "name"};
String searchFilter = "CN=CostCentre_1041";
gug.getGroupUsers(ldapSearchBase, searchFilter, returnedAttrs, Integer.parseInt("2000"));
}
}
You can either:
Call getGroupUsers() a second time with a different searchFilter to get the results for a different group:
String searchFilter = "CN=CostCentre_1041";
gug.getGroupUsers(ldapSearchBase, searchFilter, returnedAttrs, Integer.parseInt("2000"));
searchFilter = "CN=SNOW - EA DEV INTG";
gug.getGroupUsers(ldapSearchBase, searchFilter, returnedAttrs, Integer.parseInt("2000"));
Change your searchFilter to return both groups.
String searchFilter = "(|(CN=CostCentre_1041)(CN=SNOW - EA DEV INTG))";
gug.getGroupUsers(ldapSearchBase, searchFilter, returnedAttrs, Integer.parseInt("2000"));
This question already has answers here:
What is a NullPointerException, and how do I fix it?
(12 answers)
Closed 3 years ago.
i have a problem with the code:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
/**
* Example code for retrieving a Users Primary Group
* from Microsoft Active Directory via. its LDAP API
*
public class LDAPTest {
/**
* #param args the command line arguments
*/
public static void main(String[] args) throws NamingException {
final String ldapAdServer = "/*Server*/";
final String ldapSearchBase = "ou=users,ou=,dc=,dc=";
final String ldapUsername = "/*Username*/";
final String ldapPassword = "/*Passwort*/";
final String ldapAccountToLookup = "/*lookupaccount*/";
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.SECURITY_AUTHENTICATION, "simple");
if(ldapUsername != null) {
env.put(Context.SECURITY_PRINCIPAL, ldapUsername);
}
if(ldapPassword != null) {
env.put(Context.SECURITY_CREDENTIALS, ldapPassword);
}
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapAdServer);
//ensures that objectSID attribute values
//will be returned as a byte[] instead of a String
env.put("java.naming.ldap.attributes.binary", "objectSID");
//the following is helpful in debugging errors
env.put("com.sun.jndi.ldap.trace.ber", System.err);
LdapContext ctx = new InitialLdapContext(env,null);
LDAPTest ldap = new LDAPTest();
//1) lookup the ldap account
SearchResult srLdapUser = ldap.findAccountByAccountName(ctx, ldapSearchBase, ldapAccountToLookup);
//2) get the SID of the users primary group
String primaryGroupSID = ldap.getPrimaryGroupSID(srLdapUser);
//3) get the users Primary Group
String primaryGroupName = ldap.findGroupBySID(ctx, ldapSearchBase,primaryGroupSID);
}
public SearchResult findAccountByAccountName(DirContext ctx, String ldapSearchBase, String accountName) throws NamingException {
String searchFilter = "(&(objectClass=user)(sAMAccountName=" + accountName + "))";
SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results = ctx.search(ldapSearchBase, searchFilter, searchControls);
SearchResult searchResult = null ;
if(results.hasMoreElements()) {
searchResult = (SearchResult) results.nextElement();
//make sure there is not another item available, there should be only 1 match
if(results.hasMoreElements()) {
System.err.println("Matched multiple users for the accountName: " + accountName);
return null;
}
}
return searchResult;
}
public String findGroupBySID(DirContext ctx, String ldapSearchBase, String sid) throws NamingException {
String searchFilter = "(&(objectClass=group)(objectSid=" + sid + "))";
SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> results = ctx.search(ldapSearchBase, searchFilter, searchControls);
if(results.hasMoreElements()) {
SearchResult searchResult = (SearchResult) results.nextElement();
//make sure there is not another item available, there should be only 1 match
if(results.hasMoreElements()) {
System.err.println("Matched multiple groups for the group with SID: " + sid);
return null;
} else {
return (String)searchResult.getAttributes().get("sAMAccountName").get();
}
}
return null;
}
public String getPrimaryGroupSID(SearchResult srLdapUser) throws NamingException {
byte[] objectSID = (byte[])srLdapUser.getAttributes().get("objectSid").get();
String strPrimaryGroupID = (String)srLdapUser.getAttributes().get("primaryGroupID").get();
String strObjectSid = decodeSID(objectSID);
return strObjectSid.substring(0, strObjectSid.lastIndexOf('-') + 1) + strPrimaryGroupID;
}
/**
* The binary data is in the form:
* byte[0] - revision level
* byte[1] - count of sub-authorities
* byte[2-7] - 48 bit authority (big-endian)
* and then count x 32 bit sub authorities (little-endian)
*
* The String value is: S-Revision-Authority-SubAuthority[n]...
*
* Based on code from here - http://forums.oracle.com/forums/thread.jspa?threadID=1155740&tstart=0
*/
public static String decodeSID(byte[] sid) {
final StringBuilder strSid = new StringBuilder("S-");
// get version
final int revision = sid[0];
strSid.append(Integer.toString(revision));
//next byte is the count of sub-authorities
final int countSubAuths = sid[1] & 0xFF;
//get the authority
long authority = 0;
//String rid = "";
for(int i = 2; i <= 7; i++) {
authority |= ((long)sid[i]) << (8 * (5 - (i - 2)));
}
strSid.append("-");
strSid.append(Long.toHexString(authority));
//iterate all the sub-auths
int offset = 8;
int size = 4; //4 bytes for each sub auth
for(int j = 0; j < countSubAuths; j++) {
long subAuthority = 0;
for(int k = 0; k < size; k++) {
subAuthority |= (long)(sid[offset + k] & 0xFF) << (8 * k);
}
strSid.append("-");
strSid.append(subAuthority);
offset += size;
}
return strSid.toString();
}
}
Firstly if i run this code i become the error message :
Exception in thread "main" javax.naming.NoInitialContextException: Need to specify class name in environment or system property, or as an applet parameter, or in an application resource file: java.naming.factory.initial
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.getURLOrDefaultInitCtx(Unknown Source)
at javax.naming.directory.InitialDirContext.getURLOrDefaultInitDirCtx(Unknown Source)
at javax.naming.directory.InitialDirContext.search(Unknown Source)
at LDAPTest.findAccountByAccountName(LDAPTest.java:74)
at LDAPTest.main(LDAPTest.java:58)
As a measure i put on LdapContext ctx = new InitialLdapContext(env,null);
and now i have the error message
Exception in thread "main" java.lang.NullPointerException
at LDAPTest.getPrimaryGroupSID(LDAPTest.java:114)
at LDAPTest.main(LDAPTest.java:61)
I do not know how to continue. Can anybody help me? Is anyone familiar with it ? ----------------------------------------------------------------
You can try this ,naming exception occurs when your ldap authentication may not be done in a proper manner.
private boolean isLdapServerOnline() {
try {
Hashtable authEnv = new Hashtable();
authEnv.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_JNDI_FACTORY);
authEnv.put(Context.PROVIDER_URL, ldapUrl);
authEnv.put(Context.SECURITY_AUTHENTICATION, ldapSecurityAuthentication);
authEnv.put(Context.SECURITY_PRINCIPAL, ldapDistinguishedName);
authEnv.put(Context.SECURITY_CREDENTIALS, ldapPassword);
DirContext authContext = new InitialDirContext(authEnv);
return true;
} catch (AuthenticationException authEx) {
LOGGER.error("Active Directory Authentication failed", authEx);
return false;
} catch (NamingException namEx) {
LOGGER.error("Unable to connect to Active Directory", namEx);
return false;
}
}
Nothing I've found is working for me. And I'm having trouble finding answers that have valid code and aren't simply pasting a search filter string from another site.
The relevant code that's trying to do the search is:
SearchResult sr = executeSearchSingleResult(ctx, SearchControls.SUBTREE_SCOPE, "dc=mydomain,dc=local", "(&(objectClass=person)(sAMAccountName=admin2))", new String[]{"memberOf"});
if (sr != null) {
Attribute memberOf = sr.getAttributes().get("memberOf");
if (memberOf != null) {
for (int i = 0; i < memberOf.size(); i++) {
Attributes attributes = ctx.getAttributes(memberOf.get(i).toString(), new String[]{"CN"});
Attribute attribute = attributes.get("CN");
if (attribute != null) {
log.info("member of : " + attribute.get(0));
}
}
for (Enumeration e1 = memberOf.getAll(); e1.hasMoreElements();) {
String unprocessedGroupDN = e1.nextElement().toString();
String unprocessedGroupCN = getCN(unprocessedGroupDN);
//checking something here
}
}
}
private static SearchResult executeSearchSingleResult(DirContext ctx, int searchScope, String searchBase, String searchFilter, String[] attributes) throws NamingException {
NamingEnumeration result = executeSearch(ctx, searchScope, searchBase, searchFilter, attributes);
SearchResult sr = null;
try {
while (result.hasMoreElements()) {
sr = (SearchResult) result.next();
break;
}
} catch (Exception e) {
log.error(e, e);
}
return sr;
}
private static NamingEnumeration executeSearch(DirContext ctx, int searchScope, String searchBase, String searchFilter, String[] attributes) throws NamingException {
SearchControls searchCtls = new SearchControls();
if (attributes != null) {
searchCtls.setReturningAttributes(attributes);
}
searchCtls.setSearchScope(searchScope);
NamingEnumeration result = ctx.search(searchBase, searchFilter, searchCtls);
return result;
}
This works fine when there are no nested groups. But say I have the following structure of groups and users:
My Admins (dn = CN=My Admins,CN=Users,DC=mydomain,DC=local)
AdminUser1 (dn = CN=AdminUser 1,CN=Users,DC=mydomain,DC=local)
AdminGroup1 (dn = CN=AdminGroup 1,CN=Users,DC=,mydomain,DC=local)
AdminUser2 (dn = CN=AdminUser 2,CN=Users,DC=mydomain,DC=local)
This finds AdminUser1 just fine. It cannot find AdminUser2. What I need to do, is discover that AdminUser2 goes all the way back up to the highest level group called My Admins.
I found a lot of references to 1.2.840.113556.1.4.1941, but different ways of putting that into the search filter have not helped.
What do I need to change in the code and/or the search filter to glean that a particular user at any particular depth of group nesting goes all the way back up to the topmost group?
Using the LDAP_MATCHING_RULE_IN_CHAIN filter similar to:
(member:1.2.840.113556.1.4.1941:=(CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET))
Will normally find all the groups that the user CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET is a member of.
But it is complicated.
Microsoft Active Directory has several group
types
Microsoft Active Directory has different LDAP Services
(normal and Global Catalog)
Limitations
Any which may cause a group to not show within results.
So the groups MUST be Security Groups and you should use the Global Catalog
And then there are limitations. The LDAP_MATCHING_RULE_IN_CHAIN type searches tend to fail when groups are nested "too deep" or "Too Broad". That is too many nesting levels or too many groups that the member is a member of.
In LDAP we can query if a User belongs to a given group once you have established a connection you can query using either member or memberOf attribute.
Query for memberOf Attribute :
filter used : (&(Group Member Attribute=Group DN)(objectClass=Group Object class))
Ex : (&(memberOf=CN=group,ou=qa_ou,dc=ppma,dc=org)(objectClass=group))
Using member Attribute :
filter used : (&(Group Member Attribute=User DN)(objectClass=Group Object class))
Ex : (&(member=CN=user,ou=qa_ou,dc=ppma,dc=org)(objectClass=group))
But You'll have to search recursively using the member or memberOf attribute list for a user. e.g. if a user has the following group hierarchy :
cn: user1 memberOf: CN=group1,DC=foo,DC=example,DC=com memberOf: CN=group2,DC=foo,DC=example,DC=com
then you'll want to recursively lookup group1 and group2 with additional LDAP searches, and so on for groups which those groups are members of.
We can't use LDAP_MATCHING_RULE_IN_CHAIN in production since it doesn't work when we have too deep nested hierarchy and it only works for Active Directory. Below Solution works independently with AD or OpenLDAP we just need to replace the group attributes.
Below is the sample code to query all the nested groups a User belongs to :
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class MemberDemo {
private static final String contextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
private static final String connectionURL = "ldap://10.224.243.133:389";
private static final String connectionName = "CN=administrator,CN=users,DC=ppma,DC=org";
private static final String connectionPassword = "Conleyqa12345";
public static int nestLevel = 3;
public static int level = 1;
// Optional
private static final String authentication = null;
private static final String protocol = null;
private static String userBase = "OU=qa_OU,DC=ppma,DC=org";
public static void main(String[] args) throws NamingException {
long start = System.currentTimeMillis();
Hashtable<String, String> env = new Hashtable<String, String>();
// Configure our directory context environment.
env.put(Context.INITIAL_CONTEXT_FACTORY, contextFactory);
env.put(Context.PROVIDER_URL, connectionURL);
env.put(Context.SECURITY_PRINCIPAL, connectionName);
env.put(Context.SECURITY_CREDENTIALS, connectionPassword);
if (authentication != null)
env.put(Context.SECURITY_AUTHENTICATION, authentication);
if (protocol != null)
env.put(Context.SECURITY_PROTOCOL, protocol);
InitialDirContext context = new InitialDirContext(env);
SearchControls constraints = new SearchControls();
constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
Set<String> traversedGroups = new HashSet<String>();
Set<String> relatedGroups = new HashSet<String>();
List<String> tempParentColl = new CopyOnWriteArrayList<String>();
List<String> tempGroups = new ArrayList<String>();
String loginUser = "CN=qa20Nest,OU=qa_OU,DC=ppma,DC=org";
String filter = "(&(member=" + loginUser + ")(objectClass=group))";
tempGroups = findNestedGroups(tempGroups, context, filter, loginUser, constraints,
tempParentColl, traversedGroups, getUserName(loginUser));
relatedGroups.addAll(tempGroups);
System.out.println("Parent Groups :");
for (String group : relatedGroups) {
System.out.println(group);
}
long end = System.currentTimeMillis();
long elapsedTime = end - start;
System.out.println("Total time taken in sec : " + elapsedTime / 1000);
}
#SuppressWarnings("rawtypes")
public static List<String> findNestedGroups(List<String> tempGrpRelations, InitialDirContext context, String filter,
String groupName, SearchControls constraints, List<String> tempParentColl, Set<String> traversedGrp,
String groupIdentifier) {
NamingEnumeration results;
try {
traversedGrp.add(groupName);
results = context.search(userBase, filter, constraints);
// Fail if no entries found
if (results == null || !results.hasMore()) {
System.out.println("No result found for :" + groupName);
if (tempParentColl.isEmpty()) {
return tempGrpRelations;
} else {
tempParentColl.remove(groupName);
}
}
while (results.hasMore()) {
SearchResult result = (SearchResult) results.next();
System.out.println("DN - " + result.getNameInNamespace());
tempParentColl.add(result.getNameInNamespace());
tempGrpRelations.add(result.getNameInNamespace());
}
Iterator<String> itr = tempParentColl.iterator();
while (itr.hasNext()) {
String groupDn = itr.next();
String nfilter = "(&(member=" + groupDn + ")(objectClass=group))";
tempParentColl.remove(groupDn);
if (!traversedGrp.contains(groupDn)) {
findNestedGroups(tempGrpRelations, context, nfilter, groupDn, constraints, tempParentColl,
traversedGrp, getUserName(groupDn));
}
}
} catch (NamingException e) {
e.printStackTrace();
}
return tempGrpRelations;
}
public static String getUserName(String cnName) {
String name = cnName.substring(cnName.indexOf("CN=")).split(",")[0].split("=")[1];
return name;
}
}
My goal is recursive getting all group members from domain and subdomains using only connection to main dc.
I have Active Directory forest containing domain.com, sub.domain.com.
My 'MainGroup' located in domain.com and contains members/groups from domain.com and sub.domain.com.
I'm getting 'member' field strings of MainGroup using ldapContext connection with dc.domain.com. Here is it:
cn=userA,ou=Users,dc=domain,dc=com
cn=userB,ou=Users,dc=sub,dc=domain,dc=com
cn=groupB,ou=Users,dc=sub,dc=domain,dc=com
Can I get subdomain's user/group data (I need ObjectClass to recursive iterate) using current ldapConext?
private LdapContext createLdapContext() {
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapHost);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "user#" + domain);
env.put(Context.SECURITY_CREDENTIALS, "******");
try {
ldapContext = new InitialLdapContext(env, null);
} catch (NamingException e) {
e.printStackTrace();
}
return ldapContext;
}
public List getGroupMembers(String groupName) {
List resultList = new ArrayList<String>();
int Start = 0;
int Finish = 1499;
int Step = 1500;
boolean Finished = false;
String Range;
try {
while (!Finished) {
Range = Start + "-" + Finish;
String[] returningAttrs = {"member;range=" + Range};
String searchFilter = "(&(objectClass=group)(sAMAccountName=" + groupName + "))";
SearchControls searchControls = new SearchControls();
searchControls.setReturningAttributes(returningAttrs);
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration answer = ldapContext.search(searchBase, searchFilter, searchControls);
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult) answer.next();
Attributes attrs = sr.getAttributes();
if (attrs != null) {
for (NamingEnumeration ae = attrs.getAll(); ae.hasMoreElements(); ) {
Attribute attr = (Attribute) ae.next();
if (attr.getID().endsWith("*")) {
Finished = true;
}
for (NamingEnumeration e = attr.getAll(); e.hasMoreElements(); ) {
resultList.add(e.next().toString());
}
}
}
}
Start = Start + Step;
Finish = Finish + Step;
}
ldapContext.close();
} catch (NamingException e) {
e.printStackTrace();
} finally {
return resultList;
}
}
Edited. Found another solution:
Anyway we should query every domain.
We can make 'recursive one shoot query' using filter (memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)
Related c# question
msdn Search Filter Syntax
How to get List of LDAP servers given a domain name (using java + acitvedirectory) , and authenticate it based on username and password ?
Here are the steps to do it
GET Server List
Hit DNS server to get SRV records
Sort SRV records
Filter server record based on regexp pattern
Construct LDAP urls based on if we need ssl or not. Note that srv record can return only one port so dont rely on port returned from srv record. See srv record RFC
Authentication
iterate through list of servers
Construct Hashtable with ldap environments. note that need to append domain name with username separated by \, and add ldap URL to it
try to create InitialDirContext
success : close context and return
failure1 : if naming exception is AuthenticationException and contains messge "[LDAP: error code 49" translate and throw a readable exception ! see error code mapping
failure2 : if not failure1 continue with next ldap URL
And Here is the full fledged working code
If you are using spring use following conf to invoke init method
<bean
class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetClass">
<value>org.bhate.ldap.LdapUtil</value>
</property>
<property name="targetMethod" value="init" />
<property name="arguments">
<list>
<value>${ldap.dnsServer}</value>
<value>${ldap.domainName}</value>
<value>${ldap.filter.regexp}</value>
<value>${ldap.ssl}</value>
</list>
</property>
And Following properties
ldap.dnsServer=uk.mydomain.com
ldap.domainName=DOMAINNAME
ldap.filter.regexp=serv10.*|server.*
ldap.ssl=true
else call init during startup
LdapUtil.init("uk.mydomain.com", "DOMAINNAME", "serv10.*|server.*",true);
LdapUtil.java
package org.bhate.ldap;
import java.util.Collection;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.TreeSet;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.spi.NamingManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.NestedExceptionUtils;
import org.springframework.security.BadCredentialsException;
public class LdapUtil {
private static final Logger LOGGER = LoggerFactory
.getLogger(LdapUtil.class);
#SuppressWarnings("serial")
final static Map<String, String> errorCodesMap = new HashMap<String, String>() {
{
put("525", "user not found");
put("52e", "invalid credentials");
put("530", "not permitted to logon at this time");
put("531", "not permitted to logon at this workstation");
put("532", "password expired");
put("533", "account disabled");
put("701", "account expired");
put("773", "user must reset password");
put("775", "user account locked");
}
};
private static Collection<String> ldapServers;
private static String domainName;
private static Pattern PATTERN;
public static DirContext getDirContext(String url, String domainName,
String userName, String password) throws NamingException {
Hashtable<String, Object> env = getEnv(url, domainName, userName,
password);
return new InitialDirContext(env);
}
public static Collection<String> getLdapServers(String ldapDomain,
boolean useSsl) throws NamingException {
Collection<String> serverRecords = getSRVRecords(ldapDomain);
serverRecords = reOrder(serverRecords);
Collection<String> serverNames = new LinkedHashSet<String>();
String protocol = "ldap" + (useSsl ? 's' : "");
for (String s : serverRecords) {
String hostName = s.substring(s.lastIndexOf(' ') + 1,
s.length() - 1);
serverNames.add(protocol + "://" + hostName);
}
return serverNames;
}
private static Collection<String> reOrder(Collection<String> serverRecords) {
return serverRecords;
}
private static Collection<String> getSRVRecords(String ldapDomain)
throws NamingException {
DirContext context = (DirContext) NamingManager.getURLContext("dns",
new Hashtable<String, Object>());
String ldapDNSUrl = "dns:///_ldap._tcp." + ldapDomain;
String[] attrIds = { "SRV" };
Attributes attributes = context.getAttributes(ldapDNSUrl, attrIds);
Attribute servers = attributes.get("SRV");
int L = servers.size();
Collection<String> serverRecords = new TreeSet<String>();
for (int i = 0; i < L; i++) {
String s = (String) servers.get(i);
if (PATTERN.matcher(s).find())
serverRecords.add(s);
}
return serverRecords;
}
public static void authenticate(String userName, String password) {
String msg = "Unable authenticate user {} with {}";
for (String url : ldapServers) {
DirContext ctx = null;
try {
ctx = getDirContext(url, domainName, userName, password);
LOGGER
.info("Authenticated user {} on server {}", userName,
url);
return;
} catch (NamingException e) {
LOGGER.error(msg, userName, url);
String m = NestedExceptionUtils.buildMessage(e.getMessage(), e
.getCause());
LOGGER.error(m, e);
if (e instanceof AuthenticationException
&& e.getMessage().startsWith("[LDAP: error code 49"))
throwMeanigfulEx(userName, url, e);
} finally {
close(ctx);
}
}
LOGGER.error(msg, userName, "any available server");
throw new BadCredentialsException(
"Unable to authenticate : Please contact application support team");
}
public static void init(String dnsServerName, String domainName,
String serverFilter, boolean useSsl) {
PATTERN = Pattern.compile(serverFilter);
try {
LdapUtil.domainName=domainName;
ldapServers = getLdapServers(dnsServerName, useSsl);
if (LOGGER.isInfoEnabled()) {
LOGGER.info(
"LDAP servers available in domain {} to connect {}",
dnsServerName, ldapServers);
}
} catch (NamingException e) {
throw new RuntimeException("Unable retrieve ldapServers for "
+ dnsServerName, e);
}
}
private static void throwMeanigfulEx(String userName, String url,
NamingException e) {
String separator = ", data ";
String m = e.getMessage();
int strt = m.lastIndexOf(separator) + separator.length();
int end = m.lastIndexOf(", vece");
String code = m.substring(strt, end);
throw new BadCredentialsException("Unable to authenticate : "
+ errorCodesMap.get(code));
}
private static void close(DirContext ctx) {
if (ctx != null)
try {
ctx.close();
} catch (NamingException e) {
LOGGER.error("Unable to close context", e);
}
}
private static Hashtable<String, Object> getEnv(String url,
String domainName, String userName, String password) {
Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.REFERRAL, "follow");
env.put(Context.PROVIDER_URL, url);
env.put("com.sun.jndi.ldap.connect.timeout", "2000");
// env.put("com.sun.jndi.ldap.trace.ber", System.err);
// env.put("javax.net.ssl.trustStoreType", "JKS");
// env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, getPrincipal(domainName, userName));
env.put(Context.SECURITY_CREDENTIALS, password);
return env;
}
private static Object getPrincipal(String domainName, String userName) {
return domainName + "\\" + userName;
}
public static void main(String[] args) throws NamingException {
init("uk.mydomain.com", "DOMAINNAME", "serv10.*|server.*",true);
System.out.println(ldapServers.size());
System.out.println(ldapServers);
if (args.length == 2)
authenticate(args[0], args[1]);
}
//
// public static InitialLdapContext getLdapContext(String userName,
// String domainName, String password, String url)
// throws NamingException {
// Hashtable<String, Object> env = getEnv(url, domainName, userName,
// password);
// Control[] connCtls = new Control[] { new Control() {
// private static final long serialVersionUID = 1L;
//
// public byte[] getEncodedValue() {
// return null;
// }
//
// public String getID() {
// return "1.2.840.113556.1.4.1781";
// }
//
// public boolean isCritical() {
// return true;
// }
// } };
// return new InitialLdapContext(env, connCtls);
// }
}
Here is a snippet for looking up SRV records in Java, use it with the domain given by ShaMan (_ldap._tcp.dc._msdcs.your.domain.com).
private static final String[] SRV = new String[] { "SRV" };
public static Collection<InetSocketAddress> srv(String name)
throws NamingException
{
DirContext ctx = new IntialDirContext();
Attributes attrs = ctx.getAttributes("dns:/" + name, SRV);
if(attributes.get("SRV") == null)
{
return Collections.emptyList();
}
NamingEnumeration<?> e = attributes.get("SRV").getAll();
TreeMap<Integer, InetSocketAdress> result = new TreeMap<Integer, InetSocketAdress>();
while(e.hasMoreElements())
{
String line = (String) e.nextElement();
// The line is priority weight port host
String[] parts = line.split("\\s+");
int prio = Integer.parseInt(parts[0]);
int port = Integer.parseInt(parts[2]);
String host = parts[3];
result.put(prio, new InetSocketAddress(host, port));
}
return result.values();
}
You can get a list of LDAP servers for a given AD domain by reading the SRV records for that domain. The SRV record you need have value similar to this one _ldap._tcp.dc._msdcs.your.domain.com. This article should give you some more information: http://technet.microsoft.com/en-us/library/cc738991%28WS.10%29.aspx.
You can use JNDI to retrieve the DNS information and later to authenticate via LDAP. A nice tutorial can be found here: http://download.oracle.com/javase/jndi/tutorial/.