java - Active Directory - authentication using base dn
Question
I have writeen a test code for authenticating user through Active Directory server. I am able to authenticate using bind dn using code below.
public static void main(String[] args) {
LdapContext ldapContext = null;
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldaps://10.121.85.24:636");
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_PRINCIPAL, "EXTLDAPTEST\batty"); // line 1
env.put(Context.SECURITY_CREDENTIALS, "mypassword");
env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(8000));
env.put("java.naming.ldap.factory.socket", "com.auth.server.TrustAllSSLSocketFactory" );
try {
ldapContext = new InitialLdapContext(env, null);
} catch (Exception e) {
e.printStackTrace();
}
if (ldapContext != null)
{
System.out.println("Authenticatied");
}
}
But when I replace line 1 with
env.put(Context.SECURITY_PRINCIPAL, "CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local"); // line 1
it throws exception as
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
AD's tree structure is :
Am I doing something wrong when trying to use full dn for authentication?
EDIT 1 : When I use service account to get full dn using
NamingEnumeration<?> aa = context.list("OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local");
I get following result:
CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local
Which is same as I passed for authentication.
EDIT 2 : the reason I am using full dn is, I will be given service account and dn of an sub-tree. Now, same user can exists in different subtrees. So I want to authenticate it from a specific sub tree.
2 answers
solution1
0 2015-10-06 12:14:29
The error code 49 related to LDAP is caused by the invalid credentials.
but you can use applications like ADSI Edit or AD Explorer to get the DN for an object. You can either just use them to view the "distinguishedName" attribute of the object in question, or use other methods that are specific to each application.
or user LDAPExplorerTool 2. and find out the CN you wabt to get dn of. you can get its value in secDN attribute:
solution2
0 2015-10-06 18:24:34
I was wondering why do you need to use a full DN to specify user name ? You can use either DOMAIN\\USER or USER@DOMAIN format to authenticate against AD.
I personally never used any other format but RFC 2829 specifies the following DN based authentication identity format: dn: DN . In your case, SECURITY.PRINCIPAL would look dn: CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local . Once again, I never used DN format but try it out and see if the proposed solution works.
Hope this helps.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.