
Java Active Directory query returning incomplete user list

I want to list all AD users in Java. I'm using this code:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// serverName, adminName, adminPass, searchPath and log are supplied by the
// surrounding application and are not shown in the question.
String ldapUri = "ldap://" + serverName;
LdapContext ctx = null;
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
// the documented value is lower-case "simple"
env.put(Context.SECURITY_AUTHENTICATION, "simple");
// it can be <domain\\userid>, the same form you use for a Windows login
// it can also be
env.put(Context.SECURITY_PRINCIPAL, adminName);
try {
    env.put(Context.SECURITY_CREDENTIALS, adminPass.getBytes("UTF8"));
    env.put(Context.REFERRAL, "follow");
} catch (java.io.UnsupportedEncodingException e) {
    log.error("Non-Fatal exception : ", e);
    /* ignore */
}
// in the following property we specify the ldap protocol and connection url.
// generally the port is 389
env.put(Context.PROVIDER_URL, ldapUri);

log.info("AD Server: " + ldapUri + ", admin " + adminName);

// Note: ctx is bound but never used below; ctx1 opens a second, separate bind.
ctx = new InitialLdapContext(env, null);

DirContext ctx1 = new InitialDirContext(env);
SearchControls ctls = new SearchControls();
String[] attrIDs = {"distinguishedName", "cn", "name", "uid",
    "sn",
    "memberOf",
    "displayName",
    "userPrincipalName"};

ctls.setReturningAttributes(attrIDs);
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
NamingEnumeration<SearchResult> answer = ctx1.search(searchPath, "(&(objectClass=user)(objectCategory=person))", ctls);
while (answer.hasMoreElements()) {
    // Process user
    SearchResult rslt = answer.next();
}

The code works fine in most environments, but there is a customer who reports that some users are missing. I've tried to troubleshoot it, but the users aren't listed, although they are listed using Active Directory admin or Active Directory Explorer.

Any ideas?

I assume that the account you are using has enough permissions. As far as I recall, any instance of a domain controller will return 1000 objects by default. It is very likely you are running into this situation. You have to use LDAP pagination in order to solve this problem. Take a look into JNDI page controls - https://docs.oracle.com/javase/tutorial/jndi/newstuff/paged-results.html .

Also, take a look into JNDI code samples from Java forum - https://community.oracle.com/thread/1157644?tstart=0 .

Hope this helps.

Besides making sure that you don't hit any query limits you should consider that some of your customers might run a more complex Active Directory setup. This might involve multiple domains. In order to address those you need to connect to the global catalog. You do so by binding to port 3268.

You should either make this your standard way of connecting or make this configurable by an administrator at your customer's site.

Read more about this at Microsoft: https://technet.microsoft.com/de-de/library/cc978012.aspx
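To tie the two answers together, here is an added, self-contained Java example (not code from the question or from either answer) that performs the user search with the JNDI PagedResultsControl so the directory's per-query size limit no longer truncates the result, and that lets the caller choose between the plain LDAP port and the global catalog port 3268. Host name, bind account, password, search base and page size are hypothetical placeholders. Unlike the question's code, the search has to run on an LdapContext rather than a plain DirContext, because only LdapContext exposes setRequestControls/getResponseControls.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

public class PagedAdUserSearch {

    // Hypothetical settings; in a product these should come from the
    // administrator's configuration, never from hard-coded strings.
    static final String HOST = "dc01.example.internal";
    static final int LDAP_PORT = 389;            // one domain
    static final int GLOBAL_CATALOG_PORT = 3268; // forest-wide (global catalog)
    static final String BIND_DN = "svc-ldap-reader@example.internal";
    static final String BIND_PASSWORD = "change-me"; // placeholder
    static final String SEARCH_BASE = "DC=example,DC=internal";
    static final String FILTER = "(&(objectClass=user)(objectCategory=person))";
    // Keep this at or below the DC's MaxPageSize (1000 by default).
    static final int PAGE_SIZE = 500;

    public static void main(String[] args) throws Exception {
        boolean useGlobalCatalog = args.length > 0 && args[0].equals("--gc");
        int port = useGlobalCatalog ? GLOBAL_CATALOG_PORT : LDAP_PORT;
        List<String> users = listUsers(HOST, port, BIND_DN, BIND_PASSWORD, SEARCH_BASE);
        System.out.println("Found " + users.size() + " user objects");
        for (String dn : users) {
            System.out.println(dn);
        }
    }

    /** Returns the DN of every user object under base, fetching page by page. */
    static List<String> listUsers(String host, int port, String bindDn,
                                  String password, String base)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "follow"); // same setting as the question

        LdapContext ctx = new InitialLdapContext(env, null);
        List<String> found = new ArrayList<>();
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[] {"distinguishedName", "userPrincipalName"});

            // First request: no cookie. CRITICAL makes the server reject the
            // search outright if it does not support paging, instead of
            // silently returning a truncated list.
            ctx.setRequestControls(new Control[] {
                new PagedResultsControl(PAGE_SIZE, Control.CRITICAL) });
            byte[] cookie;
            do {
                NamingEnumeration<SearchResult> results = ctx.search(base, FILTER, ctls);
                while (results.hasMore()) {
                    found.add(results.next().getNameInNamespace());
                }
                results.close();

                // The response control carries the cookie for the next page;
                // a null or empty cookie means this was the last page.
                cookie = null;
                Control[] responseControls = ctx.getResponseControls();
                if (responseControls != null) {
                    for (Control c : responseControls) {
                        if (c instanceof PagedResultsResponseControl) {
                            cookie = ((PagedResultsResponseControl) c).getCookie();
                        }
                    }
                }
                if (cookie != null && cookie.length > 0) {
                    ctx.setRequestControls(new Control[] {
                        new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) });
                }
            } while (cookie != null && cookie.length > 0);
        } finally {
            ctx.close();
        }
        return found;
    }
}
```

Run it with no arguments to query a single domain on port 389, or with `--gc` to query the global catalog on port 3268. One caveat when switching to the global catalog: it only replicates the partial attribute set, so attributes such as memberOf may be incomplete for objects from other domains; request the attributes you actually need and verify they are present in the GC before relying on them.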
