
LDAP Authentication using a technical user

In my organization we had a request to implement LDAP authentication for a new application. The problem we faced was that the CN used to connect to Active Directory is different from the sAMAccountName.

sAMAccountName was the username given to the user by the organization, while the cn was something like "lastName, firstName [Intern]".

To solve this problem we decided to use a technical user to retrieve the cn from sAMAccountName and then try to authenticate the user using cn and password, the code looked like:

```java
// Bind as the technical (service) account, then look up the user's CN by sAMAccountName
InitialDirContext initialDirContext = new InitialDirContext(initUserAuthenticationInfo(technicalUserCredentilas.Username, technicalUserCredentilas.Password));
searchResult = initialDirContext.search(AuthenticationHelper.DEFAULT_SEARCH_BASE, "(&(sAMAccountName=" + username + "))", searchCriteria);
userCNFromAD = searchResult.hasMore() ? "CN=" + searchResult.nextElement().getAttributes().get("cn").get() : null;
```

The problem is, whenever a failed login attempt for the user happens, Active Directory treats it as a failed login attempt for the technical user! And then after some time the technical user always gets locked. I tried to close initialDirContext after getting the user cn using initialDirContext.close(), but that didn't change anything.

Active Directory can authenticate users with domain-and-user sAMAccountName or userPrincipalName values. If you have a single tree in a single forest, the username "sampleuser" in a domain called "domain.ccTLD" (legacy name "domain") can authenticate as "domain\\sampleuser" or "sampleuser@domain.com" -- there's no need to figure out the actual distinguished name.

But for the flow you are using, which is what I use for LDAP authentication both to AD and to pure LDAP servers (OpenLDAP, Oracle Unified Directory, etc):

  • Connect to the LDAP server
  • Bind with the service account
  • Search for the user with your "(&(sAMAccountName=...))" filter
  • Retrieve the fully qualified DN (distinguishedName attribute value or returned object DN)
  • Disconnect from the LDAP server.
  • Connect to the LDAP server
  • Bind with the retrieved fully qualified DN and user-supplied password
  • (Optional: if you are performing authorization as well, verify group memberships as needed)
  • Disconnect from the LDAP server

By separating the system account logon and search from the user logon and search, I've never seen a system account incorrectly locked.
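The two-step flow described in this answer, written out with JNDI as an added example (not code from the question or the answer); the LDAP URL, search base, class and method names are assumptions. The service-account session is closed before the user bind is attempted on a new connection, so a wrong user password is counted against the user's account only, and the filter value is escaped so the supplied username cannot alter the search.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class TwoStepLdapAuth {
    // Hypothetical values: replace with your directory's URL and search base.
    static final String LDAP_URL = "ldaps://ad.example.com:636";
    static final String SEARCH_BASE = "DC=example,DC=com";
    // Open a fresh connection and simple-bind as the given principal.
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    // Escape a filter value (RFC 4515) so user input cannot rewrite the search filter.
    static String escapeFilter(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a")
                .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }
    // Step 1: bind as the service account, look up the user's DN, then close that session.
    static String lookupUserDn(String svcDn, String svcPw, String sAMAccountName) throws NamingException {
        DirContext ctx = bind(svcDn, svcPw);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(sAMAccountName) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, filter, sc);
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            ctx.close(); // the service-account session is gone before the user's bind is attempted
        }
    }
    // Step 2: on a new connection, bind with the user's DN and password; a failure here is charged to the user's account.
    static boolean authenticate(String svcDn, String svcPw, String sAMAccountName, String userPw) throws NamingException {
        if (userPw == null || userPw.isEmpty()) return false; // empty password = anonymous bind, never a login
        String userDn = lookupUserDn(svcDn, svcPw, sAMAccountName);
        if (userDn == null) return false;
        try {
            bind(userDn, userPw).close();
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }
}
```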
