In my organization we had a request to implement LDAP authentication for a new application. The problem we faced was that the CN used to connect to Active Directory is different from the sAMAccountName.
sAMAccountName was the username given to the user by the organization, while cn was something like lastName, firstName [Intern].
To solve this problem we decided to use a technical user to retrieve the cn from the sAMAccountName and then try to authenticate the user using that cn and the password. The code looked like:
InitialDirContext initialDirContext = new InitialDirContext(initUserAuthenticationInfo(technicalUserCredentials.Username, technicalUserCredentials.Password));
NamingEnumeration<SearchResult> searchResult = initialDirContext.search(AuthenticationHelper.DEFAULT_SEARCH_BASE, "(&(sAMAccountName=" + username + "))", searchCriteria);
String userCNFromAD = searchResult.hasMore() ? "CN=" + searchResult.nextElement().getAttributes().get("cn").get() : null;
The problem is, whenever a failed login attempt for the user happens, Active Directory treats it as a failed login attempt for the technical user! After some time the technical user always gets locked. I tried to close initialDirContext after getting the user cn using initialDirContext.close(), but that didn't change anything.
Active Directory can authenticate users with domain-and-user sAMAccountName or userPrincipalName values. If you have a single tree in a single forest, the username "sampleuser" in a domain called "domain.ccTLD" (legacy name "domain") can authenticate as "domain\sampleuser" or "sampleuser@domain.com" -- there's no need to figure out the actual distinguished name.
But for the flow you are using, which is what I use for LDAP authentication both to AD and to pure LDAP servers (OpenLDAP, Oracle Unified Directory, etc.):
By separating the system account logon and search from the user logon and search, I've never seen a system account incorrectly locked.
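The two-step flow the answer describes (service-account bind and search, then a separate bind as the user), as an added Java/JNDI example that is neither the poster's nor the answerer's code; the URL, search base, service-account DN and class name are assumed placeholders. It also escapes the search-filter input and rejects empty passwords, since an LDAP simple bind with an empty password is an unauthenticated bind rather than a failed one.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class AdAuthenticator {
    static final String URL = "ldaps://dc.example.test:636"; // placeholders, not from the post
    static final String SEARCH_BASE = "DC=example,DC=test";
    static final String SVC_DN = "CN=svc-ldap,OU=Service Accounts,DC=example,DC=test";
    /** Simple bind as the given principal. Every caller closes its own context. */
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    /** Escape user input for an LDAP filter (RFC 4515); backslash must be handled first. */
    static String escapeFilter(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    /** Step 1: the service account resolves sAMAccountName to the full DN, then is closed. */
    static String lookupDn(String samAccountName, String svcPassword) throws NamingException {
        DirContext svc = bind(SVC_DN, svcPassword);
        try {
            SearchControls sc = new SearchControls(SearchControls.SUBTREE_SCOPE, 1, 0,
                    new String[] {"distinguishedName"}, false, false);
            NamingEnumeration<SearchResult> r = svc.search(SEARCH_BASE,
                    "(&(objectClass=user)(sAMAccountName=" + escapeFilter(samAccountName) + "))", sc);
            return r.hasMore() ? (String) r.next().getAttributes().get("distinguishedName").get() : null;
        } finally {
            svc.close(); // the service-account session never carries the user's credentials
        }
    }
    /** Step 2: a separate bind as the user, so a wrong password counts against the user only. */
    static boolean authenticate(String samAccountName, String userPassword, String svcPassword)
            throws NamingException {
        if (userPassword == null || userPassword.isEmpty()) return false; // empty = anonymous bind
        String dn = lookupDn(samAccountName, svcPassword);
        if (dn == null) return false; // unknown user: no bind attempted at all
        try {
            bind(dn, userPassword).close();
            return true;
        } catch (AuthenticationException e) {
            return false; // bad password, disabled or locked user; the service account is untouched
        }
    }
}
```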