I have set up an AD 2016 installation. Now I intend to use it for authentication of web applications (Java). I have a piece of code for testing authentication and have some observations.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class LdapContextCreation {

    public static void main(String[] args) {
        String userid = "userhere", password = "passwordhere";
        LdapContextCreation ldapContxCrtn = new LdapContextCreation();
        LdapContext ctx = ldapContxCrtn.getLdapContext(userid, password);
        if (ctx == null) {
            System.out.println("Authentication Failed.");
        } else {
            System.out.println("Authentication Successful.");
        }
    }

    public LdapContext getLdapContext(String base, String password) {
        LdapContext ctx = null;
        try {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, base);
            env.put(Context.SECURITY_CREDENTIALS, password);
            env.put(Context.PROVIDER_URL, "ldaps://mydomaincontroller:636");
            ctx = new InitialLdapContext(env, null); // the LDAP bind happens here
        } catch (NamingException nex) {
            // nex.printStackTrace();
        }
        return ctx; // null when the bind threw
    }
}
Now I tested the user/password combinations in the following scenarios:

1. First combination: user1 exists in AD and the password is correct (testing authenticated bind).
   String userid="user1@domain.com",password="user1password";
   Expected: Authentication Failed for a wrong password, Authentication Successful for the right one. Actual: Authentication Successful. This is clear to me. For an incorrect password it responds with the correct message: Authentication Failed.

2. Second combination: user2 exists in AD but the password we attempt to send is empty (testing unauthenticated bind).
   String userid="user2@domain.com",password="";
   Expected: Authentication Failed. Actual: Authentication Successful. How to handle this scenario? Can I control this in AD, or does it have to be handled in code?

3. Third combination: user3 DOES NOT exist in AD (testing for a non-existent user).
   String userid="user3@domain.com",password="somepassword";
   Expected: Authentication Failed. Actual: Authentication Successful. How to handle this scenario? The user does not even exist. Is this an AD misconfiguration?

4. Fourth combination: empty username and password (testing for anonymous bind).
   String userid="",password="";
   Expected: Authentication Failed. Actual: Authentication Successful. How to handle this scenario? Can I control this in AD, or does it have to be handled in code?
What you're seeing is an "unauthenticated bind", detailed in LDAP RFC 4513 section 5.1.2, with a note regarding the subsequent security considerations in section 6.3.1.
It would be best to handle this in code (i.e. verify that username and password are both non-null prior to communicating with the directory server). A setting to disallow unauthenticated bind operations was added in Windows 2019: in your Configuration partition, open the properties of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, find the msDS-Other-Settings attribute, and add a new entry DenyUnauthenticatedBind=1. But unless you are writing a one-off application that will only ever be used with the Active Directory you own, it's not a secure assumption that other Active Directories have been configured in this manner.
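A guarded bind that applies the advice above, as an added example (not code from the question or the answer): it refuses an empty principal or an empty password locally, so the second and fourth combinations never reach the directory, and it separates a rejected bind from a connectivity error. The class and method names are assumptions; the context factory and the LDAPS URL are the ones from the question.

```java
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// Added example (not from the question or answer); class and method names are assumptions.
public final class GuardedLdapAuthenticator {

    // Same LDAPS endpoint as in the question.
    private static final String PROVIDER_URL = "ldaps://mydomaincontroller:636";

    // Local pre-check from the answer: both values must be present. Without it,
    // "" for the principal becomes an anonymous bind and "" for the password an
    // unauthenticated bind (RFC 4513 section 5.1.2), both of which servers may accept.
    static boolean credentialsPresent(String userPrincipal, char[] password) {
        return userPrincipal != null && !userPrincipal.trim().isEmpty()
            && password != null && password.length > 0;
    }

    // Returns true only when the server accepts a simple *authenticated* bind.
    // Propagates other NamingExceptions so a DC outage or TLS problem is never
    // reported to the caller as an ordinary "Authentication Failed".
    public static boolean authenticate(String userPrincipal, char[] password) throws NamingException {
        if (!credentialsPresent(userPrincipal, password)) {
            return false;                                  // rejected before any network traffic
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userPrincipal);
        env.put(Context.SECURITY_CREDENTIALS, password);   // JNDI accepts char[] credentials
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);       // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            return false;                                  // LDAP result 49: invalid credentials
        } finally {
            if (ctx != null) ctx.close();
            Arrays.fill(password, '\0');                   // do not keep the secret in memory
        }
    }
}
```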