views: 620 | answers: 2

So, here's the situation. We'd like to be able to query active directory for a user's roles/group memberships, etc. Now, I can already do that using standard Java API (javax.naming), but I need a username, domain server name/address, and a password to do it. Users also have limited rights, so I can't use any external calls to fancy administrative tools.

In Java, is there a way that I can get that information with just the username and domain server name/address? I'm also open to 3rd party packages to do this. Alternatively, you could provide me with (or point me to) information on what to configure in AD to allow this.

Hopefully that makes sense. I'm not an AD guru, so the more info the better.

+5  A: 

Your problem of needing to login first is because AD does not allow anonymous querying. Before you can query the database you must login ("bind" in LDAP terms) as a valid user with sufficient rights to issue the query.

If your AD admin is willing, you could have them create a special user (we call ours "ldapquery") that is permitted to bind and query the database. The userid and password for that user would become configuration values in your code.

Jim Garrison
So, how would I use this special user to query the information for the current user?
Dopyiii
We have a similar setup. I second this answer.
Adam Crume
Also, the assumption is that the user has already logged onto the machine and authenticated via the Windows login mechanisms. The only issue is that they don't see why they'd have to enter their password again (I can get their username from environment variables). So, even if I had a "special user" that had the right permissions, how can I log in as me, and then use the "special user" to find information about myself?
Dopyiii
Ah. Then what you're looking for is a way to channel your query through Windows' already-authenticated AD session. That wasn't quite clear in your original question. Not being a Windows API expert (or even a novice :-) I don't know if this is possible, but this restatement of the problem might help you find an answer. You'd need an API in Windows that lets you submit AD queries using the existing login binding, and a Java wrapper for that API.
Jim Garrison
Yeah, sorry for the ambiguity. Either using the "special user" as a pass-through, or eliminating the need for a password altogether to discover the current user's AD group membership (sounds like I'd need to set up anonymous querying).
Dopyiii
+1  A: 

Okay, so expounding on what others have told me and the vast research I had to do with the clues given here, it appears that I'd just use my "special user" as the login info in my code, transparent to the user, and then perform the query using their credentials. So: in the code, bind using the "special user", then perform the query with the current user as a query parameter (sAMAccountName=username).

Thanks all, for your input.

Dopyiii
Accepting your own answer which just recapitulates somebody else's upvoted answer is considered bad form on SO. Just FYI.
Jim Garrison
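The pattern both answers converge on (bind as a dedicated query account, then search for the current user by sAMAccountName) written out with the standard javax.naming API, as an added example that is not code from either poster. The LDAP URL, the bind DN, the search base and the LDAPQUERY_PASSWORD environment variable are placeholder assumptions; the username is read from the USERNAME environment variable the asker mentions. The filter value is escaped per RFC 4515 so that a username containing `*`, `(`, `)` or `\` cannot change the meaning of the search filter.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdGroupLookup {

    // Placeholder configuration (assumed values, not from the original thread):
    // the "ldapquery"-style service account that is allowed to bind and search,
    // the domain controller (over LDAPS so the bind password is not sent in clear),
    // and the search base for the domain.
    private static final String LDAP_URL    = "ldaps://dc.example.com:636";
    private static final String BIND_DN     = "CN=ldapquery,OU=Service Accounts,DC=example,DC=com";
    private static final String SEARCH_BASE = "DC=example,DC=com";

    /** Escape the characters RFC 4515 treats specially inside a search filter value. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Bind as the service account and return the memberOf DNs of the named user. */
    static List<String> groupsOf(String samAccountName) throws NamingException {
        String bindPassword = System.getenv("LDAPQUERY_PASSWORD"); // assumed variable; never hard-code it
        if (bindPassword == null) {
            throw new IllegalStateException("LDAPQUERY_PASSWORD is not set");
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        DirContext ctx = new InitialDirContext(env);   // this is the bind as the service account
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "memberOf" });

            // The current user is only a query parameter here, exactly as the accepted answer says.
            String filter = "(&(objectClass=user)(sAMAccountName="
                    + escapeFilterValue(samAccountName) + "))";

            List<String> groups = new ArrayList<>();
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, filter, sc);
            while (results.hasMore()) {
                Attribute memberOf = results.next().getAttributes().get("memberOf");
                if (memberOf == null) {
                    continue;                          // user belongs to no groups beyond the primary one
                }
                NamingEnumeration<?> dns = memberOf.getAll();
                while (dns.hasMore()) {
                    groups.add(dns.next().toString());
                }
            }
            return groups;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // The user's name comes from the Windows environment, as the asker describes.
        String user = args.length > 0 ? args[0] : System.getenv("USERNAME");
        for (String dn : groupsOf(user)) {
            System.out.println(dn);
        }
    }
}
```

Two caveats a practitioner would want: memberOf lists only direct memberships (nested groups and the primary group are not included), and nothing in this lookup proves the caller is the user named in USERNAME, so the result is fine for displaying a user's groups but should not by itself drive authorization decisions.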