tags:

views:

54

answers:

3
+1  Q: 

LDAP user password authentication using JNDI 

public static void main(String[] args)
{
    String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
    String MY_HOST = "ldap://Localhost:1389";
    String MGR_DN = "cn=John,ou=Users,o=IT,dc=QuizPortal";
    String MGR_PW = "password";           

    //Identify service provider to use
    Hashtable env = new Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
    env.put(Context.PROVIDER_URL, MY_HOST);
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
    env.put(Context.SECURITY_CREDENTIALS, MGR_PW);

    try
    {
        // Create the initial directory context
        InitialDirContext initialContext = new InitialDirContext(env);

        System.out.println("Context Sucessfully Initialized");
    }
    catch(Exception e)
    {
        System.err.println(e);
    }
}

Hi, i am very new to JNDI and LDAP.

I would like to ask when i set the MGR_DN = "cn=John,ou=Users,o=IT,dc=QuizPortal" to MGR_DN = "uid=103,ou=Users,o=IT,dc=QuizPortal". Basically changing from cn to uid, i would encounter an error 

javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]

I am authenticated when is specified as cn=John but not uid=103. Am i not allowed to specify by uid??

Any help would be appreciated. Thanks!

Kevin

+2  A: 

You have to specify the DN or distinguished name. That's the name the user is bound as in the directory. You can't just select any chain of attributes. If your users are bound via the 'cn' attribute then only the 'cn' attribute is part of the DN.

EJP  2010-08-11 09:28:46
Oh... THANKS! Got it... was wondering why it didnt work... THANKS
Nivek  2010-08-11 09:34:42
It depends on the LDAP directory. Some allow alternate naming attributes in which case uid=103 might work. Whereas others will not. So it is not a reliable approach.
geoffc  2010-08-11 13:54:03
+1  A: 

It looks like a server configuration issue. Here's a similar problem including a solution. Basically you'll have to specify whether to use uid or cn for authentication in ldap-authentication.properties.

Andreas_D  2010-08-11 09:28:59
A: 

If you don't know the exact DN in advance, you should do a search in the LDAP directory first. This can be done more or less like this (make sure you catch the relevant exceptions):

Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapServerUrl);
env.put(Context.SECURITY_AUTHENTICATION, "none");

SearchControls searchCtrls = new SearchControls();
searchCtrls.setReturningAttributes(new String[] {});
searchCtrls.setSearchScope(SearchControls.SUBTREE_SCOPE);

String filter = "(&(cn=" + identifier + "))";

DirContext ctx = null;
ctx = new InitialDirContext(env);
NamingEnumeration<SearchResult> answer = ctx.search(
   ldapBaseDN, filter, searchCtrls);

String fullDN = null;
if (answer.hasMore()) {
    fullDN = answer.next().getNameInNamespace();

    ctx.close();
    ctx = null;

    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, fullDN);
    env.put(Context.SECURITY_CREDENTIALS, password);

    ctx = new InitialDirContext(env);
    return true;
}
// Exception otherwise ...

Here, the search filter is "(&(cn=" + identifier + "))" (so, for example (&(cn=John))), but you could use the uid instead. Uniqueness of the results depends on the configuration of the LDAP server. The base DN also depends on the way it's set up (it could be ou=Users,o=IT,dc=QuizPortal in your example).

Bruno  2010-08-11 09:29:08
Oh.. Thanks for the additional info..
Nivek  2010-08-11 09:37:38
That will just help you get the full DN when you only have the uid or cn, for example. Typically, some LDAP servers are configured to have unique uids across a subtree. Doing the search helps you find the right user. For example, if you've organized your LDAP tree to have multiple sub-trees (`ou=Marketing` and `ou=Finances` for example), with `uid=user1,ou=Marketing,o=MyCompany` and `uid=user2,ou=Finances,o=MyCompany` and configured it to use unique uids across `o=MyCompany`, you can find the full DN of user with `uid=user1` (which you need to authenticate) using that sort of search.
Bruno  2010-08-11 09:44:28
Hey thanks for the sharing. Now i have a better understanding of LDAP :)Btw, your piece of code works like a charm. THanks!
Nivek  2010-08-12 00:49:47

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java