JNDI and LDAP

Similar Messages

• JNDI and LDAP Results

  I have also posted this on Novell forums and it seems to only happen when the LDAP target is eDirectory.
  I am writing a JAVA program that uses JNDI to access LDAP data sources and I have run into an interesting problem when accessing eDirectory. The issue is that when I query on objects that involve a multivalue attribute and that multivalue attribute contains a large number of values then I appear to be getting back multiple records in my JNDI result set. For example, when I am going after an object in the LDAP Directory that is a "group" and there is a multivalue object within that record called "member" and if there are large number of member values (say 30,000 or so) then I will get multiple results in the JNDI Result set for the same DN value. The first record will contain all the normal attributes plus the first 650 or so member attribute values. Subsequent records will contain only the member attribute with more values. Each record is assciated with the same DN value. When I do the same type of thing going against an Active Directory the member attribute will be returned with an id of "member;range=0-1499" indicating that a range retrieval is required to get the remaining attributes BUT with AD I only get a single record back in the result set and it is up to my code to make the appropriate calls to get the remaining records. I can understand that each LDAP provider may have a different implementation for this type of large multivalue attribute issue but I have not been able to figure out in the case of eDirectory who is doing this "chunking" of values and how it can be detected or controlled. Can anyone provide me some help understanding how this data is being returned from eDirectory? I have not been able to find an explanation doing searches on JNDI or eDirectory that explains this behavior. In the testing I have done and looking at the TCP/IP dumps it would appear that JNDI is breaking the result coming from LDAP into multiple SearchResult entries. As mentioned, each SearchResult enties contains about 650 of the multi-valued attribute results which total about 20,000 bytes of information. Whoever is doing this knows the data is for the same DN value as the DN returned for all records by SearchResult.getObject()).getNameInNamespace() is the same.

  Curious if you ever came across a good solution for this?
  I'm running up against essentially the same thing; I have an application that needs to traverse potentially tens of thousands of entries within a given search base. Sort order is unimportant, speed is important. Having the directory administrator create vlv indexes is a non-starter.
  I did notice that I could have it sort on any attribute, even an attribute not in the schema (e.g., "hooHahFoo"), and get the same performance. Also noted that sorting by "dn" is broken in DS5.1, not in DS5.2.

• Microsoft AD, JNDI and LDAP

  Hello,
  I working to move an application off of Novell eDirectory onto Microsoft AD. The program successfully binds to AD, the search filter executes correctly and the attributes are returned as expected. However, the final call to searchResults.hasMore() is not returning! In other words, the final call, which should return false, is not returning at all.
  Any ideas?
  -Bryan
  try
  hashtable = null;
  hashtable = new Hashtable();
  hashtable.put("java.naming.ldap.version", "3");
  hashtable.put Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  hashtable.put(Context.SECURITY_AUTHENTICATION, "Simple");
  hashtable.put(Context.REFERRAL, "follow");
  hashtable.put(Context.PROVIDER_URL, url);
  hashtable.put(Context.SECURITY_PRINCIPAL, loginDN);
  hashtable.put(Context.SECURITY_CREDENTIALS, passwd);
  ctx = new InitialLdapContext(hashtable, null);
  SearchControls sc = new SearchControls();
  sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
  sc.setReturningAttributes(new String[] {"mailNickname", "givenName", "sn", "mail"});
  NamingEnumeration results = ctx.search(base, filter, sc);
  cns = new ArrayList(25);
  givenNames = new ArrayList(25);
  mails = new ArrayList(25);
  surNames = new ArrayList(25);
  while (results.hasMore()) // hangup occurring here when hasMore() should return false
  SearchResult sr = (SearchResult)results.next();
  Attributes attrs = sr.getAttributes();
  Enumeration enum = attrs.getAll();
  while (enum.hasMoreElements())
  System.out.println(enum.nextElement());
  cns.add((String)(attrs.get("mailNickname").get()));
  givenNames.add((String)(attrs.get("givenName").get()));
  surNames.add((String)(attrs.get("sn").get()));
  mails.add((String)(attrs.get("mail").get()));
  finally
  try {ctx.close();}
  catch (Exception e) {}
  }

  I'll take a bit of a stab at this, although your code sample seems to have some typos, missing a few braces and few catches.
  Anyway, there are some subtle differences between the behaviour of AD and other LDAP directories. One is that by default AD limits the number of objects that can be returned in a LDAP query to 1000. I think I described this in the post JNDI, Active Directory, Paging and Range Retrieval available at http://forum.java.sun.com/thread.jspa?threadID=578347&tstart=0
  Also there are differences in the behaviour of Enumeration.hasMore & Enumeration.hasMoreElements, Enumeration.hasMore throws exception s and will not return false, whereas hasMoreElements does not throw an exception and will return false. Have a look at http://java.sun.com/j2se/1.3/docs/api/javax/naming/NamingEnumeration.html
  So I'll assume that AD is causing an exception to be thrown, perhaps a SizeLimitExceededException or PartialResultsException.
  Either process the exception, or use hasMoreElements instead.

• Problem with ADS and LDAP

  Problem with ADS and LDAP
  I have installed Win2000 + sp1 and ADS on a computer. This computer is PDC.
  After connection via LDAP I cann't get any object ( users or goups etc. ).
  I try connect to ADS by java ( JNDI ).
  When I use another clients of LDAP ( eg. Maxware Directory Explorer) I have
  the same problem - no objects.
  Can anybody help me?
  Grzegorz Pszona
  my e-mail: [email protected]

  Thanks a lot.
  Softerra's browser is really good.
  Thanks
  Rashmi
  "Anant Kadiyala" <[email protected]> wrote:
  >
  I used Softerra's LDAP browser. The browser is free. There is also a
  java baded
  LDAP browser from Univ of Michigan. I found the Softerra browser to be
  more easier
  to use.
  -anant
  "rashmi" <[email protected]> wrote:
  Hi,
  Can you please let me know which exact ADS tool that you used to examine
  the
  DN. I have Active Directory Users and Computers, Sites and Servicesand
  Domain
  and Trusts installed on my machine but I am not able to figure out how
  to get
  the DN?
  Thanks
  Rashmi
  for Stephen Davies <[email protected]> wrote:
  Grzegorz,
  I have had WLS6.1 & ADS working ok using LDAP V2. Mind you it did take
  a
  fair bit of messing around to get it going. MS does have a few oddities,
  for example the Administrators DN might look something like this:
  cn=Administrator,cn=Users,dc=eglobal,dc=net
  One tool that I found invaluable came with the additional support tools
  for Windows 2000. The 'Active Directory Administration Tool' made it
  easy to list the directory contents and examine the DNs.
  Regards,
  Steve
  Stephen Davies
  Principal Consultant
  eGlobal Services Pty. Ltd.
  Sydney, Australia
  Ph. +61 2 9283 1033
  http://www.eglobal.net/

• Help please: re proper use of JNDI and Directory services

  I'm new to this J2EE/JDev stuff and have spent a few days pouring over Sun's JNDI and J2EE documentation as to how best to accomplish my task. Here's the big picture. I am constructing a web site in my PC at home for eventual deployment in an ISP server. I don't have an LDAP or COS server but ISPs usually do. I've found a public LDAP server I can use but the problem is getting an entry on the server that my JSP client and EJB server code can use to find my Entity bean and SQLServer database server respectively. The best I've been able to come up with is that I need to write my own Applet or client application to register my entries on that LDAPserver with appropriate Java attributes and then code my stuff to look it up using the DirContext class.
  As for how I pass my stuff into my EJB bean, I intend to use jndi.properties to specify custom properties that map logicals to the physical resources that DirContext routines act on and use System.getProperty("...") to retrieve them dynamically without having to recode later. I haven't figured out exactly how to do this for Servlets and JSPs yet so they can find the beans.
  I'm interested in any feedback to what I'm doing and how better to achieve my ends.
  As an aside, I noticed as I poured through Sun's J2EE container software that they seem to have embedded COS in their deploytool as a nice feature that would effectively solve my problem if JDeveloper could integrate such a capability. Their sample programs were pretty straight-forward in configuring JDBC and the beans. Any thoughts from the JDev team on providing a similar capability for OC4J?
  Thanks,
  Dean

  I would first left-click with the mouse on the camera icon (to enable/activate the snap shot feature), then I'd go with the mouse to the area I wanted to take the snapshot, click-and-drag so I would box-in the desired area to be copied/duplicated, then let go off the mouse (a ding wound then sound) and finally I would go to the page where I wanted to reproduce the snapshotted and left-click once with the mouse... And presto!
  Not so with 11-Pro. It allows me to paste onto a different program such as MS-Word (or Outliok), but not onto a PDF page.
  ⚽ is☝

• GSSAPI JNDI and Windows 2000

  Hello,
  I'm trying to use JNDI to access ActiveDirectory on Windows 2000. I am currently successful when providing a username and password using simple authentication, but I want to be able to use the Windows account information that the program is running under.
  I've tried to do this by creating a login conf file (using the NTLoginModule) and creating a LoginContext, logging in (I can then view the Principals associated with the Subject).
  try
  LoginContext lc = new LoginContext (this.getClass ().getName (), null);
  lc.login ();
  Subject.doAs (lc.getSubject (), new SimpleAction ());
  lc.logout ();
  catch (LoginException e)
  System.err.println (e.getMessage ());
  public class SimpleAction implements java.security.PrivilegedAction
  public java.lang.Object run ()
  Hashtable h = new Hashtable ();
  h.put (Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
  h.put (Context.PROVIDER_URL, "OU=foo,DC=b,DC=a,DC=r");
  h.put (Context.SECURITY_AUTHENTICATION, "GSSAPI");
  DirContext ctx = new InitialDirContext (env);
  do something interesting
  ctx.close ();
  Then using JNDI in a Subject.doAs call I set the Context.SECURITY_AUTHENTICATION to "GSSAPI". This throws the following error:
  GSSAPI
  Error connecting to 'OU=foo,DC=b,DC=a,DC=r' on '<server>'. Please ensure that the LDAP Server is running and that the configuration parameters are correct.
  I followed (I thought) the examples based on http://java.sun.com/products/jndi/tutorial/ldap/security/src/GssExample.java
  and it works fine if I use "simple" authentication.
  Any ideas as to why AD throws it back?
  Regards

  I hope that this helps. Now I am on to seeing about
  GSSYes, how did you go with the GSS? I cannot get it to work.
  I followed your suggestions as before and my authentication works, now I'm trying to use GSS authentication to my Active Directory through LDAP and I get errors. My JAAS Authentication works fine.
  I'm using the following example URL http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html
  My errors start as follows:
  ... [authentication info before this]
  Credentials acquireServiceCreds: same realm
  CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
  EType: sun.security.krb5.internal.crypto.DesCbcMd5ETypejavax.naming.AuthenticationException: GSSAPI. Root exception is com.sun.securit
  y.sasl.preview.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: _kerberos._udp.OBJADS.OBJECTIVE: _kerberos._udp.OBJADS.OBJECTIVE)]
  at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:180)
  at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:324)
  at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:399)
  at com.sun.jndi.ldap.LdapClient.authenticateLdapClient.java:215)
  at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2597)
  at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:275)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLLdapCtxFactory.java:173)
  at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:191
  ... and so on
  Thanks, Philip

• JNDI and JDK 1.2

  Hello everyone,
  I am trying to add entries into an LDAP using JDK 1.2 and JNDI. I have succesfully removed and listed entries(I added the entries by using JDK 1.3), but still cannot add anything to the LDAP.
  I have been using an LDAP browser to verify that the entries that I added with JDK 1.3 where indeed added. In conjuction with JDK 1.2, I have been pointing my classpath to the jndi.jar file. I have also added the providerutil.jar, and ldap.jar file to my classpath.
  Perhaps I am missing another jar file. I have download and put in my classpath, from sun's JNDI website
  (http://www.columbia.edu/~he99/jndi-ext.html) these packages ( meaning all of the jar files contained in
  these packages). I put all of them in one folder and pointed to the folder from my classpath:
  JNDI 1.2.1
  LDAP 1.2.4
  DNS 1.2
  NIS 1.2.1
  FS Context
  COS Naming 1.2.1
  I also tried using the -classpath option while compiling and running my code to explicitly and individually
  point to each jar file. I am aware that there are two different versions of the provierutil.jar file among the
  above mentioned packages. The one that is 79 KB is the only one that works, however. I have also tried
  pointing to only the individual packages from my classpath. Also, I have tried mixing and matching different
  jar files from different packages.
  I get the error message printed below this paragraph when trying to add an entry with JDK 1.2(using JNDI), but no error messages when trying to list or remove an entry. With JDK 1.3, I get none of these error messages (Im using the same exact code for both JDK 1.2 and JDK 1.3, with the exception that I add the JNDI and other necessary jar files when using JDK 1.2).
  javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute not allowed]; remaining
  name 'cn=haro,ou=MDS3'
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Compiled Code)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(Compiled Code)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(Compiled Code)
  at com.sun.jndi.ldap.LdapCtx.c_bind(Compiled Code)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_bind(Compiled Code)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.bind(Compiled Code)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.bind(Compiled Code)
  at javax.naming.directory.InitialDirContext.bind(Compiled Code)
  at AddService.main(Compiled Code)
  This may have to do something with what is said here:
  http://www.columbia.edu/~he99/jndi-ext.html
  Particularly the following:
  "When a Reference is read from the naming or directory service and a codebase specifying where to load
  the factory class for the reference has been specified, JNDI will attempt to load the class from the
  locations specified in code base. In order for the class loading to succeed, you must grant the application
  the permissions appropriate for the URLs named in the codebase. For example, if the URL scheme is "http"
  or "ftp", you must grant the application the appropriate java.net.SocketPermission; if the URL scheme is
  "file", you must grant the application the appropriate java.io.FilePermission.
  If you are using JNDI as an installed extension, that is, jndi.jar has been installed in the
  $JAVA_HOME/jre/lib/ext directory, you need to take no further action."
  I have created a directory in unix and made a jre folder with lib and ext as a subfolders and then
  made the variable "$JAVA_HOME" point to that directory, in which I put all of the jar files from those
  packages (with the 79 KB providerutil jar). Still, I get the same error message.
  Does anyone know how to resolve this problem? (My development team has coded everything with JDK 1.2 so far and cannot migrate to JDK 1.3 so late in our implementation).

  ref13E,
  I think it's not because of the jdk. I use jdk1.4 and get the same exception.
  Wht is the LDAP server that you use? We use AD.
  Regards,
  George

• Single sign-on using Kerberos and Ldap

  I am currently setting up single sign-on using Kerberos for authentication and Ldap for authorization and information store.
  The setup includes several Solaris 8 & 9 workstations, a couple of SGI's, as well as a M$ terminal server farm, several WinXP desktops and their associated Active Directory.
  I am required to authenticate etc against the AD. (which has M$ SFU3.5 installed)
  I have the Kerberos authentication and part of the Ldap service working via pam & nss.
  ie. I can logon to the solaris worksatations using the AD username and password, mount the home directory from a M$ NFS server.
  BUT...
  id gives:- userID, groupID (primary group only)
  groups :- primary group only. (no secondary groups are listed)
  Question: what additional configuration information do I need in the pam, nss &/or ldap config files, so that I can list the secondary groups.
  Thanks in advance for any help.

  After evaluating (giving up on, and finally throwing out) the Sun Directory server it looks like we are going to endup with a similar solution..
  Sadly enough, the MS AD seems much more stable and easier to handle than Suns DS, kerberos and associated services.
  Anyway, currently we are evaluating a product called vintela ( www.vintela.com ), and it seems very promising; its easy, robust, stable and does what we require it to do, as well as more :) It comes with an additional nss module called 'vas', so you easily can retrieve data like hosts/groups from your AD.
  //M.

• What is the recommended way of connecting to repository out of WebDAV, RMI, JNDI and JCA connector ?

  What is the recommended way of connecting to repository out of WebDAV, RMI, JNDI, and JCA connector possibilities provided by CQ 5.5?

  Hi dp_adusumalli,
  I recognized your list of ~8 questions you posted at around the same time, as I received that same list in our customer implementation from Arif A., from the India team, visiting San Jose. :-)
  I provided him feedback for most of the questions, so please check back with Arif for that info.
  For this particular question, can you provide specifics for the types of interactions you are interested in?
  Understanding the kinds of things you need to achieve will help determine which of the CQ/CRX interfaces is best suited for the task(s).
  I've collated a few points on this subject on this page:
  Manipulating the Adobe WEM/CQ JCR
  Regards,
  Paul

• Adding phones and users with bat and LDAP sync

  What are the various ways of importing users with phones when the Communications Manager 9.0 is sync'd with LDAP.  Also, what method is the easiest and fastest?
  For example, I could do the following steps:
  Sync CUCM with LDAP to import new users, add phones using bat files, manually update users to associate devices etc
  I believe I should also be able to do the above method and use a bat file to update the users to associate devices etc.  This method still involves 2 steps and the creation of 2 seperate bat files.
  In CUCM version 9 it is possible to have local and LDAP users, so is it possible to add the phones and users using the phones/users tab of the bat file and have them beocme LDAP users?
  Thank you,
  Danny

  #1 Remove this embedded CSS code from your HTML document(s).  You don't need it.
  body {
      background-color: #CCC;
  body,td,th {
      color: #FFF;
      font-size: 14px;
  #2 Open  PW.css file and add this to the top:
  body {
  font-family: Arial, Helvetica, sans-serif;
  font-size: 14px;
  background-color: #CADFEB;
  /**or insert a background-image using the CSS editor**/
  #3 Remove font-family and font-size from all your other CSS selectors.  You don't need to duplicate styles on every element. 
  #4 Replace this:
  #content {
      position:absolute;
      left:199px;
      top:10px;
      width:860px;
      z-index:1;
      right: auto;
      background-color: #FFF;
      text-align: center;
      color: #000;
      height: auto;
  with this:
  #content {
       width:860px;
       margin: 20px auto;
       border: 4px solid silver;
       background-color: #FFF;
       text-align: center;
       color: #000;
       -moz-box-shadow: 5px 5px 5px #888;
       -webkit-box-shadow: 5px 5px 5px #888;
       box-shadow: 5px 5px 5px #888;
  #5 Save your PW.css file and upload to server.
  Nancy O.
  Alt-Web Design & Publishing
  Web | Graphics | Print | Media  Specialists 
  http://alt-web.com/
  http://twitter.com/altweb

• OBIEE and LDAP problem

  Hi all!
  After connecting our OBIEE 11.1.1.5 to LDAP we faced with a strange problem: after one user enters the system any next user logged in has the same privileges in OBIEE as the first one.
  We turned off the following caches:
  - WebLogic Principal Validator Cache in a security realm Performance section
  - Group Membership Lookup Hierarchy Caching in our LDAP authentication provider Performance section
  But the problem still occurs. Does anyone have any suggestions on this?

  Hi I was having endless issues with OBIEE and LDAP, I followed the exact steps here:
  http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#SECMG169
  These worked for me, so you could check for a start these recommended setting are same in your environment.
  Thanks

• XI 3.1 Client Tools and LDAP Authentication

  I have Business Objects XI 3.1 SP2 installed.  For the web clients (InfoView) single sign on and LDAP authentication are working correctly.  However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
  [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
  Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

  Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
  Take a look at note 1272536 (http://service.sap.com/notes)
  Regards,
  Stratos

• I want to see list of Disabled user from AD and LDAP

  Hi
  i wan see the list of disabled user from AD and LDAP and it shows in the next page as Tabular format
  having all the details of AD (Attributes)

  Hi
  i wan see the list of disabled user from AD and LDAP and it shows in the next page as Tabular format
  having all the details of AD (Attributes)

• Connected MDM and LDAP, but but now what? Why user mapping?

  Hi Gurus,
  In my last thread, I posted that I was not able to connect MDM with LDAP. I was finally able to.
  My problem now is I have to define user mapping in SAP Portal for the MDM business iViews to work.
  By connecting MDM and LDAP, I got the benefit that now the authentication and authorization is happening via LDAP.
  But this does eliminate the need for user mapping. If this is the case then why the real benefit of using LDAP?
  In this case this becomes worse as I need to know the user's LDAP Password which no body will share for sure.
  Any ideas? I want to get rid off this user mapping stuff.
  Warn Regards,
  Karan

  without knowing specifics of ur architecture, i can quickly point out two things:
  1)  LDAP is primarily used for authentication, true.
  2) Portal User mapping should not be an issue if u already have portal tied up to the active directory or some kind of single sign on?
  So portal knows the users who has logged it, polls the Active directory for authentication and Active directory logs into MDM with that users role.
  -Sudhir

• ISE and LDAP Integration

  Hello,
  I have a question about the LDAP integration with the ISE:
  Since the ISE has a limitation of reading only 100 groups, I cannot find the groups that I need to use on the authorization, and also the ISE cannot find group if I search for it directly.
  What I mean here, that I can fetch the first 100 groups from the top of the directory, but when I search as example for any group (appear on the list or not) the ISE did not find it.
  Even I tried to change the base DN and the search DN but without luck.
  The ISE version is 1.1.4 installed on VM and the LDAP schema is AD.
  Is there any missing information/tips required in such integration?

  Hello,
  I found a cisco doc that provides resolution of Key Features of Integration of Cisco ISE and LDAP .I hope this helps!
  This section contains the following:
  •Directory  Service
  •Multiple  LDAP Instances
  •Failover
  •LDAP  Connection Management
  •User  Authentication
  •Authentication  Using LDAP
  •Binding  Errors
  •User  Lookup
  •MAC  Address Lookup
  •Group  Membership Information Retrieval
  •Attributes  Retrieval
  •Certificate  Retrieval
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1059913