Microsoft AD, JNDI and LDAP
Hello,
I am working to move an application off of Novell eDirectory onto Microsoft AD. The program successfully binds to AD, the search filter executes correctly and the attributes are returned as expected. However, the final call to searchResults.hasMore() is not returning! In other words, the final call, which should return false, is not returning at all.
Any ideas?
-Bryan
    import java.util.ArrayList;
    import java.util.Enumeration;
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;

    // Fragment of a method that declares "throws NamingException"; url, loginDN, passwd,
    // base and filter are fields set elsewhere.
    try {
        hashtable = new Hashtable();
        hashtable.put("java.naming.ldap.version", "3");
        hashtable.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put(Context.SECURITY_AUTHENTICATION, "Simple");
        hashtable.put(Context.REFERRAL, "follow");
        hashtable.put(Context.PROVIDER_URL, url);
        hashtable.put(Context.SECURITY_PRINCIPAL, loginDN);
        hashtable.put(Context.SECURITY_CREDENTIALS, passwd);
        ctx = new InitialLdapContext(hashtable, null);
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"mailNickname", "givenName", "sn", "mail"});
        NamingEnumeration results = ctx.search(base, filter, sc);
        cns = new ArrayList(25);
        givenNames = new ArrayList(25);
        mails = new ArrayList(25);
        surNames = new ArrayList(25);
        while (results.hasMore()) { // hangup occurring here when hasMore() should return false
            SearchResult sr = (SearchResult) results.next();
            Attributes attrs = sr.getAttributes();
            // Attributes.getAll() returns a NamingEnumeration, which is also a java.util.Enumeration.
            // Renamed from 'enum', which is a reserved word since Java 5.
            Enumeration attrEnum = attrs.getAll();
            while (attrEnum.hasMoreElements()) {
                System.out.println(attrEnum.nextElement());
            }
            // Note: attrs.get(name) returns null when the entry lacks that attribute.
            cns.add((String) attrs.get("mailNickname").get());
            givenNames.add((String) attrs.get("givenName").get());
            surNames.add((String) attrs.get("sn").get());
            mails.add((String) attrs.get("mail").get());
        }
    } finally {
        try { ctx.close(); } catch (Exception e) {}
    }
I'll take a bit of a stab at this, although your code sample seems to have some typos, missing a few braces and few catches.
Anyway, there are some subtle differences between the behaviour of AD and other LDAP directories. One is that by default AD limits the number of objects that can be returned in a LDAP query to 1000. I think I described this in the post JNDI, Active Directory, Paging and Range Retrieval available at http://forum.java.sun.com/thread.jspa?threadID=578347&tstart=0
Also there are differences in the behaviour of Enumeration.hasMore & Enumeration.hasMoreElements: Enumeration.hasMore throws exceptions and will not return false, whereas hasMoreElements does not throw an exception and will return false. Have a look at http://java.sun.com/j2se/1.3/docs/api/javax/naming/NamingEnumeration.html
So I'll assume that AD is causing an exception to be thrown, perhaps a SizeLimitExceededException or PartialResultsException.
Either process the exception, or use hasMoreElements instead.
Similar Messages
-
Hi,
I'm trying to get an InitialLdapContext object to work with LDAP.
Currently I am able to do that by using:
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, ...);
env.put(Context.PROVIDER_URL, ...);
env.put(Context.REFERRAL, "ignore");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, ...);
env.put(Context.SECURITY_CREDENTIALS, ...);
InitialLdapContext ctx = new InitialLdapContext(env, null);
I would like to know if it is possible to avoid specifying the 'Context.SECURITY_...' items in the code by using the values specified in the server configuration (console).
I was told to use JNDI lookup. Any ideas?
Thanks in advance,
Tito Lopes
Or Microsoft Active Directory Application Mode (ADAM). Details are available at http://www.microsoft.com/windowsserver2003/adam/default.mspx and it can be downloaded from a link on that page.
-
I have also posted this on Novell forums and it seems to only happen when the LDAP target is eDirectory.
I am writing a JAVA program that uses JNDI to access LDAP data sources and I have run into an interesting problem when accessing eDirectory. The issue is that when I query on objects that involve a multivalue attribute and that multivalue attribute contains a large number of values then I appear to be getting back multiple records in my JNDI result set. For example, when I am going after an object in the LDAP Directory that is a "group" and there is a multivalue object within that record called "member" and if there are a large number of member values (say 30,000 or so) then I will get multiple results in the JNDI Result set for the same DN value. The first record will contain all the normal attributes plus the first 650 or so member attribute values. Subsequent records will contain only the member attribute with more values. Each record is associated with the same DN value. When I do the same type of thing going against an Active Directory the member attribute will be returned with an id of "member;range=0-1499" indicating that a range retrieval is required to get the remaining attributes BUT with AD I only get a single record back in the result set and it is up to my code to make the appropriate calls to get the remaining records. I can understand that each LDAP provider may have a different implementation for this type of large multivalue attribute issue but I have not been able to figure out in the case of eDirectory who is doing this "chunking" of values and how it can be detected or controlled. Can anyone provide me some help understanding how this data is being returned from eDirectory? I have not been able to find an explanation doing searches on JNDI or eDirectory that explains this behavior. In the testing I have done and looking at the TCP/IP dumps it would appear that JNDI is breaking the result coming from LDAP into multiple SearchResult entries.
As mentioned, each SearchResult entry contains about 650 of the multi-valued attribute results which total about 20,000 bytes of information. Whoever is doing this knows the data is for the same DN value as the DN returned for all records by SearchResult.getObject()).getNameInNamespace() is the same.
Curious if you ever came across a good solution for this?
I'm running up against essentially the same thing; I have an application that needs to traverse potentially tens of thousands of entries within a given search base. Sort order is unimportant, speed is important. Having the directory administrator create vlv indexes is a non-starter.
I did notice that I could have it sort on any attribute, even an attribute not in the schema (e.g., "hooHahFoo"), and get the same performance. Also noted that sorting by "dn" is broken in DS5.1, not in DS5.2.
-
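The AD side of the post above (a "member;range=0-1499" attribute ID meaning the client must ask for the rest itself) is what this added example implements; it is not code from the thread. readAllValues keeps re-requesting the attribute as "member;range=N-*" until AD answers with an ID whose upper bound is "*", which marks the final chunk; nextRangeRequest is the pure helper that works out the next request from a returned ID. The DirContext, DN and attribute name are whatever the caller supplies.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;

public class RangeRetrieval {
    // AD returns a large multi-valued attribute under an ID such as "member;range=0-1499";
    // the last chunk carries an open upper bound, e.g. "member;range=3000-*".
    private static final Pattern RANGE_ID =
        Pattern.compile("^([A-Za-z0-9-]+);range=(\\d+)-(\\d+|\\*)$", Pattern.CASE_INSENSITIVE);

    /** Given the attribute ID AD returned, the ID to request next, or null if that chunk was the last. */
    static String nextRangeRequest(String returnedId) {
        Matcher m = RANGE_ID.matcher(returnedId);
        if (!m.matches()) {
            return null;            // plain "member": everything came back in one piece
        }
        if ("*".equals(m.group(3))) {
            return null;            // "N-*" marks the final chunk
        }
        long nextStart = Long.parseLong(m.group(3)) + 1;
        return m.group(1) + ";range=" + nextStart + "-*";
    }

    /** Reads every value of a possibly ranged multi-valued attribute from one AD entry. */
    public static List<String> readAllValues(DirContext ctx, String dn, String attrName)
            throws NamingException {
        List<String> values = new ArrayList<String>();
        String prefix = attrName.toLowerCase() + ";range=";
        String request = attrName;
        while (request != null) {
            Attributes attrs = ctx.getAttributes(dn, new String[] { request });
            String next = null;
            NamingEnumeration<? extends Attribute> all = attrs.getAll();
            while (all.hasMore()) {
                Attribute a = all.next();
                String id = a.getID();
                // AD answers a ranged request with the chunk's real bounds as the attribute ID.
                if (id.equalsIgnoreCase(attrName) || id.toLowerCase().startsWith(prefix)) {
                    NamingEnumeration<?> vals = a.getAll();
                    while (vals.hasMore()) {
                        values.add(vals.next().toString());
                    }
                    next = nextRangeRequest(id);
                }
            }
            request = next;         // null once the final chunk (or an unranged attribute) was read
        }
        return values;
    }
}
```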
Problem with ADS and LDAP
I have installed Win2000 + sp1 and ADS on a computer. This computer is PDC.
After connection via LDAP I can't get any object (users or groups etc.).
I try to connect to ADS by java (JNDI).
When I use other clients of LDAP (eg. Maxware Directory Explorer) I have the same problem - no objects.
Can anybody help me?
Grzegorz Pszona
my e-mail: [email protected]
Thanks a lot.
Softerra's browser is really good.
Thanks
Rashmi
"Anant Kadiyala" <[email protected]> wrote:
I used Softerra's LDAP browser. The browser is free. There is also a java based LDAP browser from Univ of Michigan. I found the Softerra browser to be easier to use.
-anant
"rashmi" <[email protected]> wrote:
Hi,
Can you please let me know which exact ADS tool that you used to examine the DN. I have Active Directory Users and Computers, Sites and Services and Domain and Trusts installed on my machine but I am not able to figure out how to get the DN?
Thanks
Rashmi
"Stephen Davies" <[email protected]> wrote:
Grzegorz,
I have had WLS6.1 & ADS working ok using LDAP V2. Mind you it did take a fair bit of messing around to get it going. MS does have a few oddities, for example the Administrators DN might look something like this:
cn=Administrator,cn=Users,dc=eglobal,dc=net
One tool that I found invaluable came with the additional support tools for Windows 2000. The 'Active Directory Administration Tool' made it easy to list the directory contents and examine the DNs.
Regards,
Steve
Stephen Davies
Principal Consultant
eGlobal Services Pty. Ltd.
Sydney, Australia
Ph. +61 2 9283 1033
http://www.eglobal.net/
-
XI 3.1 Client Tools and LDAP Authentication
I have Business Objects XI 3.1 SP2 installed. For the web clients (InfoView) single sign on and LDAP authentication are working correctly. However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
[repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?
Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
Take a look at note 1272536 (http://service.sap.com/notes)
Regards,
Stratos -
Help please: re proper use of JNDI and Directory services
I'm new to this J2EE/JDev stuff and have spent a few days poring over Sun's JNDI and J2EE documentation as to how best to accomplish my task. Here's the big picture. I am constructing a web site on my PC at home for eventual deployment on an ISP server. I don't have an LDAP or COS server but ISPs usually do. I've found a public LDAP server I can use but the problem is getting an entry on the server that my JSP client and EJB server code can use to find my Entity bean and SQLServer database server respectively. The best I've been able to come up with is that I need to write my own Applet or client application to register my entries on that LDAP server with appropriate Java attributes and then code my stuff to look it up using the DirContext class.
As for how I pass my stuff into my EJB bean, I intend to use jndi.properties to specify custom properties that map logicals to the physical resources that DirContext routines act on and use System.getProperty("...") to retrieve them dynamically without having to recode later. I haven't figured out exactly how to do this for Servlets and JSPs yet so they can find the beans.
I'm interested in any feedback on what I'm doing and how better to achieve my ends.
As an aside, I noticed as I pored through Sun's J2EE container software that they seem to have embedded COS in their deploytool as a nice feature that would effectively solve my problem if JDeveloper could integrate such a capability. Their sample programs were pretty straightforward in configuring JDBC and the beans. Any thoughts from the JDev team on providing a similar capability for OC4J?
Thanks,
Dean
I would first left-click with the mouse on the camera icon (to enable/activate the snapshot feature), then I'd go with the mouse to the area I wanted to take the snapshot of, click-and-drag so I would box in the desired area to be copied/duplicated, then let go of the mouse (a ding would then sound) and finally I would go to the page where I wanted to reproduce the snapshot and left-click once with the mouse... And presto!
Not so with 11-Pro. It allows me to paste into a different program such as MS-Word (or Outlook), but not onto a PDF page.
-
Hello experts,
how can I establish a connection between XI and Novell eDirectory or Microsoft Active Directory via LDAP?
Best regards
David
Hi,
You can use one of the below adapters:
1. HTTP(S)
2. SOAP
Regards,
Srilatha. -
Is there any way on an LDAP server to create an LDAP group that can be tied to the WLC for LDAP authentication. I have this url that explains local authentication and LDAP... http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml . That helps with local authentication but one thing I don't see is any guidance on how to create a group in a DC to communicate with anything on WLC. Any ideas?
You are right. You need a radius server overall that integrates with AD and do AD-to-radius group mapping. This way authentication is allowed/denied from radius, not WLC itself.
If the user can get a radius server to achieve this that will be great (especially if the user is using 802.1x/EAP authentication). If not, what I described about OU mapping is the only solution to get the users classified as per what I understood from the user's requirements.
The user is not only limited to Microsoft RADIUS (IAS or NPS). Any radius server that supports AD group mapping can be used. With Cisco ACS for example this is supported as well. I am not sure if this is also supported with open-source radius (openRadius for example). But if it is then openRadius can also be used.
-
Hi to all,
I want to use local-eap+LDAP (Microsoft AD) and I'm experiencing some issues.
First of all I'm not able to bind WLC and LDAP... if I perform a debug aaa ldap enable I get this output:
Any idea about how to solve this issue?
Regards
Ale
It sounds like .... invalid credentials ? :-)
Please post your LDAP config on WLC.
Is your admin username with which you're binding within the search context that you defined ? this is very important -
Technical Proposal questionnaire on workflow and LDAP
Detail how interfacing can be done directly between ERP and LDAP servers (Microsoft Active Directory) without using middleware (Max 10 Points)
Explain SAP provided generic functions available to programmatically manipulate LDAP servers.
This is not a "quiz show"... this is a discussion forum... if you have a problem/doubt explain your scenario in detail.
No cross posting
Read the "Rules of Engagement"
Juan -
Exchange and LDAP Installation
On a virtual machine I've installed Creative Suite 2 (Reader Extension, JBoss, MySql, Workbench, Flash, Reader). In regards to Exchange Server and LDAP...what information do I need to provide my Information System server administration to install the two items above. Do I just say I need LDAP Server (Microsoft Active Directory 2003) and Microsoft Exchange 2003? How specific do I need to be?
I'm assuming you mean Microsoft Exchange.
Exchange settings can be accessed through Active Directory (which has an LDAP interface).
Here are the schema details:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wss/wss/wss_ldf_AD_Schema_intro.asp -
Hello,
I'm trying to use JNDI to access ActiveDirectory on Windows 2000. I am currently successful when providing a username and password using simple authentication, but I want to be able to use the Windows account information that the program is running under.
I've tried to do this by creating a login conf file (using the NTLoginModule) and creating a LoginContext, logging in (I can then view the Principals associated with the Subject).
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.security.auth.Subject;
    import javax.security.auth.login.LoginContext;
    import javax.security.auth.login.LoginException;

    // Inside the calling method: log in through JAAS, then run the JNDI work as that Subject.
    try {
        LoginContext lc = new LoginContext(this.getClass().getName(), null);
        lc.login();
        Subject.doAs(lc.getSubject(), new SimpleAction());
        lc.logout();
    } catch (LoginException e) {
        System.err.println(e.getMessage());
    }

    public class SimpleAction implements java.security.PrivilegedAction {
        public java.lang.Object run() {
            Hashtable h = new Hashtable();
            h.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            h.put(Context.PROVIDER_URL, "OU=foo,DC=b,DC=a,DC=r");
            h.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
            try {
                DirContext ctx = new InitialDirContext(h); // was 'env', which is not declared here
                // do something interesting
                ctx.close();
            } catch (NamingException e) {
                System.err.println(e.getMessage());
            }
            return null;
        }
    }
Then using JNDI in a Subject.doAs call I set the Context.SECURITY_AUTHENTICATION to "GSSAPI". This throws the following error:
GSSAPI
Error connecting to 'OU=foo,DC=b,DC=a,DC=r' on '<server>'. Please ensure that the LDAP Server is running and that the configuration parameters are correct.
I followed (I thought) the examples based on http://java.sun.com/products/jndi/tutorial/ldap/security/src/GssExample.java
and it works fine if I use "simple" authentication.
Any ideas as to why AD throws it back?
Regards
I hope that this helps. Now I am on to seeing about GSS
Yes, how did you go with the GSS? I cannot get it to work.
I followed your suggestions as before and my authentication works, now I'm trying to use GSS authentication to my Active Directory through LDAP and I get errors. My JAAS Authentication works fine.
I'm using the following example URL http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html
My errors start as follows:
... [authentication info before this]
Credentials acquireServiceCreds: same realm
CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
javax.naming.AuthenticationException: GSSAPI. Root exception is com.sun.security.sasl.preview.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: _kerberos._udp.OBJADS.OBJECTIVE: _kerberos._udp.OBJADS.OBJECTIVE)]
at com.sun.security.sasl.gsskerb.GssKerberosV5.evaluateChallenge(GssKerberosV5.java:180)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.sun.jndi.ldap.LdapClient.saslBind(LdapClient.java:399)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2597)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:275)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:173)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:191)
... and so on
Thanks, Philip -
Hello everyone,
I am trying to add entries into an LDAP using JDK 1.2 and JNDI. I have successfully removed and listed entries (I added the entries by using JDK 1.3), but still cannot add anything to the LDAP.
I have been using an LDAP browser to verify that the entries that I added with JDK 1.3 were indeed added. In conjunction with JDK 1.2, I have been pointing my classpath to the jndi.jar file. I have also added the providerutil.jar and ldap.jar file to my classpath.
Perhaps I am missing another jar file. I have downloaded and put in my classpath, from Sun's JNDI website (http://www.columbia.edu/~he99/jndi-ext.html), these packages (meaning all of the jar files contained in these packages). I put all of them in one folder and pointed to the folder from my classpath:
JNDI 1.2.1
LDAP 1.2.4
DNS 1.2
NIS 1.2.1
FS Context
COS Naming 1.2.1
I also tried using the -classpath option while compiling and running my code to explicitly and individually point to each jar file. I am aware that there are two different versions of the providerutil.jar file among the above mentioned packages. The one that is 79 KB is the only one that works, however. I have also tried pointing to only the individual packages from my classpath. Also, I have tried mixing and matching different jar files from different packages.
I get the error message printed below this paragraph when trying to add an entry with JDK 1.2 (using JNDI), but no error messages when trying to list or remove an entry. With JDK 1.3, I get none of these error messages (I'm using the same exact code for both JDK 1.2 and JDK 1.3, with the exception that I add the JNDI and other necessary jar files when using JDK 1.2).
javax.naming.directory.SchemaViolationException: [LDAP: error code 65 - attribute not allowed]; remaining
name 'cn=haro,ou=MDS3'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Compiled Code)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Compiled Code)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Compiled Code)
at com.sun.jndi.ldap.LdapCtx.c_bind(Compiled Code)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_bind(Compiled Code)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.bind(Compiled Code)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.bind(Compiled Code)
at javax.naming.directory.InitialDirContext.bind(Compiled Code)
at AddService.main(Compiled Code)
This may have to do something with what is said here:
http://www.columbia.edu/~he99/jndi-ext.html
Particularly the following:
"When a Reference is read from the naming or directory service and a codebase specifying where to load the factory class for the reference has been specified, JNDI will attempt to load the class from the locations specified in code base. In order for the class loading to succeed, you must grant the application the permissions appropriate for the URLs named in the codebase. For example, if the URL scheme is "http" or "ftp", you must grant the application the appropriate java.net.SocketPermission; if the URL scheme is "file", you must grant the application the appropriate java.io.FilePermission.
If you are using JNDI as an installed extension, that is, jndi.jar has been installed in the $JAVA_HOME/jre/lib/ext directory, you need to take no further action."
I have created a directory in unix and made a jre folder with lib and ext as subfolders and then made the variable "$JAVA_HOME" point to that directory, in which I put all of the jar files from those packages (with the 79 KB providerutil jar). Still, I get the same error message.
Does anyone know how to resolve this problem? (My development team has coded everything with JDK 1.2 so far and cannot migrate to JDK 1.3 so late in our implementation).
ref13E,
I think it's not because of the jdk. I use jdk1.4 and get the same exception.
What is the LDAP server that you use? We use AD.
Regards,
George -
SQL FBA and LDAP FBA working on SharePoint2013
Hi,
Is it possible that SQL FBA and LDAP FBA can work together to access SharePoint2013?
If so, how can this be done?
Kind Regards
Trixxter921
Following is the link for a similar post in SharePoint 2010
http://social.technet.microsoft.com/Forums/sharepoint/en-US/6a485e73-5501-48bc-aac1-9d44a2146393/configuring-forms-based-authentication-using-both-an-ldap-provider-and-a-sql-provider?forum=sharepointadminprevious
Please Mark it as answer if this reply helps you in resolving the issue,It will help other users facing similar problem -
To start at the beginning....no, that's not fair, that goes all the way back to March 24th!
My hard drive has been wiped clean twice now...First time was not by MY choice...the guy from India just talked me through it, with no warning of what was going to be the result. What a nightmare!
This 2nd time when I have "retrieved" my files from my external hard drive...my documents are there....just can't open them!
Following messages when opening Word or Outlook:
"Please wait...."etc. "Configuration in Progress Microsoft Office Home and Business".... which takes forever!
Then:
"Your AutoCorrect file: c:\users\Tosi\AppData\Roaming\Microsoft\Office\MSO1033.acl, could not be saved. the file may be read only, or you man not have permission to modify the file."
Then:
"Word cannot open existing file (Normal)
In trying to open Outlook...
Big red circle with an X in it: Could not install the custom actions. The form Cache file c:\users\Tosi\AppData\Local\Microsoft\Forms\FRMCACHE>DAT is not valid. Contact your administrator.
The same message as Word "Your AutoCorrcet....etc....MSO1033.acl ...etc. "
I have tried to change permissions...no luck. How do I get FULL control over my own computer? Please!
When I do finally get Outlook open, nothing is in there. I looked for my Outlook Data folder and I see that my .pst data file is in 5 places, yet it is not connecting with Outlook. No mail, address or calendar are in there. (to back
track...the first time I retrieved my stuff off the hard drive everything worked)
Microsoft has promised numerous times to assist me to resolve these problems through very lovely emails but no one has called to follow up and help me. I really need help and I am running out of patience.
Soon I will be saying "Goodbye Microsoft! Goodbye Dell! Hello Apple!"
Help please!
Thank you,
SMTosi
As per your description, it seems the installation of Office has got completely corrupted. I would suggest you completely remove Office 2010 from your computer and then reinstall it.
For how to remove/uninstall Office from your computer, I would suggest you to use Microsoft Fix It tool:
http://support.microsoft.com/kb/971179
After uninstalling Office, please restart your computer then try a reinstallation. If you don't have the Office 2010 installation source or DVD, please go to this website to get Office 2010 installation package:
http://office.microsoft.com/en-us/products/microsoft-office-2010-backup-FX101853122.aspx (you might need to provide the product key of Office 2010)
Hope this helps. Thanks a lot for your patience.
Thanks,
Ethan Hua CHN
TechNet Community Support