Solution: Active Directory over LDAP over SSL

Similar Messages

• Creating users in Active Directory through LDAP connector

  Hello,
  If we need to create users in Active directory using LDAP connector, what are the options for the following:
  1) Update back into SAP from AD. LDAP connector updates only in one direction i.e from SAP to Active directory.
  2) Can we add additional fields in LDAPMAP which are not standard e.g can we we write our own code to extract data from HR to map the value with an attritube within Active directory?
  Regards,
  Ahmad

  Hello!
  I noticed the email in my inbox and understand the reason for deleting it - checked the rules again - no problem with that.
  Here is the posting again - sanitized this time.
  You can create users in LDAP/AD from SAP without a problem. SAP provides function modules to create/maintain/delete users with LDAP attributes in the correct ou path.
  You can also perform group membership assignment in LDAP from SAP if needed.
  I have done this quite a few times at different companies that use SAP HCM.
  A userid in SAP is created automatically during hiring action with default password e.g. birthday of employee and certain authorization roles based on configured information.
  The userid is then created right away in LDAP in the correct ou path (controlled via custom configuration table) and LDAP group membership is assigned.
  A job runs every 8 hours to perform delta updates in LDAP.
  The userid in SAP and LDAP are locked automatically if the user is terminated using termination action in HR.

• MS Active Directory as LDAP Server - Email & Group variables do not pickup values

  Hello Experts
  We have OBIEE 10.1.3.4.2 using MS Active Directory as LDAP Server. Init Block "Authentication" (4 variables setup - USER, DISPLAYNAME, EMAIL and GROUP) seems to work fine, but when you do a "Test" and supply userid and password , only USER and DISPLAYNAME showup. Email and Group variables are blank.
  Please help .  Thanks  lot in advance.
  Regards.

  Hello Srini
  Just USER and DISPLAYNAME variables get populated and I think they are coming from MSAD. However, the Email and Group membership information from MSAD does not flow back to OBIEE Server.
  Regards

• Filtering Groups on Windows Active Directory using LDAP Authentication

  Hi All,
  I have small module that filters the groups from the Windows AD using LDAP attributes and flushes the data into the DB[code below].
  This module was developed and tested on weblogic 8.1[on windows]and works fine.
  Now the same is moved to another environment- Websphere on Linux Suse. The code fails to retreieve any value from the Windows AD.
  Please note no exception is aslo thrown.
  env.put(Context.INITIAL_CONTEXT_FACTORY,ldapCtxFactory);
            //set security credentials, note using simple cleartext authentication
            env.put(Context.SECURITY_AUTHENTICATION,authentication);
            env.put(Context.SECURITY_PRINCIPAL,adminName);
            env.put(Context.SECURITY_CREDENTIALS,adminPassword);
            //connect to my domain controller
            env.put(Context.PROVIDER_URL, domainController);
            // Create the initial directory context
            try {
                                dirCtx = new InitialDirContext(env);
                 // Create the search controls           
                 SearchControls searchCtls = new SearchControls();
                 //Specify the attributes to return
                 String returnedAtts[]={"member"};
                 searchCtls.setReturningAttributes(returnedAtts);
                 //Specify the search scope
                 searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 int totalResults = 0;
                 int iteration=0;
                 // Search for objects using the filter
                 NamingEnumeration results = ctx.search(searchBase, searchFilter, searchCtls);
  In the above code the method exits even before the try block[i could detect this using Sysout's]
  Below is the property file from which the values are read.
  admin=username
  password=password
  #AD search attributes
  searchBase=DC=domainname,DC=domainname
  searchFilter=(&(objectClass=group) (CN=value*))
  #JNDI context attributes
  ldapCtxFactory=com.sun.jndi.ldap.LdapCtxFactory
  authentication=simple
  domainController=ldap://address
  groupPattern=pattern
  Please Assit,
  Thanks in Advance
  Message was edited by:
  radiant
  Message was edited by:
  radiant

  Assuming it is the same Active Directory environment and only your Java platform has changed, the I can only assume that if no exception is thrown, and no data is returned, then the credentials you are using on the new Java platform are being mapped to an anonymous user (perhaps a blank password ?). By default, Windows Server 2003 domains, do not return any results to anonymous users.

• Ordering moment integration with Active Directory or LDAP

  ServiceLink can only be used in the Authorization moment and Service Delivery moments. We have use cases where in the ordering moment we need to make web service calls to AD or query LDAP. We are currently looking at purchasing AJAX libraries or get help with LDAP Bridge JDBC Driver. Has anyone out there already use this technique in production?

  Mark covered OID a while ago in detail:
  http://www.oracle.com/technology/oramag/oracle/08-jan/o18identity.html
  as did Venkat:
  http://oraclebizint.wordpress.com/2007/10/10/oracle-bi-ee-101332-using-ldapoid-authentication/
  http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/
  Hth,
  C.

• Update email on IT0105 from Active Directory using LDAP connector

  Hi,
  I see lots of  threads in this area, but none on this particular requirement.
  The requirement is simply to retrieve email addresses from AD by feeding the employee number into the LDAP connector. The email address returned would then be used to update the email field on IT0105.  (Our AD is set up with employee number as key)
  Does anyone know if there are any standard reports or functionality around to allow the customer to do this? I would prefer to rule this option completely out before looking at writing an abap to do the job.
  Regards
  Phil

  hi
  check if the below link of any use to you
  http://help.sap.com/saphelp_nw04s/helpdata/en/eb/0bfa3823e5d841e10000000a11402f/frameset.htm
  regards
  sameer

• WLS 5.1, Microsoft Active Directory w/ LDAP Realm redux

  Greetings,
  We are attempting to certify our app against MS ADS and are running into a few problems.
  Let me state up front that we've recoded a wack of the WL classes to provide us with user -> group and group -> user lookups. This is part of our licensing model, so has to be done.
  My main query is that I'm having a real problem distinguishing groups from users. If we get a group, we can enumerate through it to find users, no problem. If a group contains another group, things are less useful.
  The main issue is that under ADS, the default users and groups are under /Users, so our group.dn and user.dn values are identical. Normally, I would use the DN to tell if I'm looking at a group or not, but in this case, we can't.
  Our class chokes if any of the DNs are "", so just leaving it blank is no good for me.
  Any comments, advice or ideas?
  jdv

  good morning:
  this issue was solved by using a fully domain administrator account. the cisco acs server is registered immediately and i can save the query or changes to acs database.
  regards!

• LDAP over SSL for Solaris 9 / Solaris 10

  I have successfully configured Solaris-10 clients to use Windows 2003 R2 Active Directory for LDAP authentication over SSL. However, my production environment is still running on Solaris-9. I am able to make Kerberos and ldapsearch working on Solaris-9, but I am still NOT able to use PuTTY to make authentication with AD.
  I reviewed all my steps that I configured on Solaris-10, but somewhat I could not make it work on Solaris-9. If anybody sucessfully deployed on Solaris-9, please advices! Any helps greatly appreciated.
  Here are what I got so far on Solaris-9
  =======================================================
  KERBEROS
  =======================================================
  #getent passwd aduser
  aduser:1000:1000:aduser:/export/home/aduser:/bin/sh
  #kinit [email protected]
  Password for [email protected]:
  #klist
  Ticket cache: /tmp/krb5cc_0
  Default principal: [email protected]
  Valid starting Expires Service principal
  Fri Jan 04 17:22:34 2008 Sat Jan 05 03:22:34 2008 krbtgt/[email protected]
  renew until Fri Jan 11 17:22:34 2008
  =======================================================
  LDAPSEARCH / SSL
  =======================================================
  #ldapsearch -v -h sundc1.consoto.com -p 636 -Z -P /var/ldap/cert8.db -D cn=administrator,cn=users,dc=consoto,dc=com -w - -b "dc=consoto,dc=com" -v -s base "objectclass=*"
  Enter bind password:
  ldapsearch: started Fri Jan 4 17:23:52 2008
  LDAP Library Information -
  Highest supported protocol version: 3
  LDAP API revision: 2005
  API vendor name: Sun Microsystems Inc.
  Vendor-specific version: 5.08
  LDAP API Extensions:
  SERVER_SIDE_SORT (revision 1)
  VIRTUAL_LIST_VIEW (revision 1)
  PERSISTENT_SEARCH (revision 1)
  PROXY_AUTHORIZATION (revision 1)
  X_LDERRNO (revision 1)
  X_MEMCACHE (revision 1)
  X_IO_FUNCTIONS (revision 1)
  X_EXTIO_FUNCTIONS (revision 1)
  X_DNS_FUNCTIONS (revision 1)
  X_MEMALLOC_FUNCTIONS (revision 1)
  X_THREAD_FUNCTIONS (revision 1)
  X_EXTHREAD_FUNCTIONS (revision 1)
  X_GETLANGVALUES (revision 1)
  X_CLIENT_SIDE_SORT (revision 1)
  X_URL_FUNCTIONS (revision 1)
  X_FILTER_FUNCTIONS (revision 1)
  ldap_init( sundc1.consoto.com, 636 )
  ldaptool_getcertpath -- /var/ldap/cert8.db
  ldaptool_getkeypath -- .
  ldaptool_getdonglefilename -- (null)
  filter pattern: objectclass=*
  returning: ALL
  filter is: (objectclass=*)
  version: 1
  dn: dc=consoto,dc=com
  objectClass: top
  objectClass: domain
  objectClass: domainDNS
  distinguishedName: DC=consoto,DC=com
  instanceType: 5
  whenCreated: 20071220204021.0Z
  whenChanged: 20071226231851.0Z
  subRefs: DC=ForestDnsZones,DC=consoto,DC=com
  subRefs: DC=DomainDnsZones,DC=consoto,DC=com
  subRefs: CN=Configuration,DC=consoto,DC=com
  uSNCreated: 4098
  uSNChanged: 16663
  name: consoto
  objectGUID:: bM0hWw8HKEOYCFN3yQ==
  creationTime: 128426572605937500
  forceLogoff: -9223372036854775808
  lockoutDuration: -18000000000
  lockOutObservationWindow: -18000000000
  lockoutThreshold: 0
  maxPwdAge: -37108517437440
  minPwdAge: -864000000000
  minPwdLength: 7
  modifiedCountAtLastProm: 0
  nextRid: 1003
  pwdProperties: 1
  pwdHistoryLength: 24
  objectSid:: AQQAAAAAAAUAAYA4LaLGUspxVHsMP
  serverState: 1
  uASCompat: 1
  modifiedCount: 129
  auditingPolicy:: AAE=
  nTMixedDomain: 0
  rIDManagerReference: CN=RID Manager$,CN=System,DC=consoto,DC=com
  fSMORoleOwner: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-Nam e,CN=Sites,CN=Configuration,DC=consoto,DC=com
  systemFlags: -1946157056
  wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=sunl
  ab,DC=com
  wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Progra
  m Data,DC=consoto,DC=com
  wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=sun
  lab,DC=com
  wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrin
  cipals,DC=consoto,DC=com
  wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=
  consoto,DC=com
  wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=s
  unlab,DC=com
  wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=sun
  lab,DC=com
  wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=consoto,DC
  =com
  wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,
  DC=consoto,DC=com
  wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=consoto
  ,DC=com
  wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=consoto,DC=
  com
  objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=consoto,DC=com
  isCriticalSystemObject: TRUE
  gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Syste
  m,DC=consoto,DC=com;0]
  masteredBy: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-Name,C
  N=Sites,CN=Configuration,DC=consoto,DC=com
  ms-DS-MachineAccountQuota: 10
  msDS-Behavior-Version: 2
  msDS-PerUserTrustQuota: 1
  msDS-AllUsersTrustQuota: 1000
  msDS-PerUserTrustTombstonesQuota: 10
  msDs-masteredBy: CN=NTDS Settings,CN=SUNDC1,CN=Servers,CN=Default-First-Site-N
  ame,CN=Sites,CN=Configuration,DC=consoto,DC=com
  dc: consoto
  1 matches
  I am thinking about pam.conf file or ldapclient's configuration file, any suggestion?

  I have now sat down and looked at your suggestion and I am pretty certain we can't implement it ... :( I was hoping it was just going to be configuration files that were copied (maybe a naive hope, but there you go!) This system is going to be deployed as a live service for a government agency so I do not think we can, in all good conscience, have binaries from two different OS releases residing on the same server as it will make the system nigh-on non-patchable.
  Let's hope Sun have somethig constructive to say about our issue which, I am slowly beginning to think, is related to the password.
  If I su to the test AD user we have whilst logged in as a root user (which does not, of course, prompt for a password) it all works nicely - home directory, shell, the id command gives all that is expected of uid and gid. Now, should I be in a as a non-root user and try the same I get prompted for a password and it all fails - despite me providing what should be the correct password.
  If I do a getent for the user the returned data has a blank for the password field (as opposed to the usual x).
  I think that somewhere, somehow, in the transmission of data that the password is getting a level of encryption that the AD is not setup to unravel. The packets are all encrypted through ldap (we are using tls simple) but what of the password within the packet? Does anything encrypt that first, and if so, does AD know how to decrypt it?

• Trying to determine if LDAP over SSL is working using LDP.exe

  Hi,
  I just wanted to confirm that LDAP over SSL is working properly on our domain controller.  When I connect using LDP.exe on my Windows 7 computer, I get the following output:
  ld = ldap_sslinit("dc1.domain.com", 636, 1);
  Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
  Error 0 = ldap_connect(hLdap, NULL);
  Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
  Host supports SSL, SSL cipher strength = 128 bits
  Established connection to dc1.domain.com.
  Retrieving base DSA information...
  Getting 1 entries:
  Dn: (RootDSE)
  <unnecessary details>
  It looks like it is working, but I wasn't sure if the Error 0's mean there is some sort of problem.
  Also, when I run a Simple bind with my credentials, I get the following output:
  res = ldap_simple_bind_s(ld, 'myuseraccount-at-domaindotcom', <unavailable>); // v.3
  Authenticated as: 'DOMAIN\myuseraccount'.
  Finally, when I run a Bind as currently logged on user (with Encrypt traffic after bind checked), I get the following output:
  53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
  res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
  {NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
  Authenticated as: 'DOMAIN\myuseraccount'.
  I followed all the instructions found in Microsoft article KB-321051 to get LDAP over SSL working with a valid 3rd party certificate on one of our Windows 2008 R2 domain controllers.  However, when I test Active Directory Authentication on our
  WatchGuard Management Server after importing the CA certificate, the test fails.  In order to use Active Directory Authentication, LDAPS (LDAP over SSL) must be enabled in the Active Directory domain and I am not 100% sure that it is enabled properly.
  Any advice or additional insight would be greatly appreciated.
  Thanks!

  Some ideas:
  DNS Name: KB-321051 says that you need the DNS name in either Subject CN or Subject Alternative Name. Which one did you use? Windows clients are fine with an empty CN and only the SAN populated (there the "either or" statement in the article)
  but third-party tools often look for the DNS name in the Subject CN.
  Even if the WatchGuard Server runs on Windows it might use its own certificate checking logic.
  DC certificate(s): Does the DC have more than this certificate? If yes I'd run a network trace to check which one the machine is actually sending in the SSL handshake.
  Chaining issues at your LDAP client / the WatchGuard Management Server:
  Very often such issues are related to the fact that the certificate chain is not validated properly. Some typical issues:
  It is not clear whether the client uses the Windows certificate store (even if it runs on a Windows server).
  Tools / systems / PKI clients can only deal with a single root CA, not with a hierarchy.
  You need to import both Root and intermediate CAs as the client cannot fetch the intermediates from AIA URLs.
  The client cannot access CRL URLs because of firewalls rules or missing access (e.g.: A CRL URL in AD is used but the client does not have an AD user in whose context it would try to fetch the CRL).
  The client has issues with blanks or special characters in CDP or AIA URLs.
  Having a quick look at
  WatchGuard documentation it seems to me that they are using their own certificate stores you need to import CA certificates to. And they only mention a "Root CA" so if your PKI has two levels you might need to import both CAs to the so-called Root store.
  Elke

• How to save HR data in Active Directory using ABAP i.e thru LDAP Connector

  Hi All,
         Can any one please help me out how
         to save HR data in Active directory
         using LDAP Connector ?             
         Please help ASAP as it is very urgent .
  Thanks
  Jitendra

  There are 100 of such scripts are there online.
  here are few tips and codes. you will get more.  
  https://gallery.technet.microsoft.com/scriptcenter/Feeding-data-to-Active-0227d15c
  http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/31/use-powershell-to-modify-existing-user-accounts-in-active-directory.aspx
  http://powershell.org/wp/forums/topic/ad-import-csv-update-attributes-script/
  Please mark this as answer if it helps

• SJSAS7 - Access to Active Directory LDAP

  Hi All
  Is it possible to connect SJSAS7 to Active Directory via LDAP. I know that this can be done with other app servers like WebSphere 4 & 5.
  I would like to use our existing Active Directory infrastructure for authentication of Admin and Application users.
  Does anyone have information how to configure this or can point me to some documents with this info.
  Any help would be much appreciated.
  TIA
  Tony Hawes

  Although I haven't tried it, I would guess that this is possible. We are using the LDAP realm with Sun's directory server and a few years ago I used the standard LDAP provider in the JDK to connect to Active Directory. The only problem I had was that I had to connect with a user that had the form "domain/user" instead of a common name. The online help in the admin console describes the properties you can use.
  HTH,
  Gunnar

• MS Active Directory (LDAP) and SAP Integration

  Hi all!
  don't know if I'm right here in this forum, but:
  I'm using MS Windows Server 2003 and installed Active Directory as LDAP-System on the one hand side, on the other I'm using a 6.20 ABAP Web AS.
  I'd like to synchronize the User Storage on these two systems.
  Does anyone have experience in doing this? I'm facing a tricky exception in depth of my customizing too complex to explain right now. The problem concerns the mapping of LDAP-Fields and SAP-Fields.
  Thankx,
  Christoph

  Hi Christoph,
  This is the mySAP ERP forum. Perhaps you can post your question in the Web AS forum (SAP NetWeaver Application Server).
  For now: here is a link to a video regarding SAP Active Directory integration:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sap active directory integration,%20SSO%20and%20User%20Management%20Webinar.wrf
  I found it by searching on Active Directory here on sdn:
  https://www.sdn.sap.com/sdn/search.sdn?contenttype=url&content=/irj/servlet/prt/portal/prtroot/pcd!3aportal_content!2fSDN!2fiViews!2fFramework!2fcom.sap.sdn.advsearch%3Fprttheme%3DCSIN%26QueryString=active%20directory%26searchDatasource=SDNContent
  Cheers,
  Noel

• Urgent: Configuring LDAP or Active Directory on Windows XP

  I tried authenticating user against infromation stored in Database tables dont know whats the problem its not working, I followed all the required steps for that but not succeed. So I decided to validate the user against LDAP or Active directory. Can anyone tell me how to configure LDAP or Active Directory in Windows XP.
  Please help me out as only one day remained for to submit my project, everything is done except the login page.
  And I dont think I may get even grade C if there is no security for the application. Please help me out in configuring Active Directory or LDAP and ASAP please.

  Yea I agree with you the custom table is easiest way then AD but I was working on the problem from almost a week now and I don't have much time to sort out things with that anymore.
  Help me in configuring AD on Windows XP Professional with SP2, as I'm running out of time.
  the below link is the detailed steps I followed for Custom Authentication:
  Urgent: Custom Database Authentication
  Please help me out for Configuring AD.

• How to authenticate using Active directory!

  Hi all!
  at present im using a code given below, its working fine! currently we are using mixed mode active directory! we are going to migrate that to Native mode!
  import java.util.Properties;
  import javax.naming.*;
  import javax.naming.directory.*;
  import javax.servlet.http.*;
  import java.io.*;
  import java.util.Vector;
  import com.aigss.codegene.utils.PropertyDispatcher;
  public class LdapAuthentication//Servlet extends HttpServlet
       private java.util.Hashtable cache = new java.util.Hashtable();
        * @param loginid
        * @param passwrd
        * @return boolean
       public boolean authenticate(String loginid, String passwrd) {
            if(passwrd.trim().equalsIgnoreCase(""))
            return false;
            Properties props = new Properties();
            String ldapHost = "ldap://HDCQ3Q5CDOM01:389";
            String DN =
                 "CN="
                      + loginid.trim()+"DN=,CN=Users,DC=pslsdc,DC=legacy,DC=r5,DC=websi,DC=net";
            System.out.println("DN: "+DN);     
            props.put(Context.INITIAL_CONTEXT_FACTORY,com.sun.jndi.ldap.LdapCtxFactory);
            props.put(Context.SECURITY_AUTHENTICATION, "simple");
            props.put(Context.SECURITY_CREDENTIALS,  passwrd);
            props.put(Context.SECURITY_PRINCIPAL, DN);
            props.put(Context.PROVIDER_URL, ldapHost);
            try {
                 DirContext ctx = new InitialDirContext(props);
                 System.out.println("successfully authenticate DN: " + DN);
                 return true;
            } catch (Exception ex) {
                 System.out.println(ex+loginid);
                 try{
                      throw new Exception("login failure : "+ex+loginid);
                 }catch(Exception e){
                      e.printStackTrace();
                 return false;
  }when i try to connect into Active directory the new one, im unable to get authenticate, user not found error is coming! (data 525)
  im unable to continue!
  i tried changing the DN to : [email protected]
  also DN: mydomain\vijayvignesh
  then im getting error:
  java.lang.Exception: istar login failure : javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, vecei almost tried everything!
  if any one can find a solution pls do come forward!
  remember my code works fine in Mixed mode active directory, when we shift that to native mode, it is not working!

  If you would read the Active Directory error message, it actually gives you a hint:
  "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"
  There was a security feature introduced in Windows Server 2003 that would allow administrators to only allow connections over encrypted sessions (eg. SSL/TLS or Kerberos signing and sealing). This setting is configured somewhere in the Domain Controller's Group Policy, called something like "LDAP Server signing"
  One solution is to use SSL/TLS. Refer to my previous post titled "JNDI, Active Directory & Authentication (part 2) (SSL)" at
  http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50

• Active Directory and many OUs

  Hello all,
  This topic might have been talked about before but after a lot of searching I still have not found a solution, so I ask for a bit of help.
  In our Active Directory there are many OUs where users are kept. There is no one top OU where you can start your search. I don't really know why it was set up this way and I don't have an option to change that. I would really like to have ou=users like most have!
  So when I try to authenticate a user (I'm installing DSpace in my uni) I cannot automatically add the OU for the user trying to log in and the users themselves don't know their OU (well, why would they!).
  I'm hoping there is some simple solution to this. Maybe JNDI API allows for searching in many OUs at the same time (some fixed list in the code)? Or maybe the OU is not needed at all in the search?
  Any help/hints would be appreciated.
  best regards, Logi

  For searching, you can issue a subtree search will search through the entire subtree, irrespective of how many levels of OU's may exist, by using SearchControls.SUBTREE_SCOPE
  Have a look at the tutorial at http://java.sun.com/products/jndi/tutorial/basics/directory/scope.html
  For authentication, you can either get the user to enter their:
  distinguished name
  (cn=Albert Eirnstein, ou=Research,dc=Antipodes,dc=com), although that is not entirely user friendly
  their NT style logon name (samAccountName)
  ANTIPODES\alberte, more user friendly,
  or their Windows 200 style logon name (userPrincipalName),
  [email protected], equally as user friendly.
  You may also want to look at some of the following posts:
  JNDI, Active Directory and Authentication (Part 1) (Kerberos)
  http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
  JNDI, Active Directory & Authentication (part 2) (SSL)
  http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50
  JNDI, Active Directory & Authentication (part 3) (Digest-MD5)
  http://forum.java.sun.com/thread.jspa?threadID=581868&tstart=150
  JNDI, Active Directory & Authentication (part 4) (SASL EXTERNAL)
  http://forum.java.sun.com/thread.jspa?threadID=641047&tstart=0
  JNDI, Active Directory and Authentication (part 5, LDAP Fastbinds)
  http://forum.java.sun.com/thread.jspa?threadID=726601&tstart=0
  JNDI, Active Directory, Referrals and Global Catalog
  http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15