Tomcat 5 JNDI Active Directory
Hi:
I've been trying to use JNDI to allow my java applications to log using the Active Directory information. I am using the Tomcat 5 and i hava a Windows 2003 server that holds the AD.
I edited the server.xml file of tomcat conf like this
<Realm className="org.apache.catalina.realm.JNDIRealm"
connectionURL="ldap://[server ip]"
userBase="CN=Users,dc=yage,dc=com,dc=ec"
userSearch="(userPrincipalName={0})"
userRoleName="member"
roleBase="CN=Users,dc=yage,dc=com,dc=ec"
roleName="cn"
roleSearch="(member={0})"
connectionName="CN=[username],CN=Users,DC=yage,DC=com,DC=ec"
connectionPassword="[password]"
roleSubtree="true"
userSubtree="true" />
But everytime i stop and restart the Tomcat it doesn't respond, it just hang for a while and then tells me that the server cannot be found
Anyone knows if there is anything that i am missing to do ?
I am really knew to all of this J2EE stuff so i really need help
Thanks
I am trying to do something similar. I found that the org.apache.catalina.realm.JNDIRealm class doesn't seem to pick up the connectionURL attribute. Make sure you use the alternateURL attribue as well.
Similar Messages
-
Failed JNDI - Active Directory binding
Hello everyone,
First off, forgive me if I'm posting to the wrong place and please let me know where I should post.
I have a very simple Java application (more or less copied from the Sun tutorial on JNDI) and am trying to connect to a Win 2003 R2 domain controller with active directory configured and populated.
No matter what I try I get
Problem searching directory: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'RootDSE'
I can bind using any of the standard win32 programs including ldp.exe. I can also bind and browse using Softerra LDAP Administrator without problems. I'm obviously missing something, but I can't see what. Please help.
There is no authentication info in the code because I'm hoping that's not needed as long as I'm logged into the windows machine I'm running this on.
Here's the code:
package printerfinder00;
import java.util.Hashtable;
import java.util.jar.Attributes;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
public class Main {
public static void main(String[] args) {
Hashtable env = new Hashtable();
String ldapURL = "ldap://dc01.hr.local:389/";
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapURL);
try {
DirContext ctx = new InitialLdapContext(env, null);
SearchControls searchCtls = new SearchControls();
String returnedAtts[] = {"sn", "givenName", "mail"};
searchCtls.setReturningAttributes(returnedAtts);
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String searchFilter = "(&(objectClass=user)(mail=*))";
String searchBase = "RootDSE";
int totalResults = 0;
NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult) answer.next();
totalResults++;
System.out.println(">>>" + sr.getName());
Attributes attrs = (Attributes) sr.getAttributes();
if (attrs != null) {
try {
System.out.println(" surname: " + attrs.get("sn").get());
System.out.println(" firstname: " + attrs.get("givenName").get());
System.out.println(" mail: " + attrs.get("mail").get());
} catch (NullPointerException e) {
System.out.println("Errors listing attributes: " + e);
System.out.println("Total results: " + totalResults);
ctx.close();
} catch (NamingException e) {
System.err.println("Problem searching directory: " + e);
}I think the error message is quite descriptive !
Problem searching directory: javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'RootDSE'
Firstly you have not supplied any credentials or configured an authentication mechanism, hence you cannot perfom a search.
For simple authentication, it would be something of the form: String adminName = "FOOBAR\\administrator";
String adminPassword = "xxxxxxx";
//set security credentials, note using simple cleartext authentication
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,adminName);
env.put(Context.SECURITY_CREDENTIALS,adminPassword);Secondly, your search base is incorrect (although you haven't got to the stage where this will generate an error)
BTW, The search base will be a distinguished name of the form:"dc=foobar,dc=com"If you are perfoming this from a Windows client, and want to utilise single sign-on, then you will want to refer to the post titled "JNDI, Active Directory and Authentication (Part 1) (Kerberos)" available at http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
Good luck... -
Help Apache Tomcat integrate with Active Directory
Hello ,
I am trying to authenticate users in Apache Tomcat 5.5 from active
directory with no such luck.
The way my users are structured in AD is there's a department root OU
and then sub OU's for each department . The Groups OU is in its own OU.
This is the syntax Im using for the server.xml file. I have created
two groups am and thc and put the neccesary users in the groups.
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://dc1:389"
alternateURL="ldap://fs6:389"
userRoleName="member"
userBase="OU=Departments,dc=2krecovery,dc=com"
userPattern="cn={0},OU=Departments,dc=2krecovery,dc=com"
UserSubtree="true"
roleBase="OU=Groups,dc=2krecovery,dc=com"
roleName="cn"
roleSearch="(member={0})"
roleSubtree="false"
userSubtree="true"
/>
Could someone tell me if this is right? Running a Windows 2000 native
domain level with 2 windows 2000 dc's and one windows 2003 dc.
Here's the web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Tax Housing Compliance</web-resource-name>
<url-pattern>/thc/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>thc</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Asset Management</web-resource-name>
<url-pattern>/am/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>am</role-name>
</auth-constraint>
</security-constraint>Pl do not post duplicates - Use Multi Domain to integrate with Active Directory in R12
-
JNDI, Active Directory and Persistent Searches (part 2)
The original post of this title which was located at http://forum.java.sun.com/thread.jspa?threadID=578342&tstart=200 subsequently disappeared into the ether (as with many other posts).
By request I am reposting the sample code which demonstrates receiving notifications of object changes on the Active Directory.
Further information on both the Active Directory and dirsynch and ldap notification mechanisms can be found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/overview_of_change_tracking_techniques.asp
* ldapnotify.java
* December 2004
* Sample JNDI application that uses AD LDAP Notification Control.
import java.util.Hashtable;
import java.util.Enumeration;
import javax.naming.*;
import javax.naming.ldap.*;
import com.sun.jndi.ldap.ctl.*;
import javax.naming.directory.*;
class NotifyControl implements Control {
public byte[] getEncodedValue() {
return new byte[] {};
public String getID() {
return "1.2.840.113556.1.4.528";
public boolean isCritical() {
return true;
class ldapnotify {
public static void main(String[] args) {
Hashtable env = new Hashtable();
String adminName = "CN=Administrator,CN=Users,DC=antipodes,DC=com";
String adminPassword = "XXXXXXXX";
String ldapURL = "ldap://mydc.antipodes.com:389";
String searchBase = "DC=antipodes,DC=com";
//For persistent search can only use objectClass=*
String searchFilter = "(objectClass=*)";
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
//set security credentials, note using simple cleartext authentication
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,adminName);
env.put(Context.SECURITY_CREDENTIALS,adminPassword);
//connect to my domain controller
env.put(Context.PROVIDER_URL,ldapURL);
try {
//bind to the domain controller
LdapContext ctx = new InitialLdapContext(env,null);
// Create the search controls
SearchControls searchCtls = new SearchControls();
//Specify the attributes to return
String returnedAtts[] = null;
searchCtls.setReturningAttributes(returnedAtts);
//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
//Specifiy the search time limit, in this case unlimited
searchCtls.setTimeLimit(0);
//Request the LDAP Persistent Search control
Control[] rqstCtls = new Control[]{new NotifyControl()};
ctx.setRequestControls(rqstCtls);
//Now perform the search
NamingEnumeration answer = ctx.search(searchBase,searchFilter,searchCtls);
SearchResult sr;
Attributes attrs;
//Continue waiting for changes....forever
while(true) {
System.out.println("Waiting for changes..., press Ctrl C to exit");
sr = (SearchResult)answer.next();
System.out.println(">>>" + sr.getName());
//Print out the modified attributes
//instanceType and objectGUID are always returned
attrs = sr.getAttributes();
if (attrs != null) {
try {
for (NamingEnumeration ae = attrs.getAll();ae.hasMore();) {
Attribute attr = (Attribute)ae.next();
System.out.println("Attribute: " + attr.getID());
for (NamingEnumeration e = attr.getAll();e.hasMore();System.out.println(" " + e.next().toString()));
catch (NullPointerException e) {
System.err.println("Problem listing attributes: " + e);
catch (NamingException e) {
System.err.println("LDAP Notifications failure. " + e);
}Hi Steven
How can I detect what change was made ? Is there an attribute that tell us ?
Thanks
MHM -
Operation Not Supported Exception in JNDI/Active Directory
Hi all,
When i am trying to change password or create user from JNDI program
on Active Directory i am getting OperationNotSupported Exception.
I wonder i am doing a common mistake in both functions.just when the execution comes to
ctx.createSubcontext("cn=surendra,cn=Users,DC=ABSI,dc=pcs",attrs);
in createUser method and
ctx.modifyAttributes(userString, ctx.REPLACE_ATTRIBUTE, testAttrs);
in changePassword method i am getting the below exception.
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT
_PERFORM), data 0
]; remaining name 'cn=surendra,cn=Users,DC=ABSI,dc=pcs'
at java.lang.Throwable.fillInStackTrace(Native Method)
at java.lang.Throwable.fillInStackTrace(Compiled Code)
at java.lang.Throwable.<init>(Compiled Code)
at java.lang.Exception.<init>(Exception.java:42)
at javax.naming.NamingException.<init>(NamingException.java:106)
at javax.naming.OperationNotSupportedException.<init>(OperationNotSupportedException.java:50)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Compiled Code)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:657)
at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(Compiled Code)
at com.sun.jndi.toolkit.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341)
at com.sun.jndi.toolkit.PartialCompositeDirContext.createSubcontext(Compiled Code)
at com.sun.jndi.toolkit.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:258)
at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
Your help is needed to go ahead......
Thanks in advance
NagaHi!
I just happened to stumble across your post today looking for something else, but...
Are you aware that you can only update a password ActiveDirectory/LDAP with a secure network connection? A certificate must be installed on the domain controller and tied to AD, and then the client must support an SSL connection to AD for LDAP. The other attributes in the schema do not have this restriction and can be updated without a secure connection.
Joel Mussman
Smallrock Internet Services -
How to create User in the specific group in Microsoft Active Directory
Hi,
I am using Nestcape LDAP, and want to create user in the user defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, I want to add the new user to Test Users group But my problem is that whenever I create a new user
it get added to Domain Users group.
I tried adding memberOf attribute with value "TestUsers"
attr = new LDAPAttribute("memberOf", "TestUsers");
attrs.add(attr);
It gives me following error :
code= 53 Exception 0000209A: SvcErr: DSID-031A0D6F, problem 5003 (WILL_NOT_PERFORM), data 0
Following is the code I am using.
public LDAPResult createUserID(
String userId,
String pwd,
String pId,
boolean resetonLogOn,
LDAPConnection ldCon) {
boolean flag = false;
int code=0;
try {
String pwdLastSetVal;
String desName;
String desc;
/* Specify the DN of the new entry. */
String dn =
"CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
/* Create and add attributes to the attribute set. */
String objectclass_values[] =
{ "top", "person", "organizationalPerson", "user" };
// LDAPEntry findEntry=null;
/* Create a new attribute set for the entry. */
LDAPAttributeSet attrs = new LDAPAttributeSet();
/* Attribute sAMAccountName */
LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
attrs.add(attr);
/* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
attr =
new LDAPAttribute(
LDAP_PASSWORD_KEY,
(byte[]) this.encodePassword(pwd));
attrs.add(attr);
/* Attribute Display Name */
desName = userId + ":" + pId;
//desName = userId ;
attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
attrs.add(attr);
/** Attribute userAccountControl to enable the userid.
attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
attrs.add(attr);
/* Attribute pwdLastSet to reset the password on first logon*/
if (resetonLogOn == true) {
pwdLastSetVal = "0";
} else {
pwdLastSetVal = "-1";
attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
attrs.add(attr);
/* Attribute Description */
desc = " Account Created by HelpNow App";
attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
attrs.add(attr);
/* Attribute objectclass */
attr = new LDAPAttribute("objectclass", objectclass_values);
attrs.add(attr);
attr = new LDAPAttribute("memberOf", "TestUsers");
attrs.add(attr);
/* Create an entry with this DN and these attributes . */
LDAPEntry myEntry = new LDAPEntry(dn, attrs);
/* Add the entry to the directory. */
ldCon.add(myEntry);
flag = true;
}catch (LDAPException e) {
flag = false;
code=e.getLDAPResultCode();
}catch (Exception e) {
flag = false;
code=LDAPException.OTHER;
}finally {
ldaprs.flag=flag;
ldaprs.code=code;
return ldaprs;
}Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150
-
How to create user in specific user group in Microsoft Active Directory ?
Hi,
I am using Nestcape LDAP, and want to create user in the user defined group. I have created a new user group "TestUsers" in the "Users" container of Active Directory, I want to add the new user to Test Users group But my problem is that whenever I create a new user
it get added to Domain Users group.
Following is the code I am using which adds user to default group Domain Users.
public LDAPResult createUserID(
String userId,
String pwd,
String pId,
boolean resetonLogOn,
LDAPConnection ldCon) {
boolean flag = false;
int code=0;
try {
String pwdLastSetVal;
String desName;
String desc;
/* Specify the DN of the new entry. */
String dn =
"CN=" + userId + ",CN=" + this.container + "," + this.baseDN; // container = "Users"
/* Create and add attributes to the attribute set. */
String objectclass_values[] =
{ "top", "person", "organizationalPerson", "user" };
// LDAPEntry findEntry=null;
/* Create a new attribute set for the entry. */
LDAPAttributeSet attrs = new LDAPAttributeSet();
/* Attribute sAMAccountName */
LDAPAttribute attr = new LDAPAttribute(LDAP_SAM_KEY, userId);
attrs.add(attr);
/* Attribute unicodePwd */ // LDAP_PASSWORD_KEY = "unicodePwd"
attr =
new LDAPAttribute(
LDAP_PASSWORD_KEY,
(byte[]) this.encodePassword(pwd));
attrs.add(attr);
/* Attribute Display Name */
desName = userId + ":" + pId;
//desName = userId ;
attr = new LDAPAttribute(LDAP_DIS_NAME_KEY, desName);
attrs.add(attr);
/** Attribute userAccountControl to enable the userid.
attr = new LDAPAttribute(LDAP_ACCOUNT_KEY, LDAP_ACCOUNT_EN_VAL); // LDAP_ACCOUNT_EN_VAL= "548"
attrs.add(attr);
/* Attribute pwdLastSet to reset the password on first logon*/
if (resetonLogOn == true) {
pwdLastSetVal = "0";
} else {
pwdLastSetVal = "-1";
attr = new LDAPAttribute(LDAP_RESET_KEY, pwdLastSetVal);
attrs.add(attr);
/* Attribute Description */
desc = " Account Created by HelpNow App";
attr = new LDAPAttribute(LDAP_DESC_KEY, desc);
attrs.add(attr);
/* Attribute objectclass */
attr = new LDAPAttribute("objectclass", objectclass_values);
attrs.add(attr);
/* Create an entry with this DN and these attributes . */
LDAPEntry myEntry = new LDAPEntry(dn, attrs);
/* Add the entry to the directory. */
ldCon.add(myEntry);
flag = true;
}catch (LDAPException e) {
flag = false;
code=e.getLDAPResultCode();
}catch (Exception e) {
flag = false;
code=LDAPException.OTHER;
}finally {
ldaprs.flag=flag;
ldaprs.code=code;
return ldaprs;
}Refer to the post titled "JNDI, Active Directory and Group Memberships" available at http://forum.java.sun.com/thread.jspa?threadID=581444&tstart=150
-
Search Active Directory Entries without password authentication
JNDI, Active Directory
I am newbie to JDNI and Active Directory.
I am trying to create a Web Application
which provides domain users with the information
of the Active Directory group user are belonging.
I know how to access Active Directory and search Entries
with JNDI like below codes.
Hashtable env = new Hashtable();
env.put(Context.PROVIDER_URL, "LDAP://URL:389");
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION,"none");
env.put(Context.REFERRAL, "follow");
env.put("java.naming.ldap.version" , "3" );
env.put(Context.SECURITY_PRINCIPAL, "uid=admin,ou=system");
env.put(Context.SECURITY_CREDENTIALS, "secret");
.....But I want know how to search Entries without Active Directory password
because I don't tell users their Active Directory password.
I don't have any idea. Could you give me good idea?
Sorry for my English. Thank you.
DannoIt means to allow "Anonymous LOGON" and "Everyone" users to search entries in AD, I think.Sorry, can't help. In OpenLDAP it meansallow * searchor possiblyallow * auth
You mean that if I do it, will the codes below be unnecessary in Java?That's not only what I meant, it is what I said, concerning the principal and credentials lines.
You don't need the SECURITY_AUTHENTICATION line, I never use it with LDAP whether I'm providing credentials or not (and in the cases where you are supplying the principal and credentials, it certainly doesn't make any sense to specify 'none'.) -
Hello all,
This topic might have been talked about before but after a lot of searching I still have not found a solution, so I ask for a bit of help.
In our Active Directory there are many OUs where users are kept. There is no one top OU where you can start your search. I don't really know why it was set up this way and I don't have an option to change that. I would really like to have ou=users like most have!
So when I try to authenticate a user (I'm installing DSpace in my uni) I cannot automatically add the OU for the user trying to log in and the users themselves don't know their OU (well, why would they!).
I'm hoping there is some simple solution to this. Maybe JNDI API allows for searching in many OUs at the same time (some fixed list in the code)? Or maybe the OU is not needed at all in the search?
Any help/hints would be appreciated.
best regards, LogiFor searching, you can issue a subtree search will search through the entire subtree, irrespective of how many levels of OU's may exist, by using SearchControls.SUBTREE_SCOPE
Have a look at the tutorial at http://java.sun.com/products/jndi/tutorial/basics/directory/scope.html
For authentication, you can either get the user to enter their:
distinguished name
(cn=Albert Eirnstein, ou=Research,dc=Antipodes,dc=com), although that is not entirely user friendly
their NT style logon name (samAccountName)
ANTIPODES\alberte, more user friendly,
or their Windows 200 style logon name (userPrincipalName),
[email protected], equally as user friendly.
You may also want to look at some of the following posts:
JNDI, Active Directory and Authentication (Part 1) (Kerberos)
http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
JNDI, Active Directory & Authentication (part 2) (SSL)
http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50
JNDI, Active Directory & Authentication (part 3) (Digest-MD5)
http://forum.java.sun.com/thread.jspa?threadID=581868&tstart=150
JNDI, Active Directory & Authentication (part 4) (SASL EXTERNAL)
http://forum.java.sun.com/thread.jspa?threadID=641047&tstart=0
JNDI, Active Directory and Authentication (part 5, LDAP Fastbinds)
http://forum.java.sun.com/thread.jspa?threadID=726601&tstart=0
JNDI, Active Directory, Referrals and Global Catalog
http://forum.java.sun.com/thread.jspa?threadID=603815&tstart=15 -
Sync external database with Active Directory
Hi,
We are in the process of consolitating all user information in our systems in Active Directory.
We have a system that can only authenicate users from information stored in a relational database. We are investigating options that would allow us to sync the password in this relational database with the password stored in Active Directory. Whenever the user changes their domain password, we would like for an JNDI application to update the relational database with their new password.
I'm fairly new to JNDI/Active Directory. My research does not look too positive. Does anybody know of any way that we can perform this password synchronization? Any advice would be greatly appreciated!
Thanks!
DaveThere are several mechanisms available that enable AD to authenticate users for your web application.
1. Perform a simple LDAP bind using the user's credentials submitted from a form. If the bind is successful, then you can infer that the credentials are correct.
2. If the users have already performed an interactive logon to Active Directory, provide a Single Sign-On experience by utilizing their existing Kerberos ticket. Refer to JNDI, Active Directory and Authentication (Part 1) (Kerberos)
http://forum.java.sun.com/thread.jspa?threadID=579829&tstart=300
for an explanation of using Kerberos & GSS-API.
3. If the users are not performing an interactive logon to your Active Directory, but you want to provide a federated single sign-on experience, then you may be interested in Active Directory Federation Services which uses SAML 1.0 tokens & WS-* to assert claims. Information on ADFS can be found at http://www.microsoft.com/windowsserver2003/techinfo/overview/adfsoverview.mspx
Two third party ISV's; Vintela and Centrify both provide solutions for non-Windows Web Servers to enable the second & third scenarios. -
Changes in Microsoft Active Directory Services into a file
I am in need of sample code to capture changes in Active Directory services into a flat file.
Here is my requirement:
I would like to capture user information changes from the Active directory server into a flat file.
For an example, When a user is newly created in Actives Directory Server, I need to Capture that user info and write into a flat file. Similarly for update and delete user in Activer Directory server, i need to capture the changes and write into a file.
Would appreciate, if any could help me on this
Thanks in advance
Thanks
KumarRefer to:
JNDI, Active Directory & Persistent Searches (part 1) http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
There was another topic that I posted called JNDI, Active Directory and Persistent Searches (part 2) in which I described teh LDAPNotification Control.
It had the following URL http://forum.java.sun.com/thread.jspa?threadID=578342&tstart=200 however it seems as though I have suffered another case of the forum losing my posts. -
How to authenticate using Active directory!
Hi all!
at present im using a code given below, its working fine! currently we are using mixed mode active directory! we are going to migrate that to Native mode!
import java.util.Properties;
import javax.naming.*;
import javax.naming.directory.*;
import javax.servlet.http.*;
import java.io.*;
import java.util.Vector;
import com.aigss.codegene.utils.PropertyDispatcher;
public class LdapAuthentication//Servlet extends HttpServlet
private java.util.Hashtable cache = new java.util.Hashtable();
* @param loginid
* @param passwrd
* @return boolean
public boolean authenticate(String loginid, String passwrd) {
if(passwrd.trim().equalsIgnoreCase(""))
return false;
Properties props = new Properties();
String ldapHost = "ldap://HDCQ3Q5CDOM01:389";
String DN =
"CN="
+ loginid.trim()+"DN=,CN=Users,DC=pslsdc,DC=legacy,DC=r5,DC=websi,DC=net";
System.out.println("DN: "+DN);
props.put(Context.INITIAL_CONTEXT_FACTORY,com.sun.jndi.ldap.LdapCtxFactory);
props.put(Context.SECURITY_AUTHENTICATION, "simple");
props.put(Context.SECURITY_CREDENTIALS, passwrd);
props.put(Context.SECURITY_PRINCIPAL, DN);
props.put(Context.PROVIDER_URL, ldapHost);
try {
DirContext ctx = new InitialDirContext(props);
System.out.println("successfully authenticate DN: " + DN);
return true;
} catch (Exception ex) {
System.out.println(ex+loginid);
try{
throw new Exception("login failure : "+ex+loginid);
}catch(Exception e){
e.printStackTrace();
return false;
}when i try to connect into Active directory the new one, im unable to get authenticate, user not found error is coming! (data 525)
im unable to continue!
i tried changing the DN to : [email protected]
also DN: mydomain\vijayvignesh
then im getting error:
java.lang.Exception: istar login failure : javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C09018A, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, vecei almost tried everything!
if any one can find a solution pls do come forward!
remember my code works fine in Mixed mode active directory, when we shift that to native mode, it is not working!If you would read the Active Directory error message, it actually gives you a hint:
"The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"
There was a security feature introduced in Windows Server 2003 that would allow administrators to only allow connections over encrypted sessions (eg. SSL/TLS or Kerberos signing and sealing). This setting is configured somewhere in the Domain Controller's Group Policy, called something like "LDAP Server signing"
One solution is to use SSL/TLS. Refer to my previous post titled "JNDI, Active Directory & Authentication (part 2) (SSL)" at
http://forum.java.sun.com/thread.jspa?threadID=581425&tstart=50 -
Handling events on Microsoft Active Directory
Hi
Is it somehow possible to catch events made on AD?I did find only that it is not supported.But there must be way to do something like that...Can you help me please?
Thanks for any answer.
AndyRefer to:
JNDI, Active Directory & Persistent Searches (part 1)
http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
JNDI, Active Directory and Persistent Searches (part 2)
http://forum.java.sun.com/thread.jspa?threadID=672007&tstart=90 -
Active Directory data replication to database
Hi Guys
Does anybody known how to replicate data from Active Directory (groups and users) direct to database table like Oracle?
My research drive me to code a program that make persistent search on Active Directory monitoring object changes to make insert or update in my table.
Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 1)
http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
Java Technology Forums - JNDI, Active Directory and Persistent Searches (part 2)
http://forum.java.sun.com/thread.jspa?forumID=51&threadID=672007
Is it a good idea ?
Thanks
MHMAs I said previously, it depends on how frequently you need to synchronise the database; weekly, daily, hourly, realtime.
LDIFDE, CSVDE can be used to export LDIF or CSV files respectively, which you could then import into a database. That would be a good pragmatic solution for something that needs to be done daily or weekly.
The DIRSYNC control is good for any schedule synchronisation, whereas the LDAP Notification Control is better suited to real time applications.
I am rather flattered that the post you referred to http://www.forumeasy.com/forums/thread.jsp?tid=117381285598&fid=ldapprof2&highlight=LDAP+Persistent+Search+Control+JNDI+Client
is based on my original sample titled "JNDI, Active Directory and Persistent Searches (part 2)" which I posted at
http://forum.java.sun.com/thread.jspa?threadID=672007&tstart=90
BTW, the sample for using the dirscnc control which is titled "JNDI, Active Directory & Persistent Searches (part 1)" is available at
http://forum.java.sun.com/thread.jspa?threadID=578338&tstart=200
Another alternative would be to install another server with Active Directory Application Mode (ADAM) specifically for your "expensive" queries and use a tool such as ADAMSync to populate it from your other Active Directory domain controllers.
ADAMSync is included with ADAM and you can find the command line options described at http://technet2.microsoft.com/windowsserver/en/library/c64799ab-88c0-4e5a-b296-bc26031141291033.mspx?mfr=true
Personally, I would much prefer to use something like LDIFDE, CSVDE, ADAMSync or a full fledged synchrisation/provision product such as Identity Lifecycle Manager rather than write (and debug/maintain) my own code. -
Authentication on Active Directory using JNDI (A Proffessional Appraoch)
I am using following code for getting authenticated on Active Directory by user logon name.
Can any one tell me a more proffessional and fool proof appraoch for authenticating a user on Active Dir through my web interface ???
thanks in advance
* Created on Nov 10, 2004
package auth;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
* @author Tushar Agrawal
* Created On Nov 10, 2004
public class UserAuthentication {
public UserAuthentication() {
super();
public NamingEnumeration loginToActiveDirectory(
String logonName,
String password,
String domain) {
boolean success = false;
NamingEnumeration attrs = null;
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
env.put(Context.SECURITY_CREDENTIALS, password);
//env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put("java.naming.ldap.version", "3");
env.put(Context.REFERRAL, "follow");
try {
String base = "";
DirContext ctx = new InitialDirContext(env);
SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
controls.setReturningAttributes(
new String[] {
"sAMAccountName",
"userPrincipalName",
"displayName",
"memberOf",
"objectSid",
"title" });
NamingEnumeration e =
ctx.search(base, "sAMAccountName=" + logonName, controls);
if (e.hasMore()) {
SearchResult r = (SearchResult) e.next();
attrs = r.getAttributes().getAll();
/*while (attrs.hasMore()) {
System.out.println(attrs.next());
ctx.close();
} catch (AuthenticationException e) {
System.err.println("Problem getting attribute: " + e);
success = false;
} catch (NamingException e) {
System.err.println("Problem getting attribute: " + e);
success = false;
return attrs;
tushar agrawalYou''l find more info at :
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
That's the right way to do it.
Maybe you are looking for
-
How can I get IPhoto to identify duplicate photos so I can delete them?
I have accidently created copies of hundreds of photos in my library. Not sure how really. Can IPhoto identify the duplicates in my library so I can delete them on mass? Some of the them have three or four copies in different albums. I am concerned i
-
I create a bean(sql result) from a servlet and put it in the request using setAttribute(bean) and then use dispacher to send the request to the display.jsp. In display.jsp i have a <jsp:usebean id="bean" class="beanClass"> but when i use <jsp:getProp
-
I have just purchased Photoshop Elementar in Swedish, but can not open the program.
I have just purchases Photoshop Elementar in Swedish, but can not open the program. Why?
-
Revert Back to the old status from newif error occurs in ServiceDesk Ticket
Go to transaction CRM_DNO_MONITOR. Select a ticket for display. Let the status of the selected ticket be NEW. Now input all information in standard and screen Enhancement(By EEWB) input fields. Now make an action 'assign' After saving the status will
-
Flickr plugin video limits incorrect
The flickr plugin which came with Lightroom 5 still enforces Flickr's video limit of 2 videos per month. Flickr did away with that limitation back in May, according to Flickr support. The result is normally some of my videos do not upload. I'm no