LDAP Authentication using Java

Question

I need to do LDAP Authentication for an application   I tried the following program   import java util Hashtable     import javax naming Context    import javax naming NamingException    import javax naming ldap InitialLdapContext    import javax naming ldap LdapContext      public class LdapContextCreation         public static void main String   args              LdapContextCreation ldapContxCrtn   new LdapContextCreation              LdapContext ctx   ldapContxCrtn getLdapContext                  public LdapContext getLdapContext              LdapContext ctx   null            try                Hashtable env   new Hashtable                  env put Context INITIAL CONTEXT FACTORY    com sun jndi ldap LdapCtxFactory                  env put Context SECURITY AUTHENTICATION   Simple                    it can be  lt domain  userid gt  something that you use for windows login                 it can also be               env put Context SECURITY PRINCIPAL   username domain com                  env put Context SECURITY CREDENTIALS   password                    in following property we specify ldap protocol and connection url                  generally the port is 389               env put Context PROVIDER URL   ldap   server domain com                  ctx   new InitialLdapContext env  null                 System out println  Connection Successful                catch NamingException nex                 System out println  LDAP Connection  FAILED                  nex printStackTrace                          return ctx                 Getting following exception    LDAP Connection  FAILED javax naming AuthenticationException   LDAP  error code 49 - Invalid Credentials      at com sun jndi ldap LdapCtx mapErrorCode LdapCtx java 3053      at com sun jndi ldap LdapCtx processReturnCode LdapCtx java 2999      at com sun jndi ldap LdapCtx processReturnCode LdapCtx java 2801      at com sun jndi ldap LdapCtx connect LdapCtx java 2715      at com sun jndi ldap LdapCtx  LdapCtx java 305      at com sun jndi ldap LdapCtxFactory getUsingURL LdapCtxFactory java 187      at com sun jndi ldap LdapCtxFactory getUsingURLs LdapCtxFactory java 205      at com sun jndi ldap LdapCtxFactory getLdapCtxInstance LdapCtxFactory java 148      at com sun jndi ldap LdapCtxFactory getInitialContext LdapCtxFactory java 78      at javax naming spi NamingManager getInitialContext NamingManager java 235      at javax naming InitialContext initializeDefaultInitCtx InitialContext java 318      at javax naming InitialContext getDefaultInitCtx InitialContext java 348      at javax naming InitialContext internalInit InitialContext java 286      at javax naming InitialContext init InitialContext java 308      at javax naming ldap InitialLdapContext  InitialLdapContext java 99      at LdapContextCreation getLdapContext LdapContextCreation java 27      at LdapContextCreation main LdapContextCreation java 12    Few more points to consider    Earlier I was using tomcat 5 3 5 but somebody told me that only tomcat 6 supports it so I downloaded tomcat 6 0 35 and currently using this version only  Configured server xml and added the following code -   lt Realm className  org apache catalina realm JNDIRealm                      debug  99                      connectionURL  ldap   server domain com 389                        userPattern   0     gt   Commented the following code from server xml -   lt  -- Commenting for LDAP    lt Realm className  org apache catalina realm UserDatabaseRealm       resourceName  UserDatabase   gt  -- gt   Steps 2 and 3 from article  Someone suggested that there are some jar files that are supposed to be copied to tomcat in order to run ldap authentication  is that something I need to do  And which jar files  Also  I am using the correct credentials for sure  then what is causing this issue  Is there a way I can figure out the correct attributes for LDAP in case I am using incorrect ones

User · Answer

Following Code authenticates from LDAP using pure Java JNDI. The Principle is:-

First Lookup the user using a admin or DN user.
The user object needs to be passed to LDAP again with the user credential
No Exception means - Authenticated Successfully. Else Authentication Failed.

Code Snippet

public static boolean authenticateJndi(String username, String password) throws Exception{
    Properties props = new Properties();
    props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    props.put(Context.PROVIDER_URL, "ldap://LDAPSERVER:PORT");
    props.put(Context.SECURITY_PRINCIPAL, "uid=adminuser,ou=special users,o=xx.com");//adminuser - User with special priviledge, dn user
    props.put(Context.SECURITY_CREDENTIALS, "adminpassword");//dn user password


    InitialDirContext context = new InitialDirContext(props);

    SearchControls ctrls = new SearchControls();
    ctrls.setReturningAttributes(new String[] { "givenName", "sn","memberOf" });
    ctrls.setSearchScope(SearchControls.SUBTREE_SCOPE);

    NamingEnumeration<javax.naming.directory.SearchResult> answers = context.search("o=xx.com", "(uid=" + username + ")", ctrls);
    javax.naming.directory.SearchResult result = answers.nextElement();

    String user = result.getNameInNamespace();

    try {
        props = new Properties();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        props.put(Context.PROVIDER_URL, "ldap://LDAPSERVER:PORT");
        props.put(Context.SECURITY_PRINCIPAL, user);
        props.put(Context.SECURITY_CREDENTIALS, password);

   context = new InitialDirContext(props);
    } catch (Exception e) {
        return false;
    }
    return true;
}

User · Answer

this class will authenticate LDAP UserName or Email     simply call LdapAuth authenticateUserAndGetInfo  username password      Note  Configure ldapURI  requiredAttributes  ADSearchPaths accountSuffex   import java util     import javax naming     import java util regex     import javax naming directory     import javax naming ldap InitialLdapContext   import javax naming ldap LdapContext   public class LdapAuth     private final static String ldapURI    ldap   20 200 200 200 389 DC corp DC local    private final static String contextFactory    com sun jndi ldap LdapCtxFactory    private  static String   requiredAttributes     cn   givenName   sn   displayName   userPrincipalName   sAMAccountName   objectSid   userAccountControl         see you active directory user OU s hirarchy   private  static String   ADSearchPaths              OU O365 Synced Accounts OU ALL USERS         OU Users OU O365 Synced Accounts OU ALL USERS         OU In-House OU Users OU O365 Synced Accounts OU ALL USERS         OU Torbram Users OU Users OU O365 Synced Accounts OU ALL USERS         OU Migrated Users OU TES-Users        private static String accountSuffex     corp local      this will be used if user name is just provided   private static void authenticateUserAndGetInfo  String user  String password  throws Exception        try             Hashtable lt String String gt  env   new Hashtable  lt String String gt              env put Context INITIAL CONTEXT FACTORY  contextFactory            env put Context PROVIDER URL  ldapURI                 env put Context SECURITY AUTHENTICATION   simple             env put Context SECURITY PRINCIPAL  user            env put Context SECURITY CREDENTIALS  password            DirContext ctx   new InitialDirContext env            String filter     sAMAccountName   user          default for search filter username          if user contains           if user name is a email then                         String parts     user split                       use different filter for email             filter     userPrincipalName   user                         SearchControls ctrl   new SearchControls            ctrl setSearchScope SearchControls SUBTREE SCOPE           ctrl setReturningAttributes requiredAttributes            NamingEnumeration userInfo   null            Integer i   0          do                       userInfo   ctx search ADSearchPaths i   filter  ctrl               i               while  userInfo hasMore    amp  amp  i  lt  ADSearchPaths length             if  userInfo hasMore                   SearchResult UserDetails    SearchResult  userInfo next                Attributes userAttr   UserDetails getAttributes   System out println  adEmail     userAttr get  userPrincipalName   get 0  toString                  System out println  adFirstName     userAttr get  givenName   get 0  toString                  System out println  adLastName     userAttr get  sn   get 0  toString                  System out println  name     userAttr get  cn   get 0  toString                  System out println  AdFullName     userAttr get  cn   get 0  toString                         userInfo close               catch  javax naming AuthenticationException e

User · Answer

You will have to provide the entire user dn in SECURITY PRINCIPAL  like this  env put Context SECURITY PRINCIPAL   cn username ou testOu o test

User · Answer

This is my LDAP Java login test application supporting LDAP    and LDAPS    self-signed test certificate  Code is taken from few SO posts  simplified implementation and removed legacy sun java   imports    how to accept self-signed certificates for JNDI LDAP connections  Authenticating against Active Directory with Java on Linux   Usage I have run this in Windows7 and Linux machines against WinAD directory service  Application prints username and member groups        java -cp classes test LoginLDAP url ldap   1 2 3 4 389  username myname company fi   password mypwd        java -cp classes test LoginLDAP url ldaps   1 2 3 4 636 username myname company fi   password mypwd   Test application supports temporary self-signed test certificates for ldaps    protocol  this DummySSLFactory accepts any server cert so man-in-the-middle is possible  Real life installation should import server certificate to a local JKS keystore file and not using dummy factory   Application uses enduser s username password for initial context and ldap queries  it works for WinAD but don t know if can be used for all ldap server implementations  You could create context with internal username pwd then run queries to see if given enduser is found   LoginLDAP java  package test   import java util    import javax naming    import javax naming directory     public class LoginLDAP        public static void main String   args  throws Exception           Map lt String String gt  params   createParams args            String url   params get  url       ldap   1 2 3 4 389 or ldaps   1 2 3 4 636         String principalName   params get  username       firstname lastname mydomain com         String domainName   params get  domain       mydomain com or empty          if  domainName  null       equals domainName                 int delim   principalName indexOf                   domainName   principalName substring delim 1                      Properties props   new Properties            props put Context INITIAL CONTEXT FACTORY   com sun jndi ldap LdapCtxFactory            props put Context PROVIDER URL  url            props put Context SECURITY PRINCIPAL  principalName            props put Context SECURITY CREDENTIALS  params get  password        secretpwd         if  url toUpperCase   startsWith  LDAPS                     props put Context SECURITY PROTOCOL   ssl                props put Context SECURITY AUTHENTICATION   simple                props put  java naming ldap factory socket    test DummySSLSocketFactory                                InitialDirContext context   new InitialDirContext props           try               SearchControls ctrls   new SearchControls                ctrls setSearchScope SearchControls SUBTREE SCOPE               NamingEnumeration lt SearchResult gt  results   context search toDC domainName     amp   userPrincipalName   principalName    objectClass user     ctrls               if  results hasMore                    throw new AuthenticationException  Principal name not found                 SearchResult result   results next                System out println  distinguisedName      result getNameInNamespace         CN Firstname Lastname OU Mycity DC mydomain DC com              Attribute memberOf   result getAttributes   get  memberOf                if memberOf  null                    for int idx 0  idx lt memberOf size    idx                          System out println  memberOf      memberOf get idx  toString         CN Mygroup CN Users DC mydomain DC com                       Attribute att   context getAttributes memberOf get idx  toString    new String    CN    get  CN                          System out println  att get   toString          CN part of groupname                                           finally               try   context close      catch Exception ex                                             Create  DC sub DC mydomain DC com  string         param domainName    sub mydomain com         return             private static String toDC String domainName            StringBuilder buf   new StringBuilder            for  String token   domainName split                       if token length    0  continue              if buf length   gt 0   buf append                   buf append  DC    append token                     return buf toString               private static Map lt String String gt  createParams String   args            Map lt String String gt  params   new HashMap lt String String gt               for String str   args                int delim   str indexOf                   if  delim gt 0  params put str substring 0  delim  trim    str substring delim 1  trim                 else if  delim  0  params put     str substring 1  trim                 else params put str  null                     return params             And SSL helper class   package test   import java io    import java net    import java security SecureRandom  import java security cert X509Certificate      import javax net    import javax net ssl     public class DummySSLSocketFactory extends SSLSocketFactory       private SSLSocketFactory socketFactory      public DummySSLSocketFactory             try             SSLContext ctx   SSLContext getInstance  TLS              ctx init null  new TrustManager    new DummyTrustManager     new SecureRandom               socketFactory   ctx getSocketFactory              catch   Exception ex    throw new IllegalArgumentException ex                  public static SocketFactory getDefault     return new DummySSLSocketFactory              Override public String   getDefaultCipherSuites     return socketFactory getDefaultCipherSuites             Override public String   getSupportedCipherSuites     return socketFactory getSupportedCipherSuites              Override public Socket createSocket Socket socket  String string  int i  boolean bln  throws IOException           return socketFactory createSocket socket  string  i  bln                  Override public Socket createSocket String string  int i  throws IOException  UnknownHostException           return socketFactory createSocket string  i                  Override public Socket createSocket String string  int i  InetAddress ia  int i1  throws IOException  UnknownHostException           return socketFactory createSocket string  i  ia  i1                  Override public Socket createSocket InetAddress ia  int i  throws IOException           return socketFactory createSocket ia  i                  Override public Socket createSocket InetAddress ia  int i  InetAddress ia1  int i1  throws IOException           return socketFactory createSocket ia  i  ia1  i1              class DummyTrustManager implements X509TrustManager        Override public void checkClientTrusted X509Certificate   xcs  String str               do nothing            Override public void checkServerTrusted X509Certificate   xcs  String str              System out println  checkServerTrusted for authType      str      RSA         for int idx 0  idx lt xcs length  idx                  X509Certificate cert   xcs idx               System out println  X500Principal      cert getSubjectX500Principal   getName                            Override public X509Certificate   getAcceptedIssuers             return new java security cert X509Certificate 0

[java] LDAP Authentication using Java

Examples related to java

Examples related to authentication

Examples related to ldap