24
votes

I am trying to authenticate a user through LDAP against Active Directory. Following is the code snippet I use:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

// URL of the directory to bind against, e.g. "ldap://dc.abc.com:389" (value not given in the question)
private String bindUrl;

private DirContext bindAsUser(String bindPrincipal, String password) {
    Hashtable<String,String> env = new Hashtable<String,String>();
    env.put(Context.SECURITY_AUTHENTICATION, "simple");   // LDAP simple bind
    env.put(Context.SECURITY_PRINCIPAL, bindPrincipal);   // must be a name form the server accepts
    env.put(Context.PROVIDER_URL, bindUrl);
    env.put(Context.SECURITY_CREDENTIALS, password);      // an empty value makes this an anonymous bind
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.REFERRAL, "follow");

    try {
        return new InitialLdapContext(env, null);
    } catch (NamingException e) {
        e.printStackTrace();
        return null;   // bind failed: bad credentials or an unsupported principal form
    }
}

The code for binding works if I provide:

  • Down-Level Logon Name, i.e. NetBIOSDomainName\sAMAccountName (e.g. domain\username), or
  • userPrincipalName (e.g. [email protected]), or
  • distinguishedName (e.g. CN=username,OU=xxx,DC=abc,DC=com), or
  • objectSid (e.g. S-1-5-21-3623811015-3361044348-30300820-1013)

as the SECURITY_PRINCIPAL, while it failed if sAMAccountName (e.g. username) was used (I guess only the names which are unique within the forest are valid).

So what are the accepted patterns for SECURITY_PRINCIPAL? I searched a few similar questions, but none provide reference to official AD/LDAP documents. Or is it a configuration which I could lookup somewhere? Thanks!

2
Hey @Fung, did you get any solution regarding using sAMAccountName, as I am also facing the same issue? – sunder

2 Answers

14
votes

From [MS-ADTS: Active Directory Technical Specification], the official doc for AD, I guess.

http://msdn.microsoft.com/en-us/library/cc223499.aspx

Section "5.1.1.1.1 Simple Authentication" lists all the name forms supported by simple authentication.
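An added example, not from the question or either answer, that turns the four accepted name forms listed in the question into a pre-bind check and also refuses the empty password that would make a simple bind anonymous. The regexes are approximate shape checks, and the class name AdSimpleBind, the ldapUrl parameter and the sample principals are assumed or constructed.

```java
import java.util.Hashtable;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;

public class AdSimpleBind {
    // Name forms AD accepts as SECURITY_PRINCIPAL for a simple bind (question list, MS-ADTS 5.1.1.1.1).
    enum PrincipalForm { DOWN_LEVEL, UPN, DN, SID, UNSUPPORTED }
    // Approximate shape checks; they do not consult the directory itself.
    private static final Pattern SID        = Pattern.compile("^S-1-\\d+(-\\d+)+$");
    private static final Pattern DN         = Pattern.compile("^[A-Za-z][A-Za-z0-9-]*=.+");
    private static final Pattern DOWN_LEVEL = Pattern.compile("^[^\\\\@=]+\\\\[^\\\\@=]+$");
    private static final Pattern UPN        = Pattern.compile("^[^@\\\\=]+@[^@\\\\=]+$");

    static PrincipalForm classify(String principal) {
        if (principal == null) return PrincipalForm.UNSUPPORTED;
        String p = principal.trim();
        if (SID.matcher(p).matches())        return PrincipalForm.SID;
        if (DN.matcher(p).matches())         return PrincipalForm.DN;
        if (DOWN_LEVEL.matcher(p).matches()) return PrincipalForm.DOWN_LEVEL;
        if (UPN.matcher(p).matches())        return PrincipalForm.UPN;
        return PrincipalForm.UNSUPPORTED;    // e.g. a bare sAMAccountName such as "username"
    }

    // ldapUrl is a hypothetical parameter, e.g. "ldaps://dc.abc.com:636"; simple bind sends the password in clear, so use LDAPS.
    static DirContext bindAsUser(String ldapUrl, String principal, String password) throws NamingException {
        if (classify(principal) == PrincipalForm.UNSUPPORTED) {
            throw new IllegalArgumentException("not an AD simple-bind name form: " + principal);
        }
        // An empty password turns the request into an unauthenticated bind that AD treats as anonymous and reports as success.
        if (password == null || password.isEmpty()) {
            throw new IllegalArgumentException("empty password would bind anonymously");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.REFERRAL, "follow");
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) {   // constructed sample principals, not from a real directory
        for (String p : new String[] { "domain\\username", "username@abc.com",
                "CN=username,OU=xxx,DC=abc,DC=com", "S-1-5-21-3623811015-3361044348-30300820-1013", "username" }) {
            System.out.println(p + " -> " + classify(p));
        }
    }
}
```

Running main prints the classification of each sample; only the bare "username" comes back UNSUPPORTED, matching the behaviour the question reports.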

1
votes

I think you need to check the LDAP Principal Template. It specifies the principal authentication template required by your LDAP server. The principal authentication template is the format in which the authentication information for the security principal (the person who is logging in) must be passed to the LDAP server. The default value is ${email}, which is the format required by Microsoft Active Directory. Other LDAP servers require different authentication templates. Check with your network administrator to learn more about your LDAP server.