I have written test code for authenticating a user through an Active Directory server. I am able to authenticate using a bind DN with the code below.

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    public class AdBindTest {
        public static void main(String[] args) {
            LdapContext ldapContext = null;
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldaps://10.121.85.24:636");
            env.put(Context.SECURITY_PROTOCOL, "ssl");
            // the backslash must be escaped in a Java string literal ("\b" alone is a backspace)
            env.put(Context.SECURITY_PRINCIPAL, "EXTLDAPTEST\\batty"); // line 1
            env.put(Context.SECURITY_CREDENTIALS, "mypassword");
            env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(8000));
            // custom socket factory that accepts any server certificate (no certificate validation)
            env.put("java.naming.ldap.factory.socket", "com.auth.server.TrustAllSSLSocketFactory");
            try {
                ldapContext = new InitialLdapContext(env, null); // the bind happens here
            } catch (Exception e) {
                e.printStackTrace();
            }
            if (ldapContext != null) {
                System.out.println("Authenticated");
                try { ldapContext.close(); } catch (Exception e) { /* ignore errors on close */ }
            }
        }
    }
But when I replace line 1 with

    env.put(Context.SECURITY_PRINCIPAL, "CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local"); // line 1

it throws an exception:

    javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
AD's tree structure is:

Am I doing something wrong when trying to use the full DN for authentication?
EDIT 1: When I use a service account to get the full DN using

    NamingEnumeration<?> aa = context.list("OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local");

I get the following result:

    CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local

which is the same as what I passed for authentication.

EDIT 2: The reason I am using the full DN is that I will be given a service account and the DN of a sub-tree. Now, the same user can exist in different sub-trees, so I want to authenticate it from a specific sub-tree.
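The requirement in EDIT 2 (a service account plus the DN of one sub-tree, and a user who may exist in several sub-trees) is what the search-then-bind pattern is for: the service account searches for the login name below the given base, and the user's own credentials are then used to bind as the DN that search returned. The following is an added example of that pattern with JNDI; it is not the question's code. The host, the service-account DN, the class name and the AD_SERVICE_PASSWORD environment variable are assumptions, while the search base is the OU from the question. The example escapes the login name before building the search filter (RFC 4515), rejects empty passwords (an LDAP simple bind with an empty password is treated as anonymous and does not fail), validates the server certificate against the JVM trust store rather than using a trust-all socket factory, and decodes the `data` sub-code that Active Directory appends to error 49 messages (the `52e` in the question is "invalid credentials").

```java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

/** Search-then-bind authentication scoped to one AD sub-tree (added example, not the question's code). */
public class SubtreeAuthenticator {
    // Hypothetical deployment values; the search base is the OU from the question.
    private static final String LDAP_URL = "ldaps://ad.example.local:636";
    private static final String SERVICE_DN = "CN=svc-auth,OU=Service Accounts,DC=extLDAPTest,DC=local";
    private static final String SEARCH_BASE = "OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local";

    // Sub-codes AD places after "data" in error-49 messages and their documented meanings.
    private static final String[][] AD_SUBCODES = {
        {"525", "user not found"}, {"52e", "invalid credentials"}, {"530", "logon time restriction"},
        {"531", "workstation restriction"}, {"532", "password expired"}, {"533", "account disabled"},
        {"701", "account expired"}, {"773", "user must reset password"}, {"775", "account locked out"}};

    /** Simple bind as the given principal; the caller must close the returned context. */
    static LdapContext bind(String principal, String password) throws NamingException {
        // An empty password turns a simple bind into an anonymous bind that "succeeds"; refuse it up front.
        if (password == null || password.isEmpty()) {
            throw new AuthenticationException("empty password rejected");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "8000");
        // No custom socket factory: the server certificate is checked against the JVM trust store.
        return new InitialLdapContext(env, null);
    }

    /** Escapes a value for use inside an LDAP filter (RFC 4515) so a login name cannot alter the filter. */
    static String escapeFilterValue(String v) {
        // Backslash first, so the escapes produced below are not escaped again.
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00");
    }

    /** Returns the DN of exactly one user with this sAMAccountName under SEARCH_BASE, or null. */
    static String findUserDn(LdapContext serviceCtx, String samAccountName) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);           // whole sub-tree below the base
        controls.setReturningAttributes(new String[] { "distinguishedName" });
        controls.setCountLimit(2);                                        // enough to detect a duplicate
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(samAccountName) + "))";
        String dn = null;
        int hits = 0;
        try {
            NamingEnumeration<SearchResult> results = serviceCtx.search(SEARCH_BASE, filter, controls);
            while (results.hasMore()) {
                hits++;
                dn = results.next().getNameInNamespace();                 // full DN, not the relative name
            }
        } catch (SizeLimitExceededException e) {
            hits = 2;                                                     // more matches than the limit
        }
        return hits == 1 ? dn : null;                                     // absent or ambiguous -> null
    }

    /** Two steps: service account resolves the DN inside the sub-tree, then the user binds as that DN. */
    static boolean authenticate(String samAccountName, String password) {
        LdapContext serviceCtx = null, userCtx = null;
        try {
            serviceCtx = bind(SERVICE_DN, System.getenv("AD_SERVICE_PASSWORD"));
            String userDn = findUserDn(serviceCtx, samAccountName);
            if (userDn == null) return false;                             // not in this sub-tree, or not unique
            userCtx = bind(userDn, password);                             // user's own credentials
            return true;
        } catch (AuthenticationException e) {
            System.err.println("bind rejected: " + describeAdError(e.getMessage()));
            return false;
        } catch (NamingException e) {
            System.err.println("directory error: " + e.getMessage());
            return false;
        } finally {
            closeQuietly(userCtx);
            closeQuietly(serviceCtx);
        }
    }

    /** Maps the "data NNN" sub-code in an AD error-49 message to its meaning, for logging. */
    static String describeAdError(String message) {
        Matcher m = Pattern.compile("data ([0-9a-fA-F]{3})").matcher(message == null ? "" : message);
        if (!m.find()) return String.valueOf(message);
        for (String[] row : AD_SUBCODES) if (row[0].equalsIgnoreCase(m.group(1))) return row[1];
        return "error 49, data " + m.group(1);
    }

    static void closeQuietly(LdapContext ctx) {
        if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
    }

    public static void main(String[] args) {
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        System.out.println(authenticate(args[0], new String(pw)) ? "Authenticated" : "Rejected");
    }
}
```

Run it as `java SubtreeAuthenticator batty` with the service-account password in `AD_SERVICE_PASSWORD`. Because the search is anchored at `SEARCH_BASE` with sub-tree scope, a user of the same name under a different OU is never returned, which is the isolation EDIT 2 asks for; the count limit of two turns a duplicate name inside the chosen sub-tree into a rejection instead of a silent bind as whichever entry came back first.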