1 vote

I have written a test code for authenticating a user through an Active Directory server. I am able to authenticate using a bind DN using the code below.

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdBindTest {

    public static void main(String[] args) {

        LdapContext ldapContext = null;

        Hashtable<String, String> env = new Hashtable<String, String>();

        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://10.121.85.24:636");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        // DOMAIN\user form; the backslash must be doubled inside a Java string literal
        env.put(Context.SECURITY_PRINCIPAL, "EXTLDAPTEST\\batty"); // line 1
        env.put(Context.SECURITY_CREDENTIALS, "mypassword");
        env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(8000));
        // custom socket factory that accepts any server certificate (no chain validation)
        env.put("java.naming.ldap.factory.socket", "com.auth.server.TrustAllSSLSocketFactory");

        try {
            ldapContext = new InitialLdapContext(env, null);
        } catch (Exception e) {
            e.printStackTrace();
        }

        if (ldapContext != null)
        {
            System.out.println("Authenticated");
        }
    }
}

But when I replace line 1 with

env.put(Context.SECURITY_PRINCIPAL, "CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local"); // line 1

it throws this exception:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

AD's tree structure is: [screenshot not included]

Am I doing something wrong when trying to use the full DN for authentication?

EDIT 1: When I use the service account to get the full DN using

NamingEnumeration<?> aa = context.list("OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local");

I get the following result:

CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local

which is the same as what I passed for authentication.

EDIT 2: The reason I am using the full DN is that I will be given a service account and the DN of a sub-tree. Now, the same user can exist in different sub-trees, so I want to authenticate it from a specific sub-tree.
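The following is an added example, not code from the question or from either answer, showing the two-step flow that EDIT 2 describes: bind with the service account, search only the given sub-tree for the account name, and then bind a second time with the DN that was found and the user's own password. The sub-tree DN and the user name are the ones from the question; the server name, the service account name, the class name and the environment variable names are placeholders. The filter value is escaped per RFC 4515 so that the account name supplied by a caller cannot change the shape of the search filter.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Authenticates an AD user only if the account is found under one specific sub-tree. */
public class SubtreeAuthenticator {

    private final String url;              // placeholder, e.g. "ldaps://ad.example.test:636"
    private final String servicePrincipal; // service account in DOMAIN\user form
    private final String servicePassword;

    public SubtreeAuthenticator(String url, String servicePrincipal, String servicePassword) {
        this.url = url;
        this.servicePrincipal = servicePrincipal;
        this.servicePassword = servicePassword;
    }

    /** Escapes the characters RFC 4515 reserves inside a filter assertion value. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Simple bind over LDAPS; an empty password is refused because it would become an anonymous bind. */
    private LdapContext bind(String principal, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            throw new NamingException("empty password refused");
        }
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "8000");
        return new InitialLdapContext(env, null); // uses the JVM trust store, no trust-all factory
    }

    /** Returns the DN of the single account with this sAMAccountName under searchBase, or null if absent. */
    String findUserDn(String searchBase, String samAccountName) throws NamingException {
        LdapContext svc = bind(servicePrincipal, servicePassword);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            String filter = "(&(objectClass=user)(sAMAccountName="
                    + escapeFilterValue(samAccountName) + "))";
            NamingEnumeration<SearchResult> results = svc.search(searchBase, filter, sc);
            try {
                if (!results.hasMore()) {
                    return null;
                }
                String dn = results.next().getNameInNamespace(); // full DN of the entry
                if (results.hasMore()) {
                    throw new NamingException("more than one match under " + searchBase);
                }
                return dn;
            } finally {
                results.close();
            }
        } finally {
            svc.close();
        }
    }

    /** True only if the account exists under searchBase and the password binds successfully. */
    public boolean authenticate(String searchBase, String samAccountName, String password) {
        try {
            String userDn = findUserDn(searchBase, samAccountName);
            if (userDn == null) {
                return false;
            }
            bind(userDn, password).close(); // AD answers a wrong password with error code 49, data 52e
            return true;
        } catch (NamingException e) {
            return false; // treat lookup failures and bind failures alike; log e in real code
        }
    }

    public static void main(String[] args) {
        SubtreeAuthenticator auth = new SubtreeAuthenticator(
                "ldaps://ad.example.test:636",           // placeholder server
                "EXTLDAPTEST\\svc_ldap",                 // placeholder service account
                System.getenv("LDAP_SVC_PASSWORD"));     // placeholder env var
        boolean ok = auth.authenticate(
                "OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local",
                "batty",
                System.getenv("LDAP_USER_PASSWORD"));    // placeholder env var
        System.out.println(ok ? "authenticated" : "rejected");
    }
}
```

Searching an OU rather than the domain root keeps the user lookup inside the intended sub-tree and normally avoids the referrals that AD returns for forest-wide searches; if a base that produces referrals is ever used, JNDI's default referral handling of "ignore" surfaces them as a PartialResultException, which this code treats as an authentication failure rather than following them to another server.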


2 Answers

0 votes

LDAP error code 49 is caused by invalid credentials.

But you can use applications like ADSI Edit or AD Explorer to get the DN for an object. You can either just use them to view the "distinguishedName" attribute of the object in question, or use other methods that are specific to each application.

Or use LDAPExplorerTool 2 and find the CN you want to get the DN of. You can get its value in the secDN attribute: [screenshot not included]

0 votes

I was wondering why you need to use a full DN to specify the user name. You can use either the DOMAIN\USER or the USER@DOMAIN format to authenticate against AD.

I personally never used any other format, but RFC 2829 specifies the following DN-based authentication identity format: dn: DN. In your case, SECURITY_PRINCIPAL would look like dn: CN=batty,OU=Unsorted,OU=EDN Users,OU=User accounts,DC=extLDAPTest,DC=local. Once again, I never used the DN format, but try it out and see if the proposed solution works.

Hope this helps.