2

I thought I'd find more about this topic but I didn't.

I have to write a Java application that checks which OU a specific user is part of.

But to authenticate with the server I can't ask for username and password and also can't store it in the source (or some other file).

Is there a way with JNDI and Java to authenticate with the user who is currently logged in?

ROMANIA_engineer
Dominik G
  • Currently logged into what? Your question appears circular. Normally if you have LDAP it is LDAP that you are logged into. – user207421 Jun 11 '12 at 12:07
  • I think the easiest way would be to have a technical user with only read permissions on the users ou tree. and use that user/pass. You can also rely on anonymous ldap access, but that's less secure. – hovanessyan Jun 11 '12 at 12:08
  • @EJP logged in to Windows (I know there might be some code involved that breaks the platform independence). – Dominik G Jun 11 '12 at 12:10
  • @hovanessyan Actually I have only read access myself, and I also thought about asking the Admins for creating some "dummy user", but I think it would be a better solution to search the ldap with some "current Windows user authentication" – Dominik G Jun 11 '12 at 12:12
  • http://stackoverflow.com/questions/5335916/how-to-do-authentication-using-ldap-application-third-party-application-etc – Sanath Jun 11 '12 at 12:13
  • http://stackoverflow.com/questions/337756/what-is-a-good-embeddable-java-ldap-server – Sanath Jun 11 '12 at 12:14
  • @Sanath actually that doesn't help me, the one link is about using a LDAP Server, I only use a client, and the other one is about authenticating against LDAP when using another application, but actually I want to authenticate for LDAP, since I have to search inside the AD – Dominik G Jun 11 '12 at 12:18

3 Answers

2

All you can do is check if there is some user with the same username as the user that is currently logged in to your Java application. You won't be able to check anything else without their password. To do this, you'll need the username and password of some LDAP user that has permission to list other users. Then you can query the LDAP for your user.

This is an example adapted from something I use; it checks against an Active Directory, so perhaps it will need some changes:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// {USERNAME} is a placeholder: substitute the (filter-escaped) account name before calling
boolean userFound = userExists("searchUser",
        "searchPassword",
        "(sAMAccountName={USERNAME})",
        "ldap://ldap.mydomain.com",
        "OU=MYOU,dc=mydomain,dc=com");

private boolean userExists(String searchUser, String searchPassword,
        String filter, String url, String baseDn) throws NamingException {
    DirContext ctx = null;
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, url);
    // simple bind as the search account; searchUser must be its full DN
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, searchUser);
    env.put(Context.SECURITY_CREDENTIALS, searchPassword);

    try {
        ctx = new InitialDirContext(env);
        // no attributes requested: we only care whether an entry matches the filter
        String[] attributeFilter = {};
        SearchControls sc = new SearchControls();
        sc.setReturningAttributes(attributeFilter);
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);

        NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
        return results.hasMore();
    } finally {
        if (ctx != null) {
            try {
                ctx.close();
            } catch (NamingException e) {
                // nothing useful to do if closing the context fails
            }
        }
    }
}
```
Pablo
  • Exactly that is the problem, because I can't use a password of some real user inside the application. – Dominik G Jun 11 '12 at 12:20
  • @DominikG It doesn't need to be a real user. It can be a user created just for this that only has the exact permissions needed. Of course you'll need to store the user and password somewhere. But because it is not a real user, the risk is lower. – Pablo Jun 11 '12 at 12:29
  • I requested some "dummy user". Since I am quite new to LDAP and AD, I have one more small question. For the searchUser as you called it, I have to provide the full dn right? – Dominik G Jun 11 '12 at 12:38
  • if you have not started fully yet with the implementation, check out the UnboundID LDAP SDK http://www.unboundid.com/products/ldap-sdk/ – hovanessyan Jun 11 '12 at 12:56
  • @DominikG Yes, you need the full dn. – Pablo Jun 11 '12 at 13:16
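The following is an added example built on the approach in this answer; it is not Pablo's code or part of the original thread. It takes the account name of the user the JVM runs as (`System.getProperty("user.name")`, assumed here to equal the AD `sAMAccountName`), searches for it with a read-only service account, and reads the OU components out of the entry's DN, which is what the question actually asks for. The host name, service account DN, base DN, and the `LDAP_READER_PASSWORD` environment variable are placeholders. Because the username is taken from outside the application, it is escaped before it is placed in the search filter (RFC 4515), which closes the LDAP-filter-injection hole a plain string concatenation would leave.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example (not from the thread): OU lookup for the current OS user via a read-only bind. */
public class CurrentUserOu {

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Returns the DN of the account named {@code username}, or null if there is none. */
    static String findUserDn(String url, String bindDn, String bindPassword,
                             String baseDn, String username) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);        // full DN of the service account
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        // The username comes from the OS, so it is treated as untrusted filter input.
        String filter = "(&(objectClass=user)(sAMAccountName="
                + escapeFilterValue(username) + "))";

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "distinguishedName" });

        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
            try {
                return results.hasMore() ? results.next().getNameInNamespace() : null;
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    /** OU names from a DN, innermost first: "CN=jdoe,OU=Sales,OU=Staff,DC=..." -> [Sales, Staff]. */
    static List<String> ousFromDn(String dn) throws InvalidNameException {
        List<String> ous = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {   // LdapName lists the root (DC) RDNs first
            if ("OU".equalsIgnoreCase(rdn.getType())) {
                ous.add(0, rdn.getValue().toString());  // prepend so the leaf-most OU ends up first
            }
        }
        return ous;
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("LDAP_READER_PASSWORD");   // placeholder secret source
        if (password == null) {
            throw new IllegalStateException("LDAP_READER_PASSWORD is not set");
        }
        String currentUser = System.getProperty("user.name");      // account this JVM runs as
        String dn = findUserDn("ldaps://ldap.example.com:636",     // placeholder host
                "CN=svc-ldap-reader,OU=Service Accounts,DC=example,DC=com",
                password, "DC=example,DC=com", currentUser);
        if (dn == null) {
            System.out.println("No AD account named " + currentUser);
        } else {
            System.out.println(dn + " -> OUs " + ousFromDn(dn));
        }
    }
}
```

The bind uses `ldaps://` so the service-account password is not sent in the clear, and `ousFromDn` relies on `LdapName` rather than string splitting so that escaped commas inside RDN values are handled correctly. Keeping the service account read-only and scoped to the users subtree, as hovanessyan suggested above, limits what a leaked password could be used for.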
1

If the LDAP client has an existing connection, use either the "who am i?" extended request or the authorization identity request control to determine the authID of an existing connection; LDAP-compliant servers and the UnboundID LDAP SDK will support either method. The "who am i?" extended request can be used at any time on a connection (assuming the authentication identity has permission to use the extended request), but the authorization identity request control can only be attached to a bind request.

The use of the "who am i?" extended request and the authorization identity request control is demonstrated in AuthDemo.java.


Terry Gardner
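Both mechanisms named in this answer, shown with the UnboundID LDAP SDK, as an added example that is not AuthDemo.java or any other code from the SDK's documentation. The host, truststore path, service-account DN and the `LDAP_READER_PASSWORD` environment variable are placeholders. The first method attaches the authorization identity request control to a simple bind and reads the authzId back off the bind response; the second sends the "who am i?" extended request (RFC 4532) on the already-bound connection. Both return what the server believes the connection is authorized as, so they are a useful check that a pooled or reused connection is really bound as the account the application expects.

```java
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.controls.AuthorizationIdentityRequestControl;
import com.unboundid.ldap.sdk.controls.AuthorizationIdentityResponseControl;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedRequest;
import com.unboundid.ldap.sdk.extensions.WhoAmIExtendedResult;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

/** Added example (not from the thread): two ways to learn a connection's authorization identity. */
public class AuthIdDemo {

    /**
     * Bind with the authorization identity request control attached. A server that
     * supports the control returns the authzId (e.g. "dn:CN=...") on the bind response.
     * Returns null if the server did not include the response control.
     */
    static String bindAndReportAuthzId(LDAPConnection conn, String bindDn, String password)
            throws LDAPException {
        SimpleBindRequest bind = new SimpleBindRequest(bindDn, password,
                new AuthorizationIdentityRequestControl());
        BindResult result = conn.bind(bind);
        AuthorizationIdentityResponseControl response =
                AuthorizationIdentityResponseControl.get(result);
        return response == null ? null : response.getAuthorizationID();
    }

    /** Ask an already-authenticated connection who it is (the "who am i?" extended request). */
    static String whoAmI(LDAPConnection conn) throws LDAPException {
        WhoAmIExtendedResult result = (WhoAmIExtendedResult)
                conn.processExtendedOperation(new WhoAmIExtendedRequest());
        if (result.getResultCode() != ResultCode.SUCCESS) {
            // e.g. the bound identity lacks permission for the extended operation
            throw new LDAPException(result);
        }
        return result.getAuthorizationID();
    }

    public static void main(String[] args) throws Exception {
        String password = System.getenv("LDAP_READER_PASSWORD");   // placeholder secret source
        if (password == null) {
            throw new IllegalStateException("LDAP_READER_PASSWORD is not set");
        }
        // TLS with an explicit truststore so the server certificate is actually verified
        SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager("/path/to/truststore.jks"));
        try (LDAPConnection conn = new LDAPConnection(sslUtil.createSSLSocketFactory(),
                "ldap.example.com", 636)) {                         // placeholder host
            String fromBind = bindAndReportAuthzId(conn,
                    "CN=svc-ldap-reader,OU=Service Accounts,DC=example,DC=com",
                    password);
            System.out.println("authzId from bind control: " + fromBind);
            System.out.println("authzId from who am i?:    " + whoAmI(conn));
        }
    }
}
```

Neither call changes who the connection is bound as; they only report it. The bind-control variant costs nothing extra because it rides on the bind you already send, while "who am i?" is the one to use when the bind happened elsewhere (a connection pool, a library) and you want to confirm the identity before issuing searches.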
0

Since it seems that there is no real solution to this, I now go with requesting login information at the start of the script/tool and using it when needed.

Dominik G