4

I'm building an application where I need to connect to Active Directory using UnboundID. Using an example, I managed to connect a user with their distinguishedName and password.

However I would like to authenticate them using only the domain and the username, similar to how it's done in Windows. Browsing AD using a tool called JXplorer it seems like the sAMAccountName might be the property I need. However replacing the distinguishedName with the sAMAccountName resulted in an AcceptSecurityContext error. Using the "uid=..." syntax shown in the example also yielded the same error.

Is there a way to logon using only the domain, username/sAMAccountName and password. or do I somehow need to search through AD and find the distinguishedName of the user I wish to authenticate, and then bind the connection using their distinguishedName and password?

Hash
  • 4,647
  • 5
  • 21
  • 39
Anders
  • 125
  • 1
  • 3
  • 13
  • 1
    Unlike conventional LDAP which requires the DN in a simple bind, AD permits using the sAMAccountName directly in a simple bind (so no, you don't need to search for the DN). But for a variety of reasons, using LDAP for authentication is not ideal. Something like [Jespa](http://www.ioplex.com/) would be the proper way to do it because it mimics exactly how Windows authenticates clients. – squarewav Apr 08 '15 at 13:31
  • This was an interesting alternative, and I may look into it if we ever plan on using AD to manage user permissions. At the moment neither this nor using IE SSO is an option so it seems a bit overkill. I would like to know how you managed to use the sAMAccountName in a simple bind though. It is after all the purpose of my original question. – Anders Apr 09 '15 at 17:44

2 Answers2

8

As @ioplex said in his comment, AD accepts a bind using the username from the sAMAccountName with the domain name appended to it. Just use it instead of the DN on the bind:

String userId = username + "@" + domain;
SimpleBindRequest adminBindRequest = new SimpleBindRequest(userId, passsword);

The final userId will be something like 'eharris@contoso.local'

Danny Boyd
  • 317
  • 6
  • 13
  • This did not work for me. As far as I could tell using the @ symbol Microsofts AD server attempts to match the e-mail address. This is not wrong since the e-mail address is a unique identifier in AD, but it seems awkward when your e-mail domain differs from your AD domain. In the end I used this approach `String userId = username + "\\" + domain`. Off topic: My initial trouble turned out to be caused by our domain name and the server(s) DNS address being different. Something nobody had remembered to tell me :( – Anders Oct 22 '15 at 11:28
5

You will need to use an account with appropriate permissions to perform a search for samAccountName to locate the user and then bind as the found user using the Distinguished Name.

You need to be sure you only return one entry from the search.

Sample For Demonstration Purposes ONLY!

Parameters would be something like:

"adldap.example.com" "CN=bob,OU=Users,DC=example,DC=com" "connPwd" "OU=Users,DC=example,DC=com" "samAccountName" "findUserValue" "userPassword" 

    /**
 * @author jwilleke <br/>
 *         Use For Demonstration Purposes ONLY!
 * @param args
 */
public static void main(String[] args)
{
String connHost = args[0];
String connID = args[1];
String connPwd = args[2];
String searchBase = args[3];
String findUserByAttribute = args[4];
String findUserValue = args[5];
String userPassword = args[6];
int connPort = 389;

// TODO Auto-generated method stub
String actualLDAPServer = null;
RootDSE rootDSE = null;
// If I were doing this for real, I would use a POOL for Connections

SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager()); // Use For Demonstration Purposes ONLY!
SSLSocketFactory sslSocketFactory = null;
try
{
    sslSocketFactory = sslUtil.createSSLSocketFactory();
}
catch (GeneralSecurityException e1)
{
    // TODO Auto-generated catch block
    e1.printStackTrace();
}
SimpleBindRequest adminBindRequest = new SimpleBindRequest(connID, connPwd);
LDAPConnection adminConnection = new LDAPConnection(sslSocketFactory);
try
{
    adminConnection = new LDAPConnection(connHost, connPort);
    log.debug("Successful LDAP adminConnection to:" + connHost + ":" + connPort);
    adminConnection.bind(adminBindRequest);
    log.debug("Successful Bind as:" + connID);
}
catch (LDAPException e)
{
    // TODO Auto-generated catch block
    e.printStackTrace();
}

LDAPConnection userConnection = new LDAPConnection(sslSocketFactory);
try
{
    userConnection = new LDAPConnection(connHost, connPort);
    log.debug("Successful LDAP userConnection to:" + connHost + ":" + connPort);
}
catch (LDAPException e)
{
    // TODO Auto-generated catch block
    e.printStackTrace();
}
// Construct Filter to find user
Filter findUserfilter = null;
findUserfilter = Filter.createEqualityFilter(findUserByAttribute, findUserValue);
// Create Search Request
SearchRequest searchRequest = new SearchRequest(searchBase, SearchScope.SUB, findUserfilter);
searchRequest.setSizeLimit(1); // We will error if we get more than one hit
SearchResult searchResult = null;
try
{
    searchResult = adminConnection.search(searchRequest);
}
catch (LDAPSearchException e)
{
    // TODO Auto-generated catch block
    e.printStackTrace();
}
String userDN = null;
if (searchResult.getEntryCount() > 1)
{
    log.error("We got more than one Entry for:" + searchRequest.getFilter());
}
if (searchResult.getEntryCount() == 0)
{
    log.error("We got No Entries for:" + searchRequest.getFilter());
}
for (SearchResultEntry entry : searchResult.getSearchEntries())
{
    userDN = entry.getDN();
    log.debug("Found an Entry: " + userDN);
}
SimpleBindRequest userBindRequest = new SimpleBindRequest(userDN, userPassword);
if (userBindRequest.getBindDN() == null)
{
    log.warn("We got a null for the userBindRequest UserDN and therefore the bind is anonymous !");
}
if (userBindRequest.getPassword() == null)
{
    log.warn("We got a null for the userBindRequest Password and therefore the bind is anonymous !");
}
try
{
    userConnection.bind(userDN, userPassword);
    log.debug("Successful userConnection Bind as:" + userDN);
}
catch (LDAPException e)
{
    // TODO Auto-generated catch block
    e.printStackTrace();
}
}

-jim

jwilleke
  • 10,467
  • 1
  • 30
  • 51
  • Do you have a code example for this. I tried using an adaptation of this: http://stackoverflow.com/questions/11665418/how-to-get-dn-in-ldap-with-user-id-using-unboundid-ldap-sdk, but my search keeps returning a null object. – Anders Apr 09 '15 at 17:53