
I'm trying to connect to an Active Directory server using credentials that were created for a Linux server. There's a web interface on the server for providing the credentials, and I'm unable to connect with the credentials I'm providing. To troubleshoot, I'm just trying to connect from my local machine in Java using the same method the code on the server is using.

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    public class ConnectLdap {

        public static void main(String[] args) throws NamingException {

            final String ldapAdServer = "ldap://server:port";
            final String ldapSearchBase = "OU=Users,OU=xxx,DC=yyy,DC=zzz,DC=aaa,DC=com";

            final String ldapUsername = "user";
            final String ldapPassword = "password";

            final String ldapAccountToLookup = "lookup";
            final String dc = ",DC=yyy,DC=zzz,DC=aaa,DC=com";
            final String ou = ",OU=Uncommon Users,OU=xxx";

            Hashtable<String, Object> env = new Hashtable<String, Object>();
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            if (ldapUsername != null) {
                // bind identity given as the user's full distinguished name
                env.put(Context.SECURITY_PRINCIPAL, "CN=" + ldapUsername + ou + dc);
            }
            if (ldapPassword != null) {
                env.put(Context.SECURITY_CREDENTIALS, ldapPassword);
            }
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, ldapAdServer);

            // the following is helpful in debugging errors
            // (note: the BER trace writes the bind password to stderr in the clear)
            //env.put("com.sun.jndi.ldap.trace.ber", System.err);

            LdapContext ctx = new InitialLdapContext(env, null);
            ConnectLdap ldap = new ConnectLdap();

            try {
                ldap.findUsers(ctx, ldapSearchBase);
                ldap.findAccountByAccountName(ctx, ldapSearchBase, ldapAccountToLookup);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        // The post does not include these two helpers; minimal subtree
        // searches are supplied here so the class compiles and runs.
        void findUsers(LdapContext ctx, String searchBase) throws NamingException {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = ctx.search(searchBase, "(objectClass=user)", sc);
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
        }

        void findAccountByAccountName(LdapContext ctx, String searchBase, String accountName)
                throws NamingException {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // accountName is a constant here; escape it if it ever comes from user input
            String filter = "(&(objectClass=user)(sAMAccountName=" + accountName + "))";
            NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, sc);
            while (results.hasMore()) {
                System.out.println(results.next().getNameInNamespace());
            }
        }
    }

There are many questions out there with similar problems, like this one, "Java ldap authentication issue", for which cn should be used instead of uid; this one, "Randomly getting LDAP Error 49, data 52e on random users?"; and this one, "LDAP + Java Aplication Authentication error code 49 - 52e", where the AD does not allow anonymous binding, which I don't think I'm trying to do since I'm providing the username and password. This one, "LDAP: error code 49 - Simple Bind Failed: NT_STATUS_LOGON_FAILURE", is where the problem is trying to connect using a relative distinguished name, which I also don't think I'm doing. I can connect using this username and password with a client, navigate to the user I connected with and get the full distinguished name of the user. This full DN is what I'm providing in SECURITY_PRINCIPAL; what am I missing?

Here is the exception which occurs when trying to construct the InitialLdapContext:

Exception in thread "main" javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
gary69
  • "...and I'm unable to connect..." - we're going to need a bit more than that. What error message/code do you get back? Is there an exception or stack trace available? – adelphus Aug 05 '15 at 17:51
  • I'm sorry I forgot to post the exception, just added it – gary69 Aug 05 '15 at 18:58
  • There is a space in one of my OUs; according to this article http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx you only need to escape leading and trailing spaces – gary69 Aug 05 '15 at 19:34
  • Also tried CN=server\username and uid={0} in place of CN with no luck – gary69 Aug 06 '15 at 19:05

1 Answer


This line

env.put(Context.SECURITY_PRINCIPAL, "CN=" + ldapUsername + ou + dc);

should be

env.put(Context.SECURITY_PRINCIPAL, ldapUsername + "@dc1.dc2.dc3.dc4");

If you're using a client, it's the userPrincipalName in the properties of the user.

gary69
  • This is not necessary, AD allows LDAP binds with the UPN, but a 'normal' bind would use the qualified DN just like the OP is doing. – mvreijn Aug 10 '15 at 19:49
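Putting the answer and mvreijn's comment together, as an added example that is not part of the original question or answer: the class below tries the three bind-identity forms an AD domain controller accepts for a simple bind (full DN, userPrincipalName, and NetBIOS DOMAIN\sAMAccountName) and decodes the "data NNN" sub-code AD appends to an error 49, so a 52e (wrong username or password, the code in the question) can be told apart from a disabled, locked or expired account. The class name AdBindCheck, the UPN suffix yyy.zzz.aaa.com and the NetBIOS name YYY are assumptions standing in for the placeholders in the question. Two caveats a practitioner would want: a simple bind over ldap:// sends the password in the clear, so use ldaps:// (port 636) against any real DC, and the commented-out com.sun.jndi.ldap.trace.ber line in the question dumps that same password to stderr.

```java
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdBindCheck {

    // Sub-error codes AD places after "data" in an error 49 message (hex, from
    // the Windows logon-failure status codes). 52e is "invalid credentials".
    private static final Map<String, String> AD_DATA_CODES = Map.of(
        "525", "user not found",
        "52e", "invalid credentials (bad username or password)",
        "530", "not permitted to log on at this time",
        "531", "not permitted to log on at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "account locked out");

    private static final Pattern DATA_CODE = Pattern.compile("data ([0-9a-fA-F]{3})");

    /** Maps the "data NNN" token of an AD error 49 message to its meaning. */
    static String explainAdError(String message) {
        Matcher m = DATA_CODE.matcher(message);
        if (!m.find()) {
            return "no AD sub-code present";
        }
        String code = m.group(1).toLowerCase();
        return code + ": " + AD_DATA_CODES.getOrDefault(code, "unknown sub-code");
    }

    /** Attempts one simple bind with the given principal string and reports the outcome. */
    static String tryBind(String url, String principal, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);            // ldaps://host:636 for a real DC
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            LdapContext ctx = new InitialLdapContext(env, null);
            ctx.close();
            return "OK";
        } catch (AuthenticationException e) {
            return "error 49, " + explainAdError(String.valueOf(e.getMessage()));
        } catch (NamingException e) {
            return "other failure: " + e;
        }
    }

    public static void main(String[] args) {
        // Offline check on constructed input: the message from the question.
        String posted = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
            + "comment: AcceptSecurityContext error, data 52e, v1db1";
        System.out.println(explainAdError(posted));

        if (args.length < 3) {
            System.out.println("usage: AdBindCheck ldaps://host:636 sAMAccountName password");
            return;
        }
        String url = args[0], user = args[1], pw = args[2];
        // Assumed placeholder names: the DN components from the question,
        // a UPN suffix of yyy.zzz.aaa.com and a NetBIOS domain name of YYY.
        String[] principals = {
            "CN=" + user + ",OU=Uncommon Users,OU=xxx,DC=yyy,DC=zzz,DC=aaa,DC=com", // full DN
            user + "@yyy.zzz.aaa.com",                                            // userPrincipalName
            "YYY\\" + user                                                        // DOMAIN\sAMAccountName
        };
        for (String p : principals) {
            System.out.println(p + " -> " + tryBind(url, p, pw));
        }
    }
}
```

Run with no arguments to see the decode of the posted message alone; with a URL, account name and password it attempts all three bind forms against the DC and prints which ones the directory accepts. If the DN form fails with 52e while the UPN form succeeds, the DN in SECURITY_PRINCIPAL does not match the object's actual distinguishedName; if all three fail with 52e, the password itself is wrong for that account.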