4

This application will be run on clients that are already authenticated in Active Directory.

Problem: the LDAP protocol (or Active Directory settings) seem to require username and password.

Goal: query Active Directory using LDAP in Java without having to authenticate (ask for username and password).

Gist: all clients who run this application have already logged in. Thus, they are already authenticated (into)/ by Active Directory.

Now that they are logged in and have access to AD outside the application, isn't it possible to "mooch" off of the fact that they are already authenticated and run my LDAP queries in my application?

Errors: while trying to maneuver past authentication, I have become accustomed to binding errors, log4j errors, and almost everything recommended on Stack Overflow, Oracle and Apache.

Methods tried: I have tried anonymous binding, LDAP APIs, nada!!

Questions:

  1. Is it possible to query Active Directory without authentication?
  2. Is it possible to query Active Directory by telling the server that "hey, I am already logged into AD, proceed with my queries?" without prompting the user for Username and password?
marc_s
Timetrax
  • similar question with no resolve: http://stackoverflow.com/questions/37523816/ldap-via-java-without-providing-password – Timetrax Jul 26 '16 at 03:23
  • 1
    There are a few options that are articulated for the SSO here in this thread (https://stackoverflow.com/questions/545667/how-to-use-windows-login-for-single-sign-on-and-for-active-directory-entries-for). Most of them talk of using a Kerberos / GSS route. There is also an option to try it with Spring Security; there are answers that are accepted, hopefully you can pick it up and take it from there – Ramachandran.A.G Jul 26 '16 at 03:42

2 Answers

2

Is it possible to query Active Directory without authentication?

I think no, you cannot, as this will violate security. Another way might be to use single sign-on utilities that let you sign in and then they will provide you the details.

Is it possible to query Active Directory by telling the server that "hey, I am already logged into AD, proceed with my queries?" without prompting the user for Username and password?

You can try http://spnego.sourceforge.net/ or http://jcifs.samba.org/src/docs/ntlmhttpauth.html to use NTLM.

Dev
1

The following solution (or at least a very similar one) was used to solve this question:

import com4j.Variant;
import com4j.typelibs.ado20.ClassFactory;
import com4j.typelibs.ado20._Command;
import com4j.typelibs.ado20._Connection;
import com4j.typelibs.ado20._Recordset;

public class AdQuery {

    public static void queryADForComputers() throws Exception {

        String query            = "cn,sn,givenName,department";
        String filter           = "(&(objectclass=user)(objectcategory=person))";
        String namingContext    = "OU=Desktops,OU=Workstations,OU=HO,DC=win";
        _Connection conn        = ClassFactory.createConnection();

        // ADsDSOObject is the ADSI OLE DB provider; with empty user name and
        // password it binds with the credentials of the logged-on Windows session.
        conn.provider("ADsDSOObject");
        conn.open("Active Directory Provider", "", "", -1);

        _Command cmd            = ClassFactory.createCommand();
        cmd.activeConnection(conn);
        cmd.commandText("<LDAP://" + namingContext + ">;" + filter + ";" + query + ";subTree");
        _Recordset rs = cmd.execute(null, Variant.getMissing(), -1);
        System.out.println("Found " + rs.recordCount() + " users/computers/whatever i was looking for");

        // Walk the recordset; each field value comes back as an Object, so either
        // call toString() on it or check its type and go from there.
        while (!rs.eof()) {
            for (int i = 0; i < rs.fields().count(); i++) {
                Object value = rs.fields().item(i).value();
                System.out.println(rs.fields().item(i).name() + " = " + value);
            }
            rs.moveNext();
        }
        rs.close();
        conn.close();
    }

    public static void main(String[] args) throws Exception {
        queryADForComputers();
    }
}

I worked on this a while ago and don't currently have an Active Directory to test and verify, but this should get you started.

marc_s
Timetrax