
I am struggling with a problem where I wasn't able to find a lean and generic solution. This is my situation:

I am in a huge AD forest with > 20 sub domains replicating over several hundreds of servers. Say the main domain and Kerberos realm is COMPANY.COM and I am working in D1.COMPANY.COM. I do connect from Java to the global catalog and am able to access the entire forest to support all company users.

My connection URL is like this: ldap://mycompany.com:3268/DC=company,DC=com

The entire stuff is running in a webapp using SPNEGO to authenticate the users, which works very well. I.e., after successful login I do receive the user's UPN/Kerberos principal. Due to some reasons all UPN fields in the forest were altered to match the user's email address rather than leaving the UPN value intact. This means that I am not able to search by the krb princ but I have to strip out the username and search by sAMAccountName. I presumed the sAMAccountName is unique in the entire forest until a user failed to login yesterday. After some LDAP query magic I figured out that two users have the same sAMAccountName in two different domains. My search fails.

So the issue is, how do I determine the base DN/DC of a realm/sub domain based in the Kerberos realm?

I figured out several approaches with a stripped realm string:

  1. construct an LDAP URL, connect to it and read defaultNamingContext
  2. reformat domain name to DC=d1,DC...

Currently, I am using approach 2 which seems to be the easiest way. Although some C# post here on Stack Overflow said that this might fail due to disjoint namespaces.

Is anyone aware of a safe solution? The best would be actually to translate Kerberos principals to user principal names.

Michael-O
  • samAccountName is unique across the forest. Otherwise there is some serious problem in your servers. Probably the GC is out of sync on those two servers? – kalyan Jun 29 '11 at 06:52
  • @kalyan Actually it's not. It has to be according to [this](http://technet.microsoft.com/en-us/library/ee198826.aspx) article. It seems that the admin guys were really sloppy. I double-checked it and their account creation script verifies against the domain only. This is pita. The accounts were created years ago and the last change time is old. – Michael-O Jun 29 '11 at 07:35

2 Answers


After login you get the UPN, which is an email. The username part of it can be used because it's not unique. The domain part can not be used because it needs to be the same as the naming context. You may have the dc=mydomain,dc=com but the domain for the email can be like myemaildomain.com. And I can add this as an additional UPN as well; I guess this is what happened in your case.

Do not take the second approach. Take the first one. Do a DNS SRV lookup of _ldap._tcp.domain.com. Read about DnsQueryConfig to get the configured domain name. Get the server name. Do a RootDSE search requesting namingContext, and construct the LDAP URLs.

Further, it looks like the email id in your domain is unique across the forest (?). If so, maybe you can mark the email id as a PAS attribute so that every GC has a copy of it and do an LDAP search on the GC port for the email id. But this is a very bad option as this requires schema changes, and that too with more than 20 subdomains.

kalyan
  • Thanks for the reply. It took me some time to make an investigation. I exported all sAMAccountNames and userPrincipalNames and had > 5000 dups in the first and 3000 in the latter. Most UPNs are duplicate UPNs are serviced incorrectly. The email Id (UPN) is not unique :-( Moreover, I have no control over the forest. Your guess is absolutely correct, that is causing headaches. – Michael-O Jul 01 '11 at 09:30
  • I tend to the first one as well but I do not completely understand what I have to do. For the first step, I will do [this](http://stackoverflow.com/questions/738750/querying-the-dns-service-records-to-find-the-hostname-and-tcp-ip) but what do I do for the second one? – Michael-O Jul 01 '11 at 09:31
  • Wouldn't it be safe to bind against the Kerberos realm which is dynamically mapped to a concrete replicant and then retrieve defaultNamingContext? This approach would avoid the DNS lookup. – Michael-O Jul 01 '11 at 09:42
  • I am not aware how to bind against the Kerberos realm and retrieve defaultNamingContext. If you are talking about some existing APIs then I am lost. – kalyan Jul 04 '11 at 09:30
  • If neither email (or UPN) nor samAccountName is unique, how will you find the user uniquely? At least fix the script now and start enforcing that samAccountName should be unique across the forest. Is there a way you can fix the samAccountName now? If your target is only to formulate a base DN, get the defaultNamingContext list in whatever way you could and use it. – kalyan Jul 04 '11 at 09:35
  • Unfortunately, neither one is unique. I will file a ticket about the script at work here. I seriously doubt that the admins will fix already created accounts unless an account can be safely renamed, if at all. The only unique way imho is to use the guarantee that the sAMAccountName is unique in one domain, so I will extract the Kerberos realm from the KRB principal and will do a DNS lookup or bind against it, retrieve the defaultNamingContext and then I will perform my actual search with the new base DN. – Michael-O Jul 06 '11 at 07:39
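The steps kalyan lists (SRV lookup of `_ldap._tcp.<domain>`, then a RootDSE read of `defaultNamingContext`, then the real search with that base DN) combined with the realm extraction Michael-O describes, as an added Java/JNDI example that is not code from the question or either answer. It assumes, as is the AD default, that the Kerberos realm name equals the domain's DNS name; the base DN itself is read from the RootDSE rather than built from `DC=` components, which is what avoids the disjoint-namespace problem. The principal `jdoe@D1.COMPANY.COM` and any host names the SRV lookup returns are constructed/assumed, the RootDSE is read anonymously (AD serves it without a bind), and SRV weight handling is simplified to a sort. The `sAMAccountName` is escaped per RFC 4515 before it goes into the filter, since it is derived from login input.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;
import java.util.Locale;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Resolves the base DN of a user's home domain from a Kerberos principal (added example). */
public final class RealmBaseDnResolver {

    /** One _ldap._tcp SRV record as JNDI returns it: "priority weight port target." */
    static final class SrvRecord {
        final int priority, weight, port;
        final String target;
        SrvRecord(String rdata) {
            String[] f = rdata.trim().split("\\s+");
            priority = Integer.parseInt(f[0]);
            weight = Integer.parseInt(f[1]);
            port = Integer.parseInt(f[2]);
            target = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
        }
    }

    /** "jdoe@D1.COMPANY.COM" -> "d1.company.com" (assumes realm == DNS domain, the AD default). */
    static String realmToDnsDomain(String krbPrincipal) {
        int at = krbPrincipal.lastIndexOf('@');
        if (at < 0 || at == krbPrincipal.length() - 1)
            throw new IllegalArgumentException("principal has no realm: " + krbPrincipal);
        return krbPrincipal.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    /** Step 1: SRV lookup of _ldap._tcp.<domain>; lowest priority, then highest weight, first. */
    static List<SrvRecord> lookupLdapServers(String dnsDomain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:"); // the JVM's configured resolver
        DirContext dns = new InitialDirContext(env);
        try {
            Attributes attrs = dns.getAttributes("_ldap._tcp." + dnsDomain, new String[] {"SRV"});
            Attribute srv = attrs.get("SRV");
            if (srv == null) throw new NamingException("no _ldap._tcp SRV records for " + dnsDomain);
            List<SrvRecord> out = new ArrayList<>();
            NamingEnumeration<?> values = srv.getAll();
            while (values.hasMore()) out.add(new SrvRecord((String) values.next()));
            out.sort(Comparator.comparingInt((SrvRecord r) -> r.priority)
                               .thenComparingInt(r -> -r.weight));
            return out;
        } finally {
            dns.close();
        }
    }

    /** Step 2: read defaultNamingContext from the RootDSE of one domain controller. */
    static String readDefaultNamingContext(SrvRecord dc) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + dc.target + ":" + dc.port);
        env.put(Context.SECURITY_AUTHENTICATION, "none"); // AD serves the RootDSE anonymously
        DirContext ldap = new InitialDirContext(env);
        try {
            Attributes root = ldap.getAttributes("", new String[] {"defaultNamingContext"});
            Attribute dnc = root.get("defaultNamingContext");
            if (dnc == null) throw new NamingException("RootDSE has no defaultNamingContext");
            return (String) dnc.get();
        } finally {
            ldap.close();
        }
    }

    /** Principal -> realm -> DC via SRV -> defaultNamingContext; first answering DC wins. */
    static String baseDnForPrincipal(String krbPrincipal) throws NamingException {
        String domain = realmToDnsDomain(krbPrincipal);
        NamingException last = null;
        for (SrvRecord dc : lookupLdapServers(domain)) {
            try {
                return readDefaultNamingContext(dc);
            } catch (NamingException e) {
                last = e; // try the next DC in SRV order
            }
        }
        throw last != null ? last : new NamingException("no domain controller answered for " + domain);
    }

    /** RFC 4515 escaping so a crafted login name cannot change the filter's structure. */
    static String escapeFilterValue(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }

    /** Step 3: the filter for the GC search (port 3268) under the base DN from baseDnForPrincipal. */
    static String samFilterForPrincipal(String krbPrincipal) {
        String sam = krbPrincipal.substring(0, krbPrincipal.lastIndexOf('@'));
        return "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(sam) + "))";
    }
}
```

Usage: `String base = RealmBaseDnResolver.baseDnForPrincipal("jdoe@D1.COMPANY.COM");` yields the domain's naming context (for the assumed realm that would be `DC=d1,DC=company,DC=com`), and `samFilterForPrincipal(...)` gives the filter to run against `ldap://mycompany.com:3268/` with that base, which keeps the search inside the one domain where the sAMAccountName is guaranteed unique. Because the DNS answer only chooses which DC to ask and the RootDSE is public, a spoofed SRV record could at worst point the RootDSE read at a wrong host; the authenticated user search itself should still run over the GC connection the webapp already secures.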

Kaylan, the oVirt project (www.ovirt.org) contains Spring-Ldap code that shows you how to authenticate with Kerberos against Active-Directory, RHDS, ipa, and Tivoli-DS. We still need to continue and implement forest functionality (Just asked a question about CLdap implementation in Java for that). In order to get defaultNamingContext you will have to issue a RootDSE query (we have some code for that as well in oVirt) to the desired domain. You can download the sources by performing git clone, or you can browse them using http://gerrit.ovirt.org

Please look at the code under engine\backend\manager\modules\bll\src\main\java\org\ovirt\engine\core\bll\adbroker

You will see there all you need for this.

Yair Zaslavsky
  • I have checked the source tarball. There is too much code to read in this package. Can you narrow it down to any specific classes? – Michael-O Jun 18 '12 at 19:45