
I have written the following code but am not able to get or validate user credentials.

import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapSearch {

    public static void main(String a[]) {

        // set the LDAP authentication method
        String auth_method  = "simple";
        // set the LDAP client Version
        String ldap_version = "3";
        // This is our LDAP Server's IP
        String ldap_host    = "19.16.1.1";
        // This is our LDAP Server's Port
        String ldap_port    = "389";
        // This is our access ID
        String ldap_dn      = "test1";
        // This is our access PW
        String ldap_pw      = "New@123";
        // This is our base DN
        String base_dn      = "DC=example,DC=com";

        DirContext ctx      = null;
        Hashtable<String, String> env = new Hashtable<>();

        // Here we store the returned LDAP object data
        String dn           = "";
        // This will hold the returned attribute list
        Attributes attrs;

        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + ldap_host + ":" + ldap_port);
        env.put(Context.SECURITY_AUTHENTICATION, auth_method);
        env.put(Context.SECURITY_PRINCIPAL, ldap_dn);
        env.put(Context.SECURITY_CREDENTIALS, ldap_pw);
        env.put("java.naming.ldap.version", ldap_version);

        try {
            System.out.println("Connecting to host " + ldap_host + " at port " + ldap_port + "...");
            System.out.println();

            ctx = new InitialDirContext(env);
            System.out.println("LDAP authentication successful!");

            // Specify the attribute list to be returned
            String MY_ATTRS[] = {"cn", "uid", "sn", "unicodepwd"};
            SearchControls ctls = new SearchControls();
            ctls.setReturningAttributes(MY_ATTRS);
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            // Specify the search filter to match
            String filter = "(&(objectClass=user)(sAMAccountName=satya))";

            // Search the subtree for objects using the given filter
            NamingEnumeration<SearchResult> answer = ctx.search(base_dn, filter, ctls);

            System.out.println(answer.getClass().getName());

            while (answer.hasMoreElements()) {
                SearchResult sr = answer.next();
                dn = sr.getName();
                attrs = sr.getAttributes();

                System.out.println("Found Object: " + dn + "," + base_dn);
                if (attrs != null) {
                    // we have some attributes for this object
                    NamingEnumeration<? extends Attribute> ae = attrs.getAll();
                    while (ae.hasMoreElements()) {
                        Attribute attr = ae.next();
                        String attrId = attr.getID();

                        // Debug: check whether the server returned unicodePwd for this entry
                        Attribute passwd = attrs.get("unicodepwd");
                        System.out.println("----" + passwd);
                        System.out.println("Found Attribute: " + attrId);
                        NamingEnumeration<?> vals = attr.getAll();

                        while (vals.hasMoreElements()) {
                            Object attr_val = vals.next();
                            System.out.println(attrId + ": " + attr_val);
                        }
                    }
                }
            }

            // Close the context when we're done
            ctx.close();
        } catch (AuthenticationException authEx) {
            authEx.printStackTrace();
            System.out.println("LDAP authentication failed!");
        } catch (NamingException namEx) {
            System.out.println("LDAP connection failed!");
            namEx.printStackTrace();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

I am trying the above code but am not able to get userPassword or unicodePwd.

Output:
Connecting to host 192.168.1.15 at port 389...

LDAP authentication successful!
com.sun.jndi.ldap.LdapSearchEnumeration
Found Object: CN=satya priya,OU=Test,DC=example,DC=com
----null
Found Attribute: sn
sn: priya
----null
Found Attribute: cn
cn: satya priya
Andrzej Sydor
Ashok SR

1 Answer


Works as expected.

3.1.1.3.1.5.1 unicodePwd

The unicodePwd attribute is never returned by an LDAP search.

Which makes sense; you shouldn't be able to dump all users' passwords.

To validate the password for a particular user, you need to perform a BIND using the user-provided password and the DN returned from the search.

Here is a detailed answer on how to validate credentials.

rkosegi
  • It is working in a Windows environment, but we are trying to connect from a Linux environment to Microsoft AD using JNDI. – Ashok SR Feb 28 '21 at 05:21
  • @AshokSR The environment you are connecting from is irrelevant. The principle remains the same. You don't retrieve the attributes and check them yourself. You try to bind as that user with those credentials. – user207421 Mar 18 '21 at 00:20
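The search-then-bind flow the answer and comments describe, as an added example that is not code from the question or the answer: a service account searches for the user's DN by sAMAccountName, then a second simple bind is attempted as that DN with the password the user typed, and the outcome of that bind is the verdict. The hostname, base DN, service-account DN and the LDAP_SERVICE_PW environment variable are constructed placeholders. It goes slightly beyond the answer in two places a practitioner would want: the sAMAccountName is escaped before it is placed in the filter (RFC 4515 rules), and an empty password is refused up front, because LDAP treats a DN with an empty password as an unauthenticated bind, which AD accepts by default and which JNDI would report as success.

```java
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Search-then-bind credential check against Active Directory using JNDI. */
public final class AdCredentialCheck {

    // Constructed placeholder settings; replace with your own deployment's values.
    private static final String LDAP_URL   = "ldaps://ad.example.com:636"; // LDAPS keeps the bind password off the wire
    private static final String BASE_DN    = "DC=example,DC=com";
    private static final String SERVICE_DN = "CN=svc-ldap,OU=Service Accounts,DC=example,DC=com";
    private static final String SERVICE_PW = System.getenv("LDAP_SERVICE_PW"); // read-only lookup account, never hard-coded

    /** Simple bind as the given principal. Throws AuthenticationException when AD rejects the credentials. */
    static DirContext bind(String principal, String password) throws NamingException {
        if (password == null || password.isEmpty()) {
            // A DN with an empty password is an unauthenticated (anonymous) bind, which AD
            // accepts by default; JNDI would then return a context and look like success.
            throw new AuthenticationException("empty password rejected");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.version", "3");
        return new InitialDirContext(env);
    }

    /** Escape a value that is placed inside an LDAP search filter (RFC 4515 section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Resolve the user's DN with the service account; null when there is no single match. */
    static String findUserDn(DirContext ctx, String samAccountName) throws NamingException {
        String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(samAccountName) + "))";
        SearchControls ctls = new SearchControls();
        ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        ctls.setReturningAttributes(new String[] {"distinguishedName"}); // the DN is all we need
        NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, ctls);
        String dn = null;
        while (results.hasMore()) {
            SearchResult sr = results.next();
            if (dn != null) {
                return null; // ambiguous: more than one entry matched, refuse rather than guess
            }
            dn = sr.getNameInNamespace(); // full DN, not the name relative to BASE_DN
        }
        return dn;
    }

    /** True only if AD accepts a simple bind as the user's DN with the supplied password. */
    static boolean checkCredentials(String samAccountName, String password) throws NamingException {
        DirContext serviceCtx = bind(SERVICE_DN, SERVICE_PW);
        String userDn;
        try {
            userDn = findUserDn(serviceCtx, samAccountName);
        } finally {
            serviceCtx.close();
        }
        if (userDn == null) {
            return false; // unknown or ambiguous user
        }
        try {
            bind(userDn, password).close(); // the bind itself is the password check
            return true;
        } catch (AuthenticationException rejected) {
            return false; // wrong password, or a disabled/locked/expired account
        }
    }

    public static void main(String[] args) throws NamingException {
        // Username from argv; password read from the console so it never appears in process listings.
        String password = new String(System.console().readPassword("Password for %s: ", args[0]));
        System.out.println(checkCredentials(args[0], password) ? "credentials valid" : "credentials rejected");
    }
}
```

Every outcome except a successful second bind collapses to false, so the caller cannot distinguish "no such user" from "wrong password"; that is deliberate for a login path, and the distinction belongs in server-side logs rather than in the response to the user.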