32

I am using WebLogic, EJB 3.0, Java 1.6.

I need to access Active Directory via Java code. I read about several ways (Kerberos, LDAP).

Could anyone advise me on a comfortable way of doing so? Where could I get some full code examples?

Thanks, ray.

Jacobi
rayman
  • What do you want to access AD for? Kerberos is normally limited to authentication (although AD's Kerberos tickets also contain some of their own extensions, which you might find difficult to read from Java). LDAP can do authentication too, but is also a directory with further information about the user. The main difference is that you can use Kerberos for SSO. – Bruno Dec 18 '11 at 17:54
  • Be more precise what you exactly want. – Michael-O Dec 20 '11 at 16:54
  • See also [Authenticating against Active Directory with Java on Linux](https://stackoverflow.com/questions/390150/authenticating-against-active-directory-with-java-on-linux) – Vadzim Jul 22 '19 at 11:37

3 Answers

47

Here is some simple code that authenticates and makes an LDAP search using JNDI on a W2K3:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

class TestAD
{
  static DirContext ldapContext;
  public static void main (String[] args) throws NamingException
  {
    try
    {
      System.out.println("Début du test Active Directory");

      Hashtable<String, String> ldapEnv = new Hashtable<String, String>(11);
      ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
      //ldapEnv.put(Context.PROVIDER_URL,  "ldap://societe.fr:389");
      ldapEnv.put(Context.PROVIDER_URL,  "ldap://dom.fr:389");
      // "simple" bind sends the password in clear text unless the connection uses ldaps:// or StartTLS
      ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
      //ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=administrateur,cn=users,dc=societe,dc=fr");
      ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=jean paul blanc,ou=MonOu,dc=dom,dc=fr");
      ldapEnv.put(Context.SECURITY_CREDENTIALS, "pwd");
      //ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
      //ldapEnv.put(Context.SECURITY_PROTOCOL, "simple");
      // Creating the context performs the LDAP bind, i.e. the authentication
      ldapContext = new InitialDirContext(ldapEnv);

      // Create the search controls
      SearchControls searchCtls = new SearchControls();

      // Specify the attributes to return
      String returnedAtts[] = {"sn", "givenName", "samAccountName"};
      searchCtls.setReturningAttributes(returnedAtts);

      // Specify the search scope
      searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

      // Specify the LDAP search filter
      String searchFilter = "(&(objectClass=user))";

      // Specify the base for the search
      String searchBase = "dc=dom,dc=fr";
      // Initialize counter to total the results
      int totalResults = 0;

      // Search for objects using the filter
      NamingEnumeration<SearchResult> answer = ldapContext.search(searchBase, searchFilter, searchCtls);

      // Loop through the search results
      while (answer.hasMoreElements())
      {
        SearchResult sr = answer.next();

        totalResults++;

        System.out.println(">>>" + sr.getName());
        Attributes attrs = sr.getAttributes();
        System.out.println(">>>>>>" + attrs.get("samAccountName"));
      }

      System.out.println("Total results: " + totalResults);
      ldapContext.close();
    }
    catch (Exception e)
    {
      System.out.println(" Search error: " + e);
      e.printStackTrace();
      System.exit(-1);
    }
  }
}
```
JPBlanc
  • For the SECURITY_PRINCIPAL value, I was able to get an email address to work in place of a DN like "cn=jean paul blanc,ou=MonOu,dc=dom,dc=fr". That was preferable for me because I knew my email address, but not my DN. – KC Baltz Jun 14 '18 at 16:25
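An added example (not from the answer above, the second answer's linked tutorials, or the OP): a JNDI login helper for the same AD bind-and-search pattern, but over LDAPS, refusing the empty-password unauthenticated bind that AD would otherwise accept, and escaping the account name before it goes into the search filter. The host name, base DN and UPN suffix are assumed placeholders.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
public class AdLogin {
    // Assumed placeholders: your domain controller, search base and UPN suffix
    static final String LDAPS_URL = "ldaps://dc01.example.com:636";
    static final String BASE_DN = "dc=example,dc=com";
    static final String UPN_SUFFIX = "@example.com";
    /** Escape user input per RFC 4515 so it cannot change the structure of the filter. */
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if ("\\*()\0".indexOf(c) >= 0) sb.append(String.format("\\%02x", (int) c));
            else sb.append(c);
        }
        return sb.toString();
    }
    /** Binds as the user over TLS; returns the user's attributes, or null if AD rejects the credentials. */
    static Attributes authenticate(String samAccountName, char[] password) throws NamingException {
        // AD treats an empty password as an anonymous bind, so it must never count as a successful login
        if (password == null || password.length == 0) return null;
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL); // simple bind sends the password in clear unless TLS is used
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, samAccountName + UPN_SUFFIX); // AD accepts user@domain as the bind name
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind itself is the authentication
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"sn", "givenName", "memberOf"});
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(samAccountName) + "))";
            NamingEnumeration<SearchResult> rs = ctx.search(BASE_DN, filter, sc);
            return rs.hasMore() ? rs.next().getAttributes() : null;
        } catch (AuthenticationException e) {
            return null; // wrong password or unknown user
        } finally {
            if (ctx != null) ctx.close();
        }
    }
}
```

The returned memberOf values are what an application would then use for its own authorization decisions, since the bind only proves identity.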
13

You can query Active Directory via JNDI and run LDAP operations:

http://docs.oracle.com/javase/tutorial/jndi/ldap/authentication.html
http://docs.oracle.com/javase/tutorial/jndi/ldap/operations.html
http://mhimu.wordpress.com/2009/03/18/active-directory-authentication-using-javajndi/

clyfe
  • So how should I decide whether to use LDAP or Kerberos? Could it be that the Active Directory I am trying to access doesn't support Kerberos? – rayman Dec 18 '11 at 13:42
  • I have little familiarity with Kerberos tbh. Are you just authenticating against AD, or do you do more, like read/write data? If the second, probably LDAP; if the first, not really sure. – clyfe Dec 18 '11 at 16:22
  • @rayman: Kerberos is about authentication and authorization. If you just want to access some information stored in a directory use LDAP. Your question is a bit broad, maybe you can outline your requirements. – home Dec 18 '11 at 16:51
  • @home, Kerberos is only about authentication, not authorization (although there are some non-standard extensions in AD's Kerberos tickets). When using Kerberos for authentication, LDAP is often used for obtaining further attributes. – Bruno Dec 18 '11 at 17:50
  • @bruno: thanks, I was not aware that it does not support authorization. Nevertheless, it's still unclear what the OP really needs. – home Dec 19 '11 at 06:29
  • The big concept behind Kerberos is that it's about issuing "tickets". Basically your client goes "Hey Kerberos, I have this dude, is he legit", and then Kerberos hands you a ticket for him. When you then go to access another resource, you hand over the ticket and the resource goes "Ok, this ticket seems valid, you can pass". LDAP is basically the database (for want of a better term) to back it all. Often it's just easier to use LDAP on its own, but Kerberos buys you network authentication. Best used in pairs! – Shayne Jul 29 '16 at 07:06
  • Adding here that on a pure Microsoft stack, such as using IIS on top of Windows Server, Kerberos will provide both Authentication and Authorization. When the application container is not Windows (such as a J2EE server, or Apache HTTPD), you are limited to using Kerberos only for Authentication and must resort to using LDAP for Authorization. Although in this scenario many opt to use LDAP for both Authentication and Authorization because it's easier to implement, though not necessarily more secure. – T-Heron Feb 04 '17 at 02:40
2

You can use DDC (Domain Directory Controller). It is a new, easy-to-use Java SDK. You don't even need to know LDAP to use it. It exposes an object-oriented API instead.

You can find it here.

Smartik.NET