In this article I will briefly describe the steps needed for creating a user login for an application with users registered in an Active Directory. Login will be done via LDAP protocol, and the credentials will be matched against the Active Directory registered user’s credentials.
Active Directory (AD) provides a variety of network services including LDAP-like directory services. Everything that an AD holds is an object. An object can be a user, system, resource, or service. The generic term object is used because AD is capable of tracking a variety of items, and these items have attributes.
There are some common LDAP attributes on which programming languages rely to create or modify objects in AD. The most important of them is the DN (distinguished name): as the word distinguished suggests, this is THE LDAP attribute that uniquely identifies an object. A list of other LDAP attributes can be found here. We will make use of some of these attributes when using the Java API in the ‘javax.naming’ package to connect via LDAP.
First, here is what the properties of a registered AD user look like:
Here you can manually set properties such as name, email, telephone number, the groups the user belongs to, etc.
For using the LDAP service in Java, we need to create a context. This context needs a parameter hashtable like the following:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
...
Hashtable<String, String> ldapMap = new Hashtable<>();
ldapMap.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapMap.put(Context.SECURITY_AUTHENTICATION, "simple");
ldapMap.put(Context.PROVIDER_URL, "ldap://" + ldapURL + ":" + ldapPort);
ldapMap.put(Context.SECURITY_PRINCIPAL, distinguishedName); // the user's full DN
ldapMap.put(Context.SECURITY_CREDENTIALS, password);
// The bind against AD happens when the context is created
Context context = new InitialLdapContext(ldapMap, null);
Basically it holds information about the context factory to be used, the security authentication method used, the LDAP URL (starting with ‘ldap://’) to connect to, and the user and password. You can see a more detailed description of these Context attributes here.
Now, to get the DN (distinguished name) attribute for a user, remember that it’s not just the username you entered for this user at creation time. The DN has several components: CN = common name, OU = organizational unit, DC = domain component. DC usually comes as two entries, DC=domain, DC=COM. Note that DC=domain.COM would be wrong.
Ok, now to get it right, you can open a command prompt on your AD machine and export a .txt file with information about the AD objects (a list of their properties, from which you can read the exact DN value you should write inside your code).
This is the command:
ldifde -f c:\export.txt
You will get something like
dn: CN=Test Tester,CN=Users,DC=domain name,DC=extension
This whole string needs to be set in the configuration map under the Context.SECURITY_PRINCIPAL key.
Note!
You can never see, or obtain, the password of an AD user. The only thing you can do as an administrator is reset the password; you can never find out the current one unless the user tells you. But you don’t need to. As a programmer you only validate against it: when the user enters his credentials in the login form and they are wrong, the code will throw a javax.naming.AuthenticationException while initializing the javax.naming.Context.
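The context setup above and the failed-login behaviour from the note, put together as a complete login check. This is an added example, not code from the original post; the host name, port and DN are assumptions, and it binds over ldaps:// instead of ldap:// because a "simple" bind otherwise sends the password in clear text.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdLogin {
    // Assumed value: replace with your own AD host. ldaps:// encrypts the simple bind.
    static final String LDAP_URL = "ldaps://ad.example.internal:636";

    /**
     * Binds to AD with the given DN and password. Returns true only when the
     * directory accepted the credentials and false when it rejected them.
     * Any other directory or network error is propagated to the caller.
     */
    public static boolean authenticate(String distinguishedName, String password)
            throws NamingException {
        // JNDI treats an empty password as authentication "none" (an anonymous bind),
        // which AD accepts, so the login would "succeed" without checking anything.
        if (distinguishedName == null || distinguishedName.isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_PRINCIPAL, distinguishedName);
        env.put(Context.SECURITY_CREDENTIALS, password);
        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);  // the bind happens here
            return true;
        } catch (AuthenticationException e) {
            // Wrong DN or password: AD refused the bind (LDAP error code 49).
            return false;
        } finally {
            if (ctx != null) {
                ctx.close();
            }
        }
    }

    public static void main(String[] args) throws NamingException {
        String dn = "CN=Test Tester,CN=Users,DC=domain,DC=com";  // assumed, from the ldifde export
        System.out.println(authenticate(dn, args.length > 0 ? args[0] : ""));
    }
}
```

Run it with the user's password as the first argument; with no argument it returns false without contacting the directory.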
Now that you successfully logged to AD, you can search for AD objects, and work with them as you please. Enjoy!