32

I am using WebLogic, EJB 3.0, Java 1.6.

I need to access Active Directory via Java code. I read about several ways (Kerberos, LDAP).

Could anyone advise me on a comfortable way of doing so? Where could I find some full code examples?

thanks, ray.

3
  • What do you want to access AD for? Kerberos is normally limited to authentication (although AD's Kerberos tickets also contain some of their own extensions, which you might find difficult to read from Java). LDAP can do authentication too, but is also a directory with further information about the user. The main difference is that you can use Kerberos for SSO. Commented Dec 18, 2011 at 17:54
  • Be more precise what you exactly want. Commented Dec 20, 2011 at 16:54
  • 1
    See also Authenticating against Active Directory with Java on Linux Commented Jul 22, 2019 at 11:37

3 Answers

47

Here is some simple code that authenticates and makes an LDAP search using JNDI on a W2K3:

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

class TestAD {
    static DirContext ldapContext;

    public static void main(String[] args) throws NamingException {
        try {
            System.out.println("Début du test Active Directory");

            Hashtable<String, String> ldapEnv = new Hashtable<String, String>(11);
            ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            //ldapEnv.put(Context.PROVIDER_URL, "ldap://societe.fr:389");
            ldapEnv.put(Context.PROVIDER_URL, "ldap://dom.fr:389");
            ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
            //ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=administrateur,cn=users,dc=societe,dc=fr");
            ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=jean paul blanc,ou=MonOu,dc=dom,dc=fr");
            ldapEnv.put(Context.SECURITY_CREDENTIALS, "pwd");
            //ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
            //ldapEnv.put(Context.SECURITY_PROTOCOL, "simple");
            ldapContext = new InitialDirContext(ldapEnv);

            // Create the search controls
            SearchControls searchCtls = new SearchControls();

            // Specify the attributes to return
            String returnedAtts[] = {"sn", "givenName", "samAccountName"};
            searchCtls.setReturningAttributes(returnedAtts);

            // Specify the search scope
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            // Specify the LDAP search filter
            String searchFilter = "(&(objectClass=user))";

            // Specify the base for the search
            String searchBase = "dc=dom,dc=fr";

            // Initialize counter to total the results
            int totalResults = 0;

            // Search for objects using the filter
            NamingEnumeration<SearchResult> answer = ldapContext.search(searchBase, searchFilter, searchCtls);

            // Loop through the search results
            while (answer.hasMoreElements()) {
                SearchResult sr = (SearchResult) answer.next();

                totalResults++;

                System.out.println(">>>" + sr.getName());
                Attributes attrs = sr.getAttributes();
                System.out.println(">>>>>>" + attrs.get("samAccountName"));
            }

            System.out.println("Total results: " + totalResults);
            ldapContext.close();
        } catch (Exception e) {
            System.out.println(" Search error: " + e);
            e.printStackTrace();
            System.exit(-1);
        }
    }
}
```

1 Comment

For the SECURITY_PRINCIPAL value, I was able to get email address to work in place of a DN like "cn=jean paul blanc,ou=MonOu,dc=dom,dc=fr". That was preferable for me because I knew my email address, but not my DN.
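
An added example, not part of the answer above: the same JNDI bind and search, adapted to look up one account from user-supplied input, escaping the filter value per RFC 4515 and refusing an empty password. The class and method names are hypothetical, and an `ldaps://` URL is assumed.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class SafeAdLookup {
    // Escape the characters RFC 4515 reserves in a filter value, so that
    // user input cannot change the structure of the search filter.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Bind as the given principal, then return the DN of one account (or null).
    static String findDn(String url, String principal, String password,
                         String base, String account) throws NamingException {
        // An empty password makes a simple bind unauthenticated; a server may accept it.
        if (password == null || password.isEmpty())
            throw new IllegalArgumentException("empty password rejected");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // assumed ldaps://, so the password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(account) + "))";
            NamingEnumeration<SearchResult> r = ctx.search(base, filter, sc);
            return r.hasMore() ? r.next().getNameInNamespace() : null;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        System.out.println(escapeFilterValue("*)(objectClass=*")); // constructed hostile input
        if (args.length == 5) System.out.println(findDn(args[0], args[1], args[2], args[3], args[4]));
    }
}
```
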
13

You can query Active Directory via JNDI and run LDAP operations.

http://docs.oracle.com/javase/tutorial/jndi/ldap/authentication.html
http://docs.oracle.com/javase/tutorial/jndi/ldap/operations.html
http://mhimu.wordpress.com/2009/03/18/active-directory-authentication-using-javajndi/

7 Comments

So how should I decide whether to use LDAP or Kerberos? Could it be that the Active Directory I am trying to access doesn't support Kerberos?
I have little familiarity with Kerberos tbh. Are you just authenticating against AD or you do more, like read/write data? If second probably LDAP, if first, not really sure.
@rayman: Kerberos is about authentication and authorization. If you just want to access some information stored in a directory use LDAP. Your question is a bit broad, maybe you can outline your requirements.
@home, Kerberos is only about authentication, not authorization (although there are some non-standard extensions in AD's Kerberos tickets). When using Kerberos for authentication, LDAP is often used for obtaining further attributes.
@bruno: thanks, I was not aware that it does not support authorization. Nevertheless, it's still unclear what the OP really needs.
2

You can use DDC (Domain Directory Controller). It is a new, easy to use, Java SDK. You don't even need to know LDAP to use it. It exposes an object-oriented API instead.

You can find it here.
