• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

JNDI : Binding to an Active Directory Global Catalog with auser froma trusted Domain

 
Greenhorn
Posts: 1
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have two domains setup, qumulab and qumulabtrust and a two way trust relationship has been created between the two. I've verified that the Global Catalog contains users from both domains through the dsquery tool, but I'm not able to bind users from alternate domains to global catalog on a given AD instance and I'm not able to find users from the other domain via search -- is this a permission issue with Active Directory or is there something else you have to do in the JNDI code in order to make this work? (I'm not seeing contents from other domains through LDAP browsers like JXplorer or Softera either, BTW) Below is some code I've created for testing purposes -- I am able to bind when the user is a member of the local AD domain (i.e. the first two calls to 'authenticate') but I am unable to bind for the subsequent calls. Further, no search results are returned from the other member of the global catalog when I query with the DN set to "" and I get an error when I set the DN explicitly to the other domain ("DC=qumulabtrist,DC=corp") -- which pretty much is an authentication issue:

searching for users in DC=qumulabtrust,DC=corp with javax.naming.ldap.InitialLdapContext@13f3789
Error conducting search -- [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525,

This is the same error I get when trying to bind a user from another domain.


Here's the code:

public class LdapClient {

private boolean _poolConnections = true;

private String _referrals = LDAPUtil.REFERRALS_FOLLOW;

public static void main(String[] argv) throws Exception{

//System.setProperty("com.sun.jndi.ldap.connect.pool.debug", "all");

String ldap_qumulab = "ldap://10.1.202.23:3268"; //N.B. -- using Global Catalog port
String ldap_qumulabtrust = "ldap://10.1.202.79:3268";
String user_dewey = "QUMULAB\\dewey";
String user_ella = "QUMULABTRUST\\ella";
String password_dewey = "password";
String password_ella = "password";
String user_qumuadmin = "CN=qumuadmin,CN=Users,DC=qumulab,DC=corp";
String password_qumuadmin = "password";

LdapClient client = new LdapClient();

//this succeeds
System.out.println("Authenticating " + user_dewey + " against " + ldap_qumulab);
client.authenticate(ldap_qumulab, user_dewey, password_dewey);

//this succeeds
System.out.println("Authenticating " + user_ella + " against " + ldap_qumulabtrust);
client.authenticate(ldap_qumulabtrust, user_ella, password_ella);

//this fails
System.out.println("Authenticating " + user_dewey + " against " + ldap_qumulabtrust);
client.authenticate(ldap_qumulabtrust, user_dewey, password_dewey);

//this fails
System.out.println("Authenticating " + user_ella + " against " + ldap_qumulab);
client.authenticate(ldap_qumulab, user_ella, password_ella);

//this succeeds
System.out.println("Authenticating " + user_qumuadmin + " against " + ldap_qumulab);
InitialLdapContext initCtx = client.authenticate(ldap_qumulab, user_qumuadmin, password_qumuadmin);

System.out.println("Authenticating " + user_qumuadmin + " against " + ldap_qumulabtrust);
client.authenticate(ldap_qumulabtrust, user_qumuadmin, password_qumuadmin);

System.out.println("Searching qumulab...");
//does not return any users from qumulabtrust
client.search(initCtx, "");

client.search(initCtx, "DC=qumulab,DC=corp");

//fails because of the authentication exception shown above -- seems to be cause I am being given a referral
client.search(initCtx, "DC=qumulabtrust,DC=corp");

System.out.println("\n\nSearching qumulabtrust...");

//this fails, as to the searches (because there is no initial context)
initCtx = client.authenticate(ldap_qumulabtrust, user_qumuadmin, password_qumuadmin);

client.search(initCtx, "");

client.search(initCtx, "DC=qumulab,DC=corp");

client.search(initCtx, "DC=qumulabtrust,DC=corp");
}

public InitialLdapContext authenticate(String url, String name, String credentials) throws Exception {

InitialLdapContext ctx = null;
try{
ctx = getContext(url, name, credentials);
System.out.println("Authentication succeeded.");
}
catch(Exception e){
String message = e.getMessage();
message = message.replaceAll("vece.*", "");
System.out.println("Authentication FAILED - " + message);
}
return ctx;
}

private InitialLdapContext getContext(String url, Object principal, Object credentials)
throws Exception
{
Hashtable<Object, Object> env = new Hashtable<Object, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, url);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, credentials);
env.put(Context.REFERRAL,"follow");
try {
return new InitialLdapContext(env, null);
} catch (Throwable t) {
throw new Exception(t);
}
}

public void search(InitialLdapContext initCtx, String searchBase) throws NamingException{
try{
System.out.println("searching for users in " + searchBase + " with " + initCtx.toString());
//Create the search controls
SearchControls searchCtls = new SearchControls();

//Specify the attributes to return
String returnedAtts[]={"distinguishedName","givenName"};
searchCtls.setReturningAttributes(returnedAtts);

//Specify the search scope
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

//specify the LDAP search filter
String searchFilter = "(&(objectClass=user))";

//Specify the Base for the search
//an empty dn for all objects from all domains in the forest

//initialize counter to total the results
int totalResults = 0;

//Search for objects in the GC using the filter
NamingEnumeration answer = initCtx.search(searchBase, searchFilter, searchCtls);

//Loop through the search results
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult)answer.next();

totalResults++;

System.out.println(">>>" + sr.getName());

// Print out some of the attributes, catch the exception if the attributes have no values
Attributes attrs = sr.getAttributes();
if (attrs != null && attrs.get("givenName") != null && attrs.get("distinguishedName") != null) {
try {
System.out.println(" name: " + attrs.get("givenName").get() + "\n dn=" + attrs.get("distinguishedName").get()); }
catch (NullPointerException e) {
System.err.println("Problem listing attributes from Global Catalog: " + e + "[.]\n");
}
}
}

System.out.println("search finished.\n");
}
catch(Exception e){
String message = e.getMessage();
if (message != null){
message = message.replaceAll("vece.*", "");
}
System.out.println("Error conducting search -- " + message + "[!]\n");
}
}


}
 
reply
    Bookmark Topic Watch Topic
  • New Topic