This week's book giveaways are in the Java EE and JavaScript forums.
We're giving away four copies each of The Java EE 7 Tutorial Volume 1 or Volume 2(winners choice) and jQuery UI in Action and have the authors on-line!
See this thread and this one for details.
The moose likes EJB and other Java EE Technologies and the fly likes JNDI : Binding to an Active Directory Global Catalog with auser froma trusted Domain Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of The Java EE 7 Tutorial Volume 1 or Volume 2 this week in the Java EE forum
or jQuery UI in Action in the JavaScript forum!
JavaRanch » Java Forums » Java » EJB and other Java EE Technologies
Bookmark "JNDI : Binding to an Active Directory Global Catalog with auser froma trusted Domain" Watch "JNDI : Binding to an Active Directory Global Catalog with auser froma trusted Domain" New topic

JNDI : Binding to an Active Directory Global Catalog with auser froma trusted Domain

Eg Phillips

Joined: Nov 04, 2009
Posts: 1
I have two domains setup, qumulab and qumulabtrust and a two way trust relationship has been created between the two. I've verified that the Global Catalog contains users from both domains through the dsquery tool, but I'm not able to bind users from alternate domains to global catalog on a given AD instance and I'm not able to find users from the other domain via search -- is this a permission issue with Active Directory or is there something else you have to do in the JNDI code in order to make this work? (I'm not seeing contents from other domains through LDAP browsers like JXplorer or Softera either, BTW) Below is some code I've created for testing purposes -- I am able to bind when the user is a member of the local AD domain (i.e. the first two calls to 'authenticate') but I am unable to bind for the subsequent calls. Further, no search results are returned from the other member of the global catalog when I query with the DN set to "" and I get an error when I set the DN explicitly to the other domain ("DC=qumulabtrist,DC=corp") -- which pretty much is an authentication issue:

searching for users in DC=qumulabtrust,DC=corp with javax.naming.ldap.InitialLdapContext@13f3789
Error conducting search -- [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525,

This is the same error I get when trying to bind a user from another domain.

Here's the code:

public class LdapClient {

private boolean _poolConnections = true;

private String _referrals = LDAPUtil.REFERRALS_FOLLOW;

public static void main(String[] argv) throws Exception{

//System.setProperty("com.sun.jndi.ldap.connect.pool.debug", "all");

String ldap_qumulab = "ldap://"; //N.B. -- using Global Catalog port
String ldap_qumulabtrust = "ldap://";
String user_dewey = "QUMULAB\\dewey";
String user_ella = "QUMULABTRUST\\ella";
String password_dewey = "password";
String password_ella = "password";
String user_qumuadmin = "CN=qumuadmin,CN=Users,DC=qumulab,DC=corp";
String password_qumuadmin = "password";

LdapClient client = new LdapClient();

//this succeeds
System.out.println("Authenticating " + user_dewey + " against " + ldap_qumulab);
client.authenticate(ldap_qumulab, user_dewey, password_dewey);

//this succeeds
System.out.println("Authenticating " + user_ella + " against " + ldap_qumulabtrust);
client.authenticate(ldap_qumulabtrust, user_ella, password_ella);

//this fails
System.out.println("Authenticating " + user_dewey + " against " + ldap_qumulabtrust);
client.authenticate(ldap_qumulabtrust, user_dewey, password_dewey);

//this fails
System.out.println("Authenticating " + user_ella + " against " + ldap_qumulab);
client.authenticate(ldap_qumulab, user_ella, password_ella);

//this succeeds
System.out.println("Authenticating " + user_qumuadmin + " against " + ldap_qumulab);
InitialLdapContext initCtx = client.authenticate(ldap_qumulab, user_qumuadmin, password_qumuadmin);

System.out.println("Authenticating " + user_qumuadmin + " against " + ldap_qumulabtrust);
client.authenticate(ldap_qumulabtrust, user_qumuadmin, password_qumuadmin);

System.out.println("Searching qumulab...");
//does not return any users from qumulabtrust, "");, "DC=qumulab,DC=corp");

//fails because of the authentication exception shown above -- seems to be cause I am being given a referral, "DC=qumulabtrust,DC=corp");

System.out.println("\n\nSearching qumulabtrust...");

//this fails, as to the searches (because there is no initial context)
initCtx = client.authenticate(ldap_qumulabtrust, user_qumuadmin, password_qumuadmin);, "");, "DC=qumulab,DC=corp");, "DC=qumulabtrust,DC=corp");

public InitialLdapContext authenticate(String url, String name, String credentials) throws Exception {

InitialLdapContext ctx = null;
ctx = getContext(url, name, credentials);
System.out.println("Authentication succeeded.");
catch(Exception e){
String message = e.getMessage();
message = message.replaceAll("vece.*", "");
System.out.println("Authentication FAILED - " + message);
return ctx;

private InitialLdapContext getContext(String url, Object principal, Object credentials)
throws Exception
Hashtable<Object, Object> env = new Hashtable<Object, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, url);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, credentials);
try {
return new InitialLdapContext(env, null);
} catch (Throwable t) {
throw new Exception(t);

public void search(InitialLdapContext initCtx, String searchBase) throws NamingException{
System.out.println("searching for users in " + searchBase + " with " + initCtx.toString());
//Create the search controls
SearchControls searchCtls = new SearchControls();

//Specify the attributes to return
String returnedAtts[]={"distinguishedName","givenName"};

//Specify the search scope

//specify the LDAP search filter
String searchFilter = "(&(objectClass=user))";

//Specify the Base for the search
//an empty dn for all objects from all domains in the forest

//initialize counter to total the results
int totalResults = 0;

//Search for objects in the GC using the filter
NamingEnumeration answer =, searchFilter, searchCtls);

//Loop through the search results
while (answer.hasMoreElements()) {
SearchResult sr = (SearchResult);


System.out.println(">>>" + sr.getName());

// Print out some of the attributes, catch the exception if the attributes have no values
Attributes attrs = sr.getAttributes();
if (attrs != null && attrs.get("givenName") != null && attrs.get("distinguishedName") != null) {
try {
System.out.println(" name: " + attrs.get("givenName").get() + "\n dn=" + attrs.get("distinguishedName").get()); }
catch (NullPointerException e) {
System.err.println("Problem listing attributes from Global Catalog: " + e + "[.]\n");

System.out.println("search finished.\n");
catch(Exception e){
String message = e.getMessage();
if (message != null){
message = message.replaceAll("vece.*", "");
System.out.println("Error conducting search -- " + message + "[!]\n");

I agree. Here's the link:
subject: JNDI : Binding to an Active Directory Global Catalog with auser froma trusted Domain