LDAP Authentication using Java

 
Greenhorn
Posts: 23
Hi guys,

I am trying to write a login interface for a web based application. The user will input their username and password which will be posted to my servlet. I have a connection to our Novell LDAP server using a generic tree root user. I need to pass the input password and username to the tree and have an authentication against the stored values. I have been looking at the Search in the java LDAP api but it needs an ou value for search. I need to be able to call a search which will traverse the entire tree and return an authentication against username and password. Anybody have any ideas where I should be heading?
 
Ranch Hand
Posts: 884
Not very sure about Novell, the last LDAP I used was from iPlanet. They usually come with a nice documentation with some simple example. I do have a book on Java programming with LDAP but not so sure if it could help in Novell LDAP though.
 
Connie Kamrowski
Greenhorn
Posts: 23
Thanks for the reply at least.

I am at a loss at the moment. I can find lots of advice on how to login, but that is only 1/2 my issue. I can log my root user in no problem; it is only when I need to do a compare on the username and password of the second user that I am stuck. The root user gives me a bind and complete access to the tree, I can then search on my user input username and return Attributes from the User Object, but it won't let me do a compare and I am now lost as to how to get some sort of authentication on these user inputs.
 
Chengwei Lee
Ranch Hand
Posts: 884
What do you mean by 2nd user? First things first, does your LDAP contain the entry for your 2nd user?
 
Connie Kamrowski
Greenhorn
Posts: 23
Our LDAP is set up as a tree structure: top level is 001, then oho, then it, etc. etc. In order to authenticate you need a context, so I was given a test user who has access rights at the top level or tree root, i.e. 001. The user who will be trying to access the application however will be entering a username and password to access. This user could be in any of the containers below the tree root, e.g. I am in 001_oho_IT_CS, the guy at the next desk is in 001_DAR_EMP. So I can do a bind initially to the tree root at 001 using my test user which gives me access to the whole tree, but then I need to authenticate users who will enter username and password but will not enter any context information about where they are in the tree. I hope that makes sense.
 
Ranch Hand
Posts: 62
You first need to find out the structure of your LDAP schema. You have to find out where in the hierarchy the user information is stored. Generally it is like this:

[base-dn],ou=dep1,user=xyz

So if this is the case then for getting the user authenticated the relative dn would be ou=dep1,user=xyz.

ou stands for organizational unit.
 
Connie Kamrowski
Greenhorn
Posts: 23
I guess I am not making myself clear. I need to basically do a contextless login. The system will be available to all users in our department, which is around 3500 staff. All of these will be entering via a web page and using their Novell username and password. These users are all in the Novell tree but in different contexts. They will not enter their context on login as most are just basic users and have no idea what that means. So all I will have is a Novell username and password which could be anywhere in the tree. I can bind to the tree with a test user which has tree root access, but this only gives me access to the tree. I need to then use the username and password I have been given to authenticate. Is that clearer? I don't have the context to do a bind on the input parameters. I know this is possible as we have custom applications which do it... I just don't know how they do it and so am not sure how to write it.

[ February 24, 2005: Message edited by: Connie Kamrowski ]
 
Chengwei Lee
Ranch Hand
Posts: 884
Hi Connie,

Let me see if I got you right this time, you're saying that the users will never know they're authenticating against a Novell LDAP, all that they know is their User Id & password. Am I right about this?

If I'm right, then regarding your contextless claim, it is not quite right. First of all, you're using an LDAP & these users are employees of the company, hence, they would have a department, you would belong to a company, therefore, any user would have ou='my dept' & o='my company', something like this.

While the end users may not know any of this, you must know them. That is the way you could look up a user in an LDAP: by having its distinguished name (DN). If you cannot formulate a DN, there's no way you could find the user(s).

You mentioned that there are custom applications on your side that are able to do 'contextless' search. I believe they do know the DNs. Alternatively, they could be hardcoding certain parts of the DN, like ou or o.

Hope I got it right this time.

Let me know if you need more help.

Cheers!
 
Ankur Srivastava
Ranch Hand
Posts: 62
Ya, I completely agree with Cheng that without the context we cannot perform the operation, but yes, one way which I think of is to first perform a search query which gives you the user with the user id, by using a query of the kind ou=*,user=xyz, and then depending on the result retrieve the ou information and form the DN.

I hope this helps you.
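The search-then-bind approach described above, written out as an added example with JNDI (this is not code from anyone in the thread). It assumes a hypothetical eDirectory tree rooted at o=001, a read-only service account cn=svc-web,o=001 used only for the search, and that the login name is stored in the user's cn attribute; the bind in step 2 uses the full DN returned by the search, which is what a plain cn alone cannot do.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
public class ContextlessLdapLogin {
    // Hypothetical server and tree-root values; replace with your own.
    static final String LDAP_URL = "ldaps://ldap.example.internal:636";
    static final String BASE_DN = "o=001";
    static final String SERVICE_DN = "cn=svc-web,o=001";
    static final String SERVICE_PW = "service-password-placeholder";
    /** Step 1: locate the user anywhere under BASE_DN; null unless exactly one match. */
    static String findUserDn(String username) throws NamingException {
        DirContext ctx = new InitialDirContext(env(SERVICE_DN, SERVICE_PW));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE); // walk the whole tree
            sc.setReturningAttributes(new String[0]);        // only the DN is needed
            // {0} is substituted and escaped by JNDI, so user input cannot alter the filter
            NamingEnumeration<SearchResult> hits = ctx.search(BASE_DN,
                    "(&(objectClass=inetOrgPerson)(cn={0}))", new Object[] { username }, sc);
            if (!hits.hasMore()) return null;
            String dn = hits.next().getNameInNamespace();
            return hits.hasMore() ? null : dn;               // ambiguous match: refuse to guess
        } finally {
            ctx.close();
        }
    }
    /** Step 2: bind as the located DN with the supplied password. */
    static boolean authenticate(String username, String password) {
        if (password == null || password.isEmpty()) return false; // empty = anonymous bind
        try {
            String dn = findUserDn(username);
            if (dn == null) return false;
            new InitialDirContext(env(dn, password)).close();    // bind succeeded
            return true;
        } catch (NamingException e) {                            // bad password or server error
            return false;
        }
    }
    static Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }
}
```

The empty-password check matters because a simple bind with a DN and no password is treated as an anonymous bind by most servers and succeeds, and the single-match rule stops a duplicate cn in two containers from being authenticated against the wrong entry.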
 
Connie Kamrowski
Greenhorn
Posts: 23
Yes, that's what I am saying.

The user will come to a login window and they enter a username and password which I will collect. These then need to be passed to LDAP for authentication. I do not know their DN as they will be coming in from any level of the organisation and in some cases via Aventail externally. The Login I am trying to write needs to browse the entire tree until it finds the user and then match the password and return with a verified or not. We previously used the Portable Authentication Module to do this but the server needed for PAM is no longer active. There are at least 4 custom applications which authenticate users knowing only username and password but I cannot get into the source and find out how. These apps do not hardcode any information about your context so I am assuming they do a search and then bind. This does not seem to work for me however, as when I do a search and try to get the cn for the user I get an incorrect format for cn error.

How can I get the ou from a search if, for example in my case, I have 4 entries for ou in my user object?
[ February 27, 2005: Message edited by: Connie Kamrowski ]
 
Chengwei Lee
Ranch Hand
Posts: 884
Hi Connie,

Sorry for the late reply. Have you resolved your problem? I had taken a look into my old code on LDAP (it's been around 2+ years since I last touched LDAP) and found some code that may be of use to you.

Can't find your PM nor email, so couldn't message you. If you still need help, drop me a PM or email or some means that I could get in touch with you.

Cheers!
 
Connie Kamrowski
Greenhorn
Posts: 23
Thank you, I would love to have a look at the code you have used. I have a hotmail account you can send to; it is jezza181@hotmail.com, that's the only address I usually post to forums. Thanks for your help.

Connie
 
Greenhorn
Posts: 1
Hi, even I am facing the same issue. Can you please share the code (mukta.vp@gmail.com) or give a brief idea about the solution?
 
Ranch Hand
Posts: 397
Hi All,

I used to connect to a previously configured group in LDAP and my application was working fine.

But a new group was created for a new application and I added the LDAP group, LDAP URL and strings.

But my code is not executing after this line, as below:

DirContext ctx = new InitialDirContext(env);

and it is returning false in the <% DEBUG %> statement in the JSP web page.

The user id and password from BASIC FORM authentication are getting validated from tomcat-users.xml, but after this I have used the code to validate my id against the LDAP server's group wherein my id has been set up.

What could be the reason for not going through the line call?
 
Prabhat Ranjan
Ranch Hand
Posts: 397
I have resolved the issue and now have a clear picture of the LDAP setup.
 