I have a very simple LDAP auth :
DirContext ctx = null;
try
{
logger.debug("Trying to log with LDAP");
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, ninjaProperties.get("ldapFactory"));
env.put(javax.naming.Context.PROVIDER_URL, ninjaProperties.get("ldapProvider"));
env.put(javax.naming.Context.SECURITY_AUTHENTICATION, ninjaProperties.get("ldapAuthentication"));
env.put(javax.naming.Context.SECURITY_PRINCIPAL, ninjaProperties.get("ldapDomain") + context.getParameter("login"));
env.put(javax.naming.Context.SECURITY_CREDENTIALS, context.getParameter("password"));
ctx = new InitialDirContext(env);
if(ctx != null){
logger.info( "User [" + context.getParameter("login") + "] logged in successfully." );
ctx.close();
return Results.redirect("/TermeController/consult");
}
}
catch (Exception e)
{
logger.error("LDAP Login failed : " + e.toString());
}
For now, users logg in with a form. I would like to set up an SSO auth, but i can't find a way to set it up easily.
Do i need to use something like CAS or so? Or is there a simple way?
Thx :)
SSO is quite a broad topic, I am not sure what exactly you are trying to achieve here. However if you want SSO for windows users i.e. allowing Windows users that are already authenticated against a domain controller to access your app with the same credentials you could look into WAFFLE which does exactly that.
Related
I'm adding LDAP authentication to the spring-boot application. All set accordingly and I'm getting "LDAP error code 49 AcceptSecurityContext error data 52e v2580" error even after providing correct credentials.
I'm using import javax.naming.Context; and have mentioned the code below.
String url = ldap_url;
String domain = ldap_domain;
String uname = request.getUsername();
String pwd = request.getPassword();
boolean authentication = false;
boolean error = true;
String msg;
String ldapSearchBase = "OU=TEST_OU, DC=DC2, DC=DC1";
// create env for initial context
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, url);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "CN=" + uname + "#" + domain + "," + ldapSearchBase);
env.put(Context.SECURITY_CREDENTIALS, pwd);
NamingEnumeration results = null;
try {
LdapContext ctx = new InitialLdapContext(env, null);
authentication = true;
error = false;
} catch (NamingException e) {
logger.error("LDAP error for :{NamingException}" + e);
return ResponseEntity.ok(new ApiResponse(true, e.getMessage()));
} finally {
if (!error) {
msg = "Login success!!!";
} else {
msg = "Authentication failed!";
}
}
logger.info("exitinig...");
if (authentication) {
return ResponseEntity.ok(new ApiResponse(false, msg));
} else {
return ResponseEntity.ok(new ApiResponse(true, msg));
}
Error is catching as NamingException.
An error response with LDAP error code 49 ... data 52e "Returns when username is valid but password/credential is invalid."
There could be infrastructure issues such as when the domain controller computer account may not be synchronized with the Key Distribution Center (KDC). However you would probably have a lot more other issues when this condition exists.
This can occur when your account requires a SmartCard to sign in.
There is a setting in Active Directory called "Smart card is required for interactive logon".
You might get this error in Active directory (Windows popular implementation of LDAP) if you specify the username but not the windows domain.
This is what you should do:
USERNAME: <YOUR_WINDOWS_DOMAIN>\<YOUR_USERNAME>
PASSWORD: <YOUR_PASSWORD>
I have to authenticate users into my system using LDAP, my problem is that i have many organizations and i dont have a list user-organization.
I have this code working forcing a knowing organization:
ldap.validate("uid=" + this.email + ",ou="+ThisIsTheOrImForcing+",ou=users,dc=myDC,dc=com,dc=br", this.password);
My validation method:
public boolean validate(String principal, String password){
// Set up the environment for creating the initial context
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
//env.put(Context.PROVIDER_URL, "ldap://IP:PORT/DC=opus");
//env.put(Context.PROVIDER_URL, "ldap://IP:PORT/dc=mydc,dc=com,dc=br");
env.put(Context.PROVIDER_URL, "ldap://IP:PORT/dc=mydc,dc=com,dc=br");
//Authenticate as S. User and password
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL,principal );
env.put(Context.SECURITY_CREDENTIALS, password);
try{
// Create the initial context
DirContext ctx = new InitialDirContext(env);
return true;
} catch( AuthenticationException ae ) {
return false;
} catch( NamingException ne ) {
return false;
}
}
I have the var ThisIsTheOrImForcing, how can i authenticate the user without knowing his organization, i have to search for it first, how?
Simple bind in LDAP requires you to provide the DN of the user, hence why you need to know the organization.
You have two ways to deal with it :
Make a search on your directory for the user which has the attribute uid = this.email , retrieve his DN, and authenticate with the found DN to validate the user
Use other way to authenticate, such as SASL mechanism : See this for more information. You will also have to look for your Directory configuration which mechanism is supported
Usually, uid is a unique identifier. A search operation is used to map the given uid to its distinguished name, so you don't have to worry about the exact place of an account in the directory.
I currently face the problem that an LDAP-Query is passed to an LDAP-Server and the LDAP-Server does not deliver results.
The query: (&(objectCategory=user)(mail=tester#oop-expert.de))
The given E-Mail is meant to not be found. So an empty result is expected.
In most environment configurations this query will pass perfectly and the LDAP returns an empty result immediately.
I broke down the problem to something that may relate to the network or host from where the query is sent. So the query will be fine if sent from one host/network and from another host/network the LDAP-Server will "starve" my LDAP-Client so the LDAP-Client closes the connection for a client-side timeout.
On the other hand: searching for an email that exists will always lead to an immediate result. Doesn't matter from which host/network.
The LDAP-Server is an Active Directory. There a several domain controllers providing an LDAP-Service, configured "round robin". Access per ip or dns does not make any difference on this subject.
The communication is secured via ssl. (ldaps)
In all situations the connection was established. So authentication and passing the query to the LDAP went fine.
Authorization should not be an issue either. I used the same LDAP user for all situations.
The LDAP client is always a JAVA implementation using InitialContext.
private InitialDirContext createDirContext(String principal, String credentials) throws NamingException {
if (credentials == null || credentials.isEmpty()) {
throw new LDAPLoginException();
}
return new InitialDirContext(createEnvironment(principal, credentials));
}
private Hashtable<String, String> createEnvironment(String principal, String credentials) {
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, this.ldapUrl);
// To get rid of the PartialResultException when using Active Directory
env.put(Context.REFERRAL, "follow");
// Needed for the Bind (User Authorized to Query the LDAP server)
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, principal);
env.put(Context.SECURITY_CREDENTIALS, credentials);
return env;
}
The code that builds and executes the query:
private LDAPUser getLDAPUserInfoByUniqueField(String attr, String value) {
DirContext serviceUserContext = null;
NamingEnumeration<SearchResult> results = null;
try {
String searchString = "(&(objectCategory=user)(" + attr + "=" + value + "))";
serviceUserContext = createDirContext(this.serviceUserPrincipal, serviceUserCredentials);
results = serviceUserContext.search("", searchString, createSearchControls()); // blocking...
return createLDAPUserInfo(results);
} catch (LDAPLoginException e) {
throw e;
} catch (Exception e) {
throw new LDAPFatalException(e);
} finally {
try {
if (results != null)
results.close();
} catch (NamingException e) {
}
try {
if (serviceUserContext != null)
serviceUserContext.close();
} catch (NamingException e) {
}
}
}
Utility methods:
private LDAPUser createLDAPUserInfo(NamingEnumeration<SearchResult> results) throws NamingException {
LDAPUser ldapUserInfo = null;
if (results.hasMore()) { // blocking here
SearchResult result = (SearchResult) results.next();
String sAMAccountName = extractsAMAccountName(result);
String distinguishName = extractDistinguishName(result);
String department = extractDepartment(result);
String email = extractEmail(result);
ldapUserInfo = new LDAPUser(sAMAccountName, distinguishName, department, email);
}
return ldapUserInfo;
}
private String extractsAMAccountName(SearchResult result) throws NamingException {
Attributes attrs = result.getAttributes();
Attribute attr = attrs.get("sAMAccountName");
return (String) attr.get();
}
The exception:
de.oopexpert.business.ldap.LDAPFatalException: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: oopexpert.de:636 [Root exception is java.net.ConnectException: Connection timed out]]
at de.oopexpert.business.ldap.impl.LDAPImpl.getLDAPUserInfoByUniqueField(LDAPImpl.java:90)
at de.oopexpert.business.ldap.impl.LDAPImpl.getLDAPUserInfoByEmail(LDAPImpl.java:57)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: oopexpert.de:636 [Root exception is java.net.ConnectException: Connection timed out]]
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:242)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:189)
at de.oopexpert.business.ldap.impl.LDAPImpl.createLDAPUserInfo(LDAPImpl.java:139)
at de.oopexpert.business.ldap.impl.LDAPImpl.getLDAPUserInfoByUniqueField(LDAPImpl.java:84)
Any hints?
We struggled with four persons what is going on. We figured out, that it has something to do with "name resolution problems" on the server side when "following refferals". The customer specific environment configuration inherently prohibits us to prevent this behaviour. So we came up with a workaround.
As we are operating in an active directory domain we have global catalog servers. The important statement to this is from Microsoft "technet":
The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.
(from What Is the Global Catalog?)
The phrase "do not involve refferals" leads us to my JNDI environment configuration where I set the following:
env.put(Context.REFERRAL, "follow");
So as I did that, the LDAP-Server will ask other LDAP-Servers if the result of a query seems to be incomplete. This was confirmed by our administrators when I started the query and they debugged it on TCP-Level.
Somehow, I maybe do not really represent it correctly, the name of the other LDAP-Server could not be resolved which leads the client to starvation as the first LDAP-Server waits for resolution.
We tried to omit the client parameter "Context.Refferals=follow". Here we get immediate response. But the response wasn't as expected:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''
This came up because the first LDAP-Server has the opinion to return incomplete data.
Our administrators say that this can never be the case, because "every domain controller" is a "Global Catalog Server".
So my workaround is: I will deal with this exception and interprete it as "no result".
I've a java code which uses JNDI to acess a Directory and get user/password to login inside a samba.
What I need is a way to covnert it to .Net code. However I read this MSDN article and couldn't understand. I've tried to use DirectorySearcher class in many different ways.
There's a small piece of java code:
try {
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
env.put(Context.PROVIDER_URL, jndiServerURL);
ic = new InitialContext(env);
fileSystemProxy = (T3FileSystemProxy) ic.lookup("Credential");
}
catch (Exception e) {
e.printStackTrace();
}
Does somebody know how to implement it?
Unfortunately I couldn't implement JNDI because it's an interface for Java. I've had to get the UNC path and to authenticate using network credential.
using (new UNCPathAccess(Path.GetDirectoryName(pathPdf), username, string.Empty, password))
{
Email.Send(subject, body, email, attachments);
}
I'm using the asmack XMPP with Android, but I have a problem. I would like a player to connect to XMPP server (only if username not already taken), receive all currently connected users and choose a user from the list to play against.
Currently I'm logging into the XMPP server like this:
/* then connect with a newly created username */
try {
if (connection != null && connection.isConnected()) {
connection.login(username, password);
}
} catch (XMPPException e) {
Log.w("[xmpp_login] Cannot connect to XMPP server with username: " + username, "0");
e.printStackTrace();
}
And for the creation of users I'm using the following code:
/* required attributes for creation of a new account */
HashMap<String, String> attr = new HashMap<String, String>();
attr.put("username", username);
attr.put("password", password);
manager.createAccount(username, password, attr);
} catch (XMPPException e) {
Log.w("[create_user] Cannot create new user: XMPP Exception.", "0");
Log.w(e.getMessage(), "0");
e.printStackTrace();
} catch (IllegalStateException e) {
Log.w("[create_user] Cannot create new user: not logged in.", "0");
e.printStackTrace();
}
I have two questions:
How can I check if the username is already taken?
How can I return a list of all currently connected (online) users to each player? Since I've googled and found nothing useful, I guess I'll have to provide that function at serverside. This is where I'm using openfire XMPP server. Is there a plugin for it that I can use that does that - then I could call some function from a client, which would call that specific plugin, which will in turn respond with all the online players.
I guess any tip is appreciated. Thank you
I found a solution. To find an answer you can google "XMPP shared group". Basically I've done the following:
Create a new group in openfire XMPP server.
Under users, make sure that you check "Enable automatically adding of new users to a group."
Of course you'll have to have the right modules enabled for those preferences to even be present.
Then we can just write the following function that will return all users from XMPP server:
/*
* Return a list of #num players currently connected. (if #num == 0: return
* all players)
*/
public ArrayList<String> xmpp_playerlist(int num) {
try {
if (!connection.isConnected())
connection.connect();
if (!connection.isAuthenticated())
connection.login(user, pass);
} catch (XMPPException e) {
Log.w("Cannot connect to XMPP server with default admin username and password.", "0");
e.printStackTrace();
}
ArrayList<String> players = new ArrayList<String>();
roster = connection.getRoster();
Collection<RosterEntry> entries = roster.getEntries();
for (RosterEntry entry : entries) {
players.add(entry.getName());
}
Log.w("**Number Users: " + roster.getEntryCount(), "0");
return players;
}