I am totally new to this field and not much experienced in java too. I was assigned this task and I could connect in simple mode as admin and retrieve info, but couldnot reset password. I found in many sites that I have to use ssl for that, but couldnt successfully do that as I get a
"simple bind failed"
error I post my code below of what I did and also the codes I commented out(which I tried earlier). Please please please help. I couldnt solve the problem from any source I received. I used a certificate copied from server into my keystore. Is this the right way to use that?? If i remove the ssl part
env.put(Context.SECURITY_PROTOCOL,"ssl");
I get a handshake exception
Problem with TLS: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed
public class ActiveDirectory {
private DirContext ctx;
public boolean connect(String username,String password){
Hashtable<String, String> env = new Hashtable<String, String>();
// Properties env=new Properties();
env.put(Context.SECURITY_PROTOCOL,"ssl");
env.put(Context.INITIAL_CONTEXT_FACTORY,
"com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.PROVIDER_URL, "ldap://192.168.1.199:389");
env.put(Context.REFERRAL, "follow");
// The value of Context.SECURITY_PRINCIPAL must be the logon username
// with the domain name
env.put(Context.SECURITY_PRINCIPAL, username+"#xxxx.net");
// The value of the Context.SECURITY_CREDENTIALS should be the user's
// password
env.put(Context.SECURITY_CREDENTIALS, password);
try {
// Authenticate the logon user
ctx = new InitialLdapContext(env,null);
return true;
}catch(NamingException e){
System.out.println("Error in connecting : " + e.getMessage());
return false;
}
}
public boolean changePasswordAdmin(String userName,String newPassword){
try {
//set password is a ldap modfy operation
//Secure the session with TLS
StartTlsResponse tls = (StartTlsResponse)((LdapContext) ctx).extendedOperation(new StartTlsRequest());
tls.negotiate();
//set password is a ldap modfy operation
ModificationItem[] mods = new ModificationItem[1];
//Replace the "unicdodePwd" attribute with a new value
//Password must be both Unicode and a quoted string
String newQuotedPassword = "\"" + newPassword + "\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
// Perform the update
ctx.modifyAttributes(userName, mods);
System.out.println("Reset Password for: " + userName);
tls.close();
ctx.close();
return true;
}
catch (NamingException e) {
System.out.println("Problem resetting password: " + e);
}
catch (UnsupportedEncodingException e) {
System.out.println("Problem encoding password: " + e);
}
catch (IOException e) {
System.out.println("Problem with TLS: " + e);
}
return false;
}
public static void main(String args[]) throws NamingException {
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
// the keystore that holds trusted root certificates
System.setProperty("javax.net.ssl.trustStore", "C:\\keystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "****");
System.setProperty("javax.net.ssl.keyStore", "C:\\keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "****");
ActiveDirectory d= new ActiveDirectory();
d.connect("Administrator", "Group&Team2");
System.out.println(d.fetchData("MG"));
System.out.println(d.changePasswordAdmin("CN=Manager MG. Manager,OU=Manager,DC=xxxxx,DC=net", "Abcd#10"));
}
}
Your active directory doesn't have a valid certificate.
This is probably the case because the root certificate wasn't imported in Java.
Here is a small tutorial how to import certificates into java.
Related
i wanted to make an easy LDAP Connection with using Apache DS and Java, wanted to learn and play a bit with authentification. However, when i start using the my jar file, i always get this error message:
Setting up LDAP connection ...
LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to resolve address 'ldap://localhost:10389':
UnknownHostException(Der angegebene Host ist unbekannt (ldap://localhost:10389)), ldapSDKVersion=6.0.0, revision=524c20f3bbcc0d83fb56b9e136a2fd3a7f60437d')
My apache DS LDAP server looks like this:
enter image description here
My Java code:
package ldap.test;
import java.security.GeneralSecurityException;
import javax.net.SocketFactory;
import com.unboundid.ldap.sdk.BindRequest;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPSearchException;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustAllTrustManager;
public final class App2 {
// hostname of the ldap instance
public static final String HOSTNAME = "ldap://localhost:10389";
// port of the ldap instance
public static final int PORT = 10389;
public static final void main(String[] args)
{
// lazy hack
if ( args.length != 4 ) {
System.out.println("One or more parameters are missing!");
System.out.println("java -jar App2.jar $cn $sn $employeenumber $password");
System.out.println("Example: java -jar App2.jar Max Mustermann 1 1");
System.exit(1);
}
// Use no key manager, and trust all certificates. This should not be used in non-trivial code!
SSLUtil sslUtil = new SSLUtil(null, new TrustAllTrustManager());
SocketFactory socketFactory;
LDAPConnection ldapConnection = null;
try {
// Create the socket factory that will be used to make a secure
// connection to the server.
socketFactory = sslUtil.createSSLSocketFactory();
System.out.print("Setting up LDAP connection ... ");
ldapConnection = new LDAPConnection(socketFactory, HOSTNAME, PORT);
System.out.println("done!");
}
catch ( LDAPException ldapException ) {
System.err.println(ldapException);
System.exit(ldapException.getResultCode().intValue());
}
catch ( GeneralSecurityException exception ) {
System.err.println(exception);
System.exit(1);
}
// LDAP bindrequest and actual bind for DN search
System.out.print("Search DN for user with employeeNumber: " + args[2] + " ... ");
BindRequest ldapBind = new SimpleBindRequest(args[0], args[1]);
try {
// bind with technical user and password and search for DN
ldapConnection.bind(ldapBind);
String employeeNumber = args[2];
String userPassword = args[3];
Filter ldapFilter = Filter.createANDFilter(Filter.createEqualityFilter("number", employeeNumber));
SearchRequest searchReq = new SearchRequest("ou=users,o=Beispiel", SearchScope.SUB, ldapFilter, "dn");
SearchResult searchResult;
String foundDN = "none";
try
{
searchResult = ldapConnection.search(searchReq);
System.out.println("done!");
for ( SearchResultEntry entry : searchResult.getSearchEntries() )
{
foundDN = entry.getDN();
}
}
catch ( LDAPSearchException lse )
{
System.out.println("... error!");
// The search failed for some reason
searchResult = lse.getSearchResult();
ResultCode resultCode = lse.getResultCode();
System.out.println("Resultcode: " + resultCode);
String errorMessageFromServer = lse.getDiagnosticMessage();
System.out.println("Error message from server: " + errorMessageFromServer);
}
// now check for the foundDN if the given password is correct
if ( !foundDN.equals("none") ) {
System.out.println("Found DN for user with EmployeeNumber: " + employeeNumber + " => " + foundDN);
System.out.println("Now checking if password for user is correct!");
BindRequest userBindReq = new SimpleBindRequest(foundDN, userPassword);
BindResult userBindRes = ldapConnection.bind(userBindReq);
System.out.println("Result: " + userBindRes);
}
else {
System.out.println("No DN found for user with EmployeeNumber: " + employeeNumber);
}
}
catch ( LDAPException ldapException ) {
System.err.println(ldapException);
System.exit(ldapException.getResultCode().intValue());
}
finally {
// Close ldap connection
ldapConnection.close();
}
}
}
No idea why i cant connect to the server...
-----Edit--------
When i change the HOSTNAME to localhost, i get the following error message:
Setting up LDAP connection ... LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to connect to server localhost:10389: IOException(LDAPException(resultCode=91 (connect error),
errorMessage='An error occurred while attempting to establish a connection to server localhost/127.0.0.1:10389: SSLException(Unsupported or unrecognized SSL message),
ldapSDKVersion=6.0.0, revision=524c20f3bbcc0d83fb56b9e136a2fd3a7f60437d'))')
Well the good thing is that he can find localhost, but he cant connect to the server
I faced a similar issue, and the problem was solved by calling the LDAPConnection constructor with only two arguments ("localhost",10389). Could you check if this resolves your issue too?
Ofcourse, you should also remove the "ldap//:" prefix too!
When one configure application settings it always useful to show debug/output of the process.
E.g. javax.mail.Session has debug and debugOutput. Is it something similar in parameters/API for InitialDirContext/InitialLdapContext/LdapCtxFactory Java classes?
My goal is to give a user debug info if something is going wrong with LDAP connection.
P.S. Java code is trivial:
Properties properties = new Properties();
properties.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
properties.put(Context.PROVIDER_URL, domainController);
properties.put(Context.SECURITY_AUTHENTICATION, "simple");
properties.put(Context.SECURITY_PRINCIPAL, login);
properties.put(Context.SECURITY_CREDENTIALS, password);
//initializing active directory LDAP connection
InitialDirContext dirContext = null;
try {
dirContext = new InitialDirContext(properties);
System.out.println("OK!");
} catch (NamingException e) {
//ignore auth. exception
System.out.println("Failed!!!");
e.printStackTrace();
}finally{
if(dirContext != null)
try {
dirContext.close();
} catch (NamingException e) {}
}
}
You can set the com.sun.jndi.ldap.connect.pool.debug system property to all and it should provide the information that you need.
https://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html
I'm adding LDAP authentication to the spring-boot application. All set accordingly and I'm getting "LDAP error code 49 AcceptSecurityContext error data 52e v2580" error even after providing correct credentials.
I'm using import javax.naming.Context; and have mentioned the code below.
String url = ldap_url;
String domain = ldap_domain;
String uname = request.getUsername();
String pwd = request.getPassword();
boolean authentication = false;
boolean error = true;
String msg;
String ldapSearchBase = "OU=TEST_OU, DC=DC2, DC=DC1";
// create env for initial context
Hashtable<String, String> env = new Hashtable<String, String>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, url);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "CN=" + uname + "#" + domain + "," + ldapSearchBase);
env.put(Context.SECURITY_CREDENTIALS, pwd);
NamingEnumeration results = null;
try {
LdapContext ctx = new InitialLdapContext(env, null);
authentication = true;
error = false;
} catch (NamingException e) {
logger.error("LDAP error for :{NamingException}" + e);
return ResponseEntity.ok(new ApiResponse(true, e.getMessage()));
} finally {
if (!error) {
msg = "Login success!!!";
} else {
msg = "Authentication failed!";
}
}
logger.info("exitinig...");
if (authentication) {
return ResponseEntity.ok(new ApiResponse(false, msg));
} else {
return ResponseEntity.ok(new ApiResponse(true, msg));
}
Error is catching as NamingException.
An error response with LDAP error code 49 ... data 52e "Returns when username is valid but password/credential is invalid."
There could be infrastructure issues such as when the domain controller computer account may not be synchronized with the Key Distribution Center (KDC). However you would probably have a lot more other issues when this condition exists.
This can occur when your account requires a SmartCard to sign in.
There is a setting in Active Directory called "Smart card is required for interactive logon".
You might get this error in Active directory (Windows popular implementation of LDAP) if you specify the username but not the windows domain.
This is what you should do:
USERNAME: <YOUR_WINDOWS_DOMAIN>\<YOUR_USERNAME>
PASSWORD: <YOUR_PASSWORD>
I'm making a vysper xmpp server.
Here's my code:
public static void main(String[] args) throws Exception {
XMPPServer server = new XMPPServer("myserver.org");
StorageProviderRegistry providerRegistry = new MemoryStorageProviderRegistry();
AccountManagement accountManagement = (AccountManagement) providerRegistry.retrieve(AccountManagement.class);
Entity user = EntityImpl.parseUnchecked("user#myserver.org");
accountManagement.addUser(user, "password");
server.setStorageProviderRegistry(providerRegistry);
server.addEndpoint(new TCPEndpoint())
server.setTLSCertificateInfo(new File("keystore.jks"), "boguspw");
//server.setTLSCertificateInfo(new File("bogus_mina_tls.cert"), "boguspw");
server.start();
System.out.println("Vysper server is running...");
server.addModule(new EntityTimeModule());
server.addModule(new VcardTempModule());
server.addModule(new XmppPingModule());
server.addModule(new PrivateDataModule());
}
I've tried both certificate files. (keystore.jks,bogus_mina_tls.cert)
After I start the server, it connects to it, and tries to login but it can't login.
SmackConfiguration.setPacketReplyTimeout(5000);
config = new ConnectionConfiguration("myserver.org", port, "localhost");
config.setSelfSignedCertificateEnabled(true);
config.setSecurityMode(ConnectionConfiguration.SecurityMode.enabled);
config.setSASLAuthenticationEnabled(true);
// config.setKeystorePath("keystore.jks");
// config.setTruststorePath("keystore.jks");
config.setKeystorePath("bogus_mina_tls.cert");
config.setTruststorePath("bogus_mina_tls.cert");
config.setTruststorePassword("boguspw");
XMPPConnection.DEBUG_ENABLED = true;
connection = new XMPPConnection(config);
try {
connection.connect();
} catch (XMPPException e) {
System.out.println("Error connect");
e.printStackTrace();
}
System.out.println("Connected: " + connection.isConnected());
try {
System.out.println(connection.isAuthenticated());
connection.login("user", "password");
} catch (XMPPException e) {
System.out.println("Error login");
e.printStackTrace();
}
I catch this exception:
SASL authentication PLAIN failed: incorrect-encoding: at
org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:337)
at
org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.smack.Connection.login(Connection.java:348) at
com.protocol7.vysper.intro.WorkingClient.init(WorkingClient.java:57)
at
com.protocol7.vysper.intro.WorkingClient.(WorkingClient.java:27)
at com.protocol7.vysper.intro.Runclient.main(Runclient.java:11)
I've seen these examples (1st, 2nd) but they don't work.
At first please note that the server certificate is not used for user authentication, it is used to provide secure communication channel between client and server.
From the log you can see that your authentication method is "SASL PLAIN", using a user and password.
On the server, you are setting username/password as:
accountManagement.addUser("user#myserver.org", "password");
but on the client you're using
connection.login("user", "password");
This doesn't fit with the error message you are posting, but I'd suggest you try again with correct user/password.
public static void main(String[] args)
{
String INITCTX = "com.sun.jndi.ldap.LdapCtxFactory";
String MY_HOST = "ldap://Localhost:1389";
String MGR_DN = "cn=John,ou=Users,o=IT,dc=QuizPortal";
String MGR_PW = "password";
//Identify service provider to use
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, INITCTX);
env.put(Context.PROVIDER_URL, MY_HOST);
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, MGR_DN);
env.put(Context.SECURITY_CREDENTIALS, MGR_PW);
try
{
// Create the initial directory context
InitialDirContext initialContext = new InitialDirContext(env);
System.out.println("Context Sucessfully Initialized");
}
catch(Exception e)
{
System.err.println(e);
}
}
I would like to ask when I set the MGR_DN = "cn=John,ou=Users,o=IT,dc=QuizPortal" to MGR_DN = "uid=103,ou=Users,o=IT,dc=QuizPortal". Basically changing from cn to uid, I would encounter an error
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
I am authenticated when is specified as cn=John but not uid=103. Am I not allowed to specify by uid?
If you don't know the exact DN in advance, you should do a search in the LDAP directory first. This can be done more or less like this (make sure you catch the relevant exceptions):
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, ldapServerUrl);
env.put(Context.SECURITY_AUTHENTICATION, "none");
SearchControls searchCtrls = new SearchControls();
searchCtrls.setReturningAttributes(new String[] {});
searchCtrls.setSearchScope(SearchControls.SUBTREE_SCOPE);
String filter = "(&(cn=" + identifier + "))";
DirContext ctx = null;
ctx = new InitialDirContext(env);
NamingEnumeration<SearchResult> answer = ctx.search(
ldapBaseDN, filter, searchCtrls);
String fullDN = null;
if (answer.hasMore()) {
fullDN = answer.next().getNameInNamespace();
ctx.close();
ctx = null;
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, fullDN);
env.put(Context.SECURITY_CREDENTIALS, password);
ctx = new InitialDirContext(env);
return true;
}
// Exception otherwise ...
Here, the search filter is "(&(cn=" + identifier + "))" (so, for example (&(cn=John))), but you could use the uid instead. Uniqueness of the results depends on the configuration of the LDAP server. The base DN also depends on the way it's set up (it could be ou=Users,o=IT,dc=QuizPortal in your example).
You have to specify the DN or distinguished name. That's the name the user is bound as in the directory. You can't just select any chain of attributes. If your users are bound via the 'cn' attribute then only the 'cn' attribute is part of the DN.
It looks like a server configuration issue. Here's a similar problem including a solution. Basically you'll have to specify whether to use uid or cn for authentication in ldap-authentication.properties.