Thread: Ldap bind mechanism in java
- 05-19-2010, 07:43 AM #1
Hello all,
I'm trying to find a solution for an LDAP bind similar to the ldap_bind function in PHP.
It seems easy and nice.
I had a look around the web and some forums and got a direction to use this.
But this is not a similar solution to the one in PHP.
ldap_bind uses only the connection, userName and password, doesn't know anything about the password hash method, and will verify the credentials as valid or invalid.
Does anyone have information or ideas on how to do it in Java?
Petr, cz
- 05-21-2010, 01:39 AM #2
I have had good luck with the spring-ldap project. Their API can be used on its own (e.g. Java classes), but is also well suited for use with the springframework (e.g. within an applicationContext.xml-configured bunch of beans).
- 05-21-2010, 06:40 AM #3
Thanks, it looks good.
Can I use this in a non-Spring application?
As I see it, I will need to configure a contextSource, so I will look at the API.
I hope that I will find info on how to use it in a non-Spring project.
Hmm, I prepared some example with manually creating LdapContextSource;
when I try to do ctx = ctxSource.getContext("uid=user,ou=People,dc=firm,dc=cz", "pass");
I get LDAP: error code 49 - cannot bind the principalDn
I'm using ApacheDS 1.5.7; I found that maybe ApacheDS in this version doesn't support it,
more about it here
I hope that I understand it well, so I will try to configure OpenLDAP; btw the customer uses OpenLDAP too, so it will help me too.
I'm a little scared by the OpenLDAP configuration :], I hope my mind will discover an easy way.
Thanks, enjoy Friday.
Petr
Last edited by ppo; 05-21-2010 at 08:21 AM.
- 05-21-2010, 10:38 AM #4
So I installed and did a simple configuration of OpenLDAP under Windows.
I created a name context and one user.
I have this code
Java Code:
import javax.naming.directory.DirContext;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.support.LdapUtils;

// assertNotNull() and fail() come from the enclosing JUnit test class
public void testLdapContext() {
    try {
        String dnStrVal = "cn=manager,dc=envinet,dc=cz";
        LdapContextSource ctxSource = new LdapContextSource();
        ctxSource.setUrl("ldap://172.16.40.253:389");
        ctxSource.setUserDn(dnStrVal);
        ctxSource.setPassword("secret");
        ctxSource.setPooled(false);
        ctxSource.afterPropertiesSet();
        // Bind as the manager to check the connection settings, and close that context again
        LdapUtils.closeContext(ctxSource.getReadWriteContext());
        DirContext ctx = null;
        try {
            // Bind as the user whose credentials are being verified
            ctx = ctxSource.getContext("uid=petr.pokorny,dc=envinet,dc=cz", "pass");
            assertNotNull(ctx);
        } catch (Exception e) {
            // Context creation failed - authentication did not succeed
            e.printStackTrace();
            fail("Neprobehlo");
        } finally {
            // It is imperative that the created DirContext instance is always closed
            LdapUtils.closeContext(ctx);
        }
    } catch (Exception e) {
        e.printStackTrace(); //To change body of catch statement use File | Settings | File Templates.
    }
}
and I got
Java Code:
org.springframework.ldap.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
Here is the text from the OpenLDAP console:
Java Code:
do_bind: version=3 dn="uid=petr.pokorny,dc=envinet,dc=cz" method=128
bdb_dn2entry("uid=petr.pokorny,dc=envinet,dc=cz")
=> bdb_dn2id( "uid=petr.pokorny,dc=envinet,dc=cz" )
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
If I put the manager data into getContext, all is OK
Java Code:
ctx = ctxSource.getContext("uid=petr.pokorny,dc=envinet,dc=cz", "pass");
ldap console
do_bind: version=3 dn="cn=manager,dc=envinet,dc=cz" method=128
do_bind: v3 bind: "cn=manager,dc=envinet,dc=cz" to "cn=manager,dc=envinet,dc=cz"
I'm not very familiar with OpenLDAP, so now I'm wondering whether the problem is in the OpenLDAP configuration, or in the user created in the directory, or something in the Java code?
Anyone is welcome to help with this.
Petr, cz
Last edited by ppo; 05-21-2010 at 10:45 AM.
- 05-21-2010, 10:57 AM #5
My example works now.
I copied the full DN from my LDAP manager and realized that I have a different DN.
And some other attributes are missing; I don't know how it happened, but I'm glad that it works now.
Thanks for showing me the spring-ldap API.
I cannot use a different cn or any other attribute for the bind.
I need to use only the cn which is part of the RDN.
I will need to use the uid attribute.
Why is it not possible this way; do I need to configure something in the LDAP server?
Petr, cz
Last edited by ppo; 05-21-2010 at 11:28 AM.
- 06-10-2010, 03:25 AM #6
I think you need to use the RDN for binding because from the outside, as a non-authenticated user, that is the only unique key to refer to the one user.
You mean, uid is not your RDN. I thought it was uid=xxx, ...
I wonder, if you want to bind / login using some other unique user attribute, whether it would be possible to first search for the user, then determine the RDN, and then attempt to bind with this. To do this we need to configure an administrative LDAP user to connect to the LDAP repository and invoke this query on the user's behalf.
I have only ever done this with the Spring framework and spring-ldap, where I make use of their LdapTemplate to help me get the connection to the LDAP server.
For example, my authenticate-by-uid handler
Java Code:
import org.springframework.ldap.core.DistinguishedName;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

public class LdapAuthenticationManager extends LdapTemplate {
    public boolean isValidAuthCredentials(String uid, String password) {
        // uses spring-ldap 3.0 convenience authenticate() method.
        // constructs a filter to find a user object, that is active, and has the given roles.
        AndFilter filter = new AndFilter();
        // EqualsFilter encodes the value, so filter metacharacters in uid are matched literally
        filter.and(new EqualsFilter("uid", uid));
        return authenticate(DistinguishedName.EMPTY_PATH, filter.toString(), password);
    }
}
This lets us build more attributes into the filter too, for example, we could instead search on the "mail" attribute, or perhaps if we had a custom 'active' attribute, we could add these other attributes to this filter criteria to try to find the user by that other criteria.
and the spring bean factory configuration:
Java Code:
<?xml version="1.0" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:aop="http://www.springframework.org/schema/aop"
       xmlns:tx="http://www.springframework.org/schema/tx"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
    <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="locations">
            <list>
                <value>WEB-INF/conf/application.properties</value>
            </list>
        </property>
    </bean>
    <bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="url" value="${ldap.url}" />
        <property name="base" value="${ldap.base}" />
        <property name="userDn" value="${ldap.userDn}" />
        <property name="password" value="${ldap.password}" />
    </bean>
    <bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
        <property name="contextSource" ref="contextSource" />
    </bean>
    <bean id="authenticationManager" parent="ldapTemplate" class="............LdapAuthenticationManager">
    </bean>
</beans>
where in this case I have that application.properties file in my WEB-INF/conf/ folder to contain the ldap.url, ldap.base, ldap.userDn, and ldap.password settings - this is for connecting to the server, but also the userDn here is the system LDAP account that our application uses to connect to and invoke the query with.
I guess you could try to wire up that LDAP template without using a spring bean / applicationContext thing too, though the LdapTemplate is in the spring jar.
Last edited by travishein; 06-10-2010 at 03:32 AM.
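The search-then-bind flow described in post #6, written with plain JNDI so it needs no Spring classes. This is an added example, not code from any poster in the thread; the class name, the method names and the fixed uid search attribute are assumptions made for illustration.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
public class SearchThenBind {
    // Simple bind as the given DN; a rejected bind (LDAP error 49) throws NamingException.
    static DirContext bind(String url, String dn, String pw) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        return new InitialDirContext(env);
    }

    static boolean authenticate(String url, String svcDn, String svcPw,
                                String base, String uid, String password) {
        // A simple bind with an empty password is an "unauthenticated bind" (RFC 4513, 5.1.2)
        // that some servers report as success, so refuse it before contacting the server.
        if (uid == null || uid.isEmpty() || password == null || password.isEmpty()) return false;
        DirContext svc = null;
        try {
            svc = bind(url, svcDn, svcPw);            // 1. bind as the service account
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // 2. JNDI escapes the {0} argument, so "*" or ")(" typed as a uid stay literal
            NamingEnumeration<SearchResult> hits = svc.search(base, "(uid={0})", new Object[] {uid}, sc);
            if (!hits.hasMore()) return false;        // unknown user
            String userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) return false;         // uid is not unique: refuse to guess
            bind(url, userDn, password).close();      // 3. bind as the user's full DN
            return true;
        } catch (NamingException e) {
            return false;                             // wrong password, server unreachable, ...
        } finally {
            if (svc != null) try { svc.close(); } catch (NamingException ignored) { }
        }
    }
    public static void main(String[] a) {
        java.io.Console c = System.console();         // passwords are prompted for, not put on argv
        if (a.length != 4 || c == null) {
            System.err.println("usage (interactive): SearchThenBind <url> <serviceDn> <base> <uid>");
            return;
        }
        String svcPw = new String(c.readPassword("service password: "));
        String userPw = new String(c.readPassword("password for %s: ", a[3]));
        System.out.println(authenticate(a[0], a[1], svcPw, a[2], a[3], userPw) ? "valid" : "invalid");
    }
}
```

Point it at an ldaps:// URL where the server offers one: a simple bind sends the password itself, so over plain ldap:// it crosses the network in the clear.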