
Thread: Active Directory Authentication

  1. #1
    Join Date
    Jul 2005
    Location
    Bangkok
    Posts
    24

    Active Directory Authentication

    Hi,

    I'm trying to authenticate myself against an Active Directory LDAP server using the SAMAccount and the password.

    Before everybody starts to point out that there are gazillions of posts related to this issue, please notice that I've searched through them without success. There are a lot of side problems discussed, but I didn't find this issue solved in any of them.

    So, let's say you have a simple AD user:

    CN=John Smith, CN=users, DC=company, DC=com
    Its SAMAccount is "john.smith"

    You can log in using "John Smith" as the username, together with its password. But how do you authenticate yourself using its SAMAccount?

    Of course, something like this doesn't work for the SAMAccount:

    Code:
            LdapContextSource ldapContextSource = new LdapContextSource();
            ldapContextSource.setUrl( url );
            ldapContextSource.setBase( base );
            ldapContextSource.setUserName( userName );
            ldapContextSource.setPassword( password );
            ldapContextSource.setDirObjectFactory( new DefaultDirObjectFactory().getClass() );
            ldapContextSource.setAuthenticationSource( authSource );
            
            try {
                ldapContextSource.afterPropertiesSet();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
    
            LdapTemplate ldapTemplate = new LdapTemplate( ldapContextSource );
            ldapTemplate.setIgnorePartialResultException( true );

    Any comment here would be really welcome.

  2. #2
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505

    Try setting the userName to the SamAccountName (possibly with a "/" in the front). I think I've seen that work. Or maybe that's what you did already?
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member

  3. #3
    Join Date
    Jul 2005
    Location
    Bangkok
    Posts
    24

    Rasky, thank you for your help.

    Unfortunately I wasn't able to log in using just SamAccountName (or the userPrincipal). It seems to be a bit more complex than this...

  4. #4
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505

    Well, if that doesn't work you'll need to use the samaccountname in a search to find the actual entry it belongs to and then use that entry's DN as input to the ContextSource.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member

  5. #5
    Join Date
    Jul 2005
    Location
    Bangkok
    Posts
    24

    Yes, but that does mean that you need an additional account with read permissions. I'd like to avoid it and just use the account of the user who is trying to log in...

  6. #6
    Join Date
    Jul 2005
    Location
    Bangkok
    Posts
    24

    Since it's taking a long time, I'll settle for the two-accounts approach (one for the administrator to check the user and the one you want to log in).

    I've been following the excellent blog entry from Niklas that provided all the info I needed.

    The final code is:

    Code:
    private String _managerDn         = "CN=manager, CN=users, DC=domain, DC=com";
    private String _managerPassword = "managerPassword";
    private String _url             = "ldap://ldapServer:389";
    private String _userBase         = "CN=users, DC=domain, DC=com";
    
    DefaultInitialDirContextFactory ctxFactory = new DefaultInitialDirContextFactory(_url);
    ctxFactory.setManagerDn( _managerDn );
    ctxFactory.setManagerPassword( _managerPassword );
    
    FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(_userBase, "(sAMAccountName={0})", ctxFactory);
    userSearch.setSearchSubtree( true );
    
    BindAuthenticator bindAuthenticator = new BindAuthenticator(ctxFactory);
    bindAuthenticator.setUserSearch( userSearch );
    try {
        bindAuthenticator.afterPropertiesSet();
        bindAuthenticator.authenticate( "userName", "userPassword");
    } catch ( Exception e ) {
        throw new RuntimeException( e );
    }

    Best regards and thanks for the help!
    Juan Medín
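
The search-then-bind flow described in posts #4 and #6, written against plain JNDI as an added example; it is not code from the thread or from the Spring LDAP or Acegi projects. The class name `SamAccountAuthenticator` is hypothetical, and the URL and base DN are the thread's placeholder values.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class SamAccountAuthenticator {
    // Placeholder settings mirroring the thread; substitute your own.
    private static final String URL = "ldap://ldapServer:389";
    private static final String USER_BASE = "CN=users,DC=domain,DC=com";

    // Opens a context with an LDAP simple bind as the given DN.
    private static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    public static boolean authenticate(String managerDn, String managerPassword,
                                       String samAccountName, String userPassword)
            throws NamingException {
        // A simple bind with an empty password is an unauthenticated bind and can
        // succeed without proving anything, so reject it before contacting the server.
        if (samAccountName == null || samAccountName.isEmpty()
                || userPassword == null || userPassword.isEmpty()) {
            return false;
        }
        String userDn;
        DirContext manager = bind(managerDn, managerPassword);  // step 1: search account
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // {0} is filled from the args array; the provider escapes filter metacharacters.
            NamingEnumeration<SearchResult> results = manager.search(
                    USER_BASE, "(sAMAccountName={0})", new Object[] { samAccountName }, controls);
            if (!results.hasMore()) return false;               // unknown account
            userDn = results.next().getNameInNamespace();
            if (results.hasMore()) return false;                // ambiguous match: refuse
        } finally {
            manager.close();
        }
        try {
            bind(userDn, userPassword).close();                 // step 2: bind as the user
            return true;
        } catch (AuthenticationException badCredentials) {
            return false;
        }
    }
}
```

Over `ldap://` on port 389 a simple bind sends both passwords in cleartext, so outside a lab the URL should point at an LDAPS listener.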
