#1 (Devshed Newbie, joined Sep 2005, Hawaii)
    JNDI / LDAP Authentication


    Quick scenario: I am authenticating users via a browser (JSP) where they enter a username / password, and then I pass those credentials to a class file for LDAP authentication via bind.

    After some digging on Google, it seems that the LDAP bind will only work with the user's distinguishedName / password, NOT their login / password.

    So I basically wrote another method "getDNfromLogin" that retrieves the DN from the user's login and passes it into the authentication method that I wrote to do the bind. This of course has issues because "retrieving" anything in AD is limited to 1000 rows, and our admin will not set it any higher.

    Question: So is there a way to just do an LDAP bind using login / password and not have to look up the distinguishedName?

    thanks

    SK
  2. #2
  3. <- My daily commute :^)
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Mar 2005
    Location
    Earth. Welcome.
    Posts
    1,500
    Rep Power
    1703
    Quote: This of course has issues because "retrieving" anything in AD is limited to 1000 rows....
    I'm guessing that you are requesting all distinguished names, and then iterating through them trying to find matching common names? Are you aware that you can specify search terms in your search? I don't know which library you are using - but you should be able to specify a search filter. Something along the lines of "cn=jdoe".

    Otherwise, if you (potentially) have more than one thousand "jdoe" entries, I don't know how to help you. And also, wow, I'd hate to have to maintain your tree.
    A -> B: Ride.
  4. #3
  5. No Profile Picture
    Participant
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2005
    Location
    Hawaii
    Posts
    376
    Rep Power
    21
    Sorry, I read my post and noticed I forgot to include the full scenario, but yes, with the search filter I'm okay: it returns one user's distinguishedName attribute value and I never go over 1000 rows.

    And either way, regardless of the other problem / scenario, good news: I found a way to bind with the sAMAccountName.

    The "username" variable on this line:

    Code:
    env.put(Context.SECURITY_PRINCIPAL,username);
    must be passed in with the domain in front, e.g. domain\sAMAccountName as the value of "username".

    Works like a charm!

    Comments on this post

    • mrider agrees : Rep points for following up.
    • Nemi agrees : Thanks for the solution!
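The approach the thread settles on, written out as a complete JNDI example (added here; it is not code from any poster). It binds as DOMAIN\sAMAccountName exactly as #3 describes, then reuses the user's own bound context to read back the distinguishedName with the filtered search #2 suggests. The LDAP URL, the NetBIOS domain name, the search base and the objectClass=user term are assumptions for illustration. Two checks that the thread does not mention are included because a practitioner needs them: a bind with a name and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that Active Directory accepts by default, so an empty password must be rejected before binding; and the login is passed to the search as a filter argument ({0}), which JNDI escapes per RFC 4515, rather than concatenated into the filter string, so characters such as "*", "(" or "\" cannot rewrite the filter.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Authenticates an AD user by simple bind as DOMAIN\sAMAccountName, then reads back the DN. */
public class AdLoginBind {

    // Assumed values for this example; substitute your own.
    // ldaps:// matters: over plain ldap:// a simple bind sends the password in clear text.
    private static final String LDAP_URL = "ldaps://dc01.example.com:636";
    private static final String NETBIOS_DOMAIN = "EXAMPLE";
    private static final String SEARCH_BASE = "DC=example,DC=com";

    /**
     * Returns the user's distinguishedName on success, or null if the credentials are
     * rejected, the login is malformed, or the login does not map to exactly one entry.
     */
    public static String authenticate(String login, char[] password) throws NamingException {
        // RFC 4513 s5.1.2: a bind with a name but an empty password is an "unauthenticated"
        // bind. AD accepts it by default, so an empty password would "log in" any user name.
        if (login == null || login.isEmpty() || password == null || password.length == 0) {
            return null;
        }
        // The caller-supplied login must be a bare sAMAccountName: a value such as
        // "OTHERDOMAIN\\jdoe" or "jdoe@other.example" would change which account is bound.
        if (login.indexOf('\\') >= 0 || login.indexOf('@') >= 0 || login.indexOf('/') >= 0) {
            return null;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, NETBIOS_DOMAIN + "\\" + login); // DOMAIN\sAMAccountName
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
            return lookupDn(ctx, login);        // reuse the user's own bound context
        } catch (AuthenticationException e) {
            return null;                        // wrong user name or password
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    /** Finds the single entry whose sAMAccountName equals login; null if none or several. */
    static String lookupDn(DirContext ctx, String login) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName"});
        sc.setCountLimit(2); // enough to tell "exactly one" from "more than one"

        // {0} is substituted by JNDI with RFC 4515 escaping applied, so '*', '(', ')' or '\'
        // in login cannot alter the filter (LDAP filter injection). Never concatenate it.
        String filter = "(&(objectClass=user)(sAMAccountName={0}))";
        NamingEnumeration<SearchResult> results = null;
        try {
            results = ctx.search(SEARCH_BASE, filter, new Object[] {login}, sc);
            String dn = null;
            int matches = 0;
            while (results.hasMore()) {
                dn = results.next().getNameInNamespace(); // full DN of the entry
                matches++;
            }
            return matches == 1 ? dn : null;
        } catch (SizeLimitExceededException e) {
            return null; // more than one entry matched: ambiguous, refuse
        } finally {
            if (results != null) results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample credentials; they only succeed against a real DC that has them.
        String dn = authenticate("jdoe", "correct horse battery staple".toCharArray());
        System.out.println(dn == null ? "login rejected" : "authenticated as " + dn);
    }
}
```

The 1000-entry ceiling the original poster hit is AD's MaxPageSize, which applies per search result set; a search filtered to one sAMAccountName returns one entry and never approaches it, which is why the DN lookup here needs no paging. Code that genuinely has to enumerate more than 1000 entries would use javax.naming.ldap.PagedResultsControl on an LdapContext rather than asking the admin to raise the limit.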
