  • Active Directory Authentication


    I'm trying to authenticate myself against an Active Directory LDAP server using the SAMAccount and the password.

    Before everybody starts to point out that there are gazillions of posts related to this issue, please notice that I've searched through them without success. There are a lot of side problems discussed, but I didn't find this issue solved in any of them.

    So, let's say you have a simple AD user:

    CN=John Smith, CN=users, DC=company, DC=com
    Its SAMAccount is "john.smith"

    You can log in using "John Smith" as username and its password. But how do you authenticate yourself using its SAMAccount?

    Of course, something like this doesn't work for the SAMAccount

            import org.springframework.ldap.core.LdapTemplate;
            import org.springframework.ldap.core.support.DefaultDirObjectFactory;
            import org.springframework.ldap.core.support.LdapContextSource;

            LdapContextSource ldapContextSource = new LdapContextSource();
            ldapContextSource.setUrl( url );
            ldapContextSource.setBase( base );
            ldapContextSource.setUserName( userName );      // bind user; fails when this is the SAMAccount
            ldapContextSource.setPassword( password );
            ldapContextSource.setDirObjectFactory( new DefaultDirObjectFactory().getClass() );
            ldapContextSource.setAuthenticationSource( authSource );
            try {
                // initialise the context source; afterPropertiesSet() declares a checked Exception,
                // which is what the try/catch is for (the call was missing from the pasted snippet)
                ldapContextSource.afterPropertiesSet();
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
            LdapTemplate ldapTemplate = new LdapTemplate( ldapContextSource );
            ldapTemplate.setIgnorePartialResultException( true );   // AD returns referrals; ignore the PartialResultException
    Any comment here would be really welcome.

  • #2
    Try setting the userName to the SamAccountName (possibly with a "/" in the front). I think I've seen that work. Or maybe that's what you did already?


    • #3
      Rasky, thank you for your help.

      Unfortunately I wasn't able to log in using just SamAccountName (or the userPrincipal). It seems to be a bit more complex than this...


      • #4
        Well, if that doesn't work you'll need to use the samaccountname in a search to find the actual entry it belongs to and then use that entry's DN as input to the ContextSource.


        • #5
          Yes, but that does mean that you need an additional account with read permissions. I'd like to avoid it and just use the account of the user who is trying to log in...


          • #6
            Since it's taking a long time, I'll settle for the two-account approach (one for the administrator to check the user and the one of the user who wants to log in).

            I've been following the excellent blog entry from Niklas that provided all the info I needed.

            The final code is:

            private String _managerDn       = "CN=manager, CN=users, DC=domain, DC=com";
            private String _managerPassword = "managerPassword";
            private String _url             = "ldap://ldapServer:389";
            private String _userBase        = "CN=users, DC=domain, DC=com";

            // context factory bound with the manager (read-only lookup) account
            DefaultInitialDirContextFactory ctxFactory = new DefaultInitialDirContextFactory(_url);
            ctxFactory.setManagerDn( _managerDn );
            ctxFactory.setManagerPassword( _managerPassword );
            // look the user up by sAMAccountName; {0} is substituted (and escaped) by the search
            FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(_userBase, "(sAMAccountName={0})", ctxFactory);
            userSearch.setSearchSubtree( true );
            // then bind as the DN that the search returned, using the user's own password
            BindAuthenticator bindAuthenticator = new BindAuthenticator(ctxFactory);
            bindAuthenticator.setUserSearch( userSearch );
            try {
                bindAuthenticator.authenticate( "userName", "userPassword");
            } catch ( Exception e ) {
                throw new RuntimeException( e );
            }
            Best regards and thanks for the help!
            Juan Medín
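            The search-then-bind flow that #4 describes and #6 implements with Spring classes, written as an added example in plain JNDI (it is not code from the thread or from Spring; the server URL, manager DN, base and password are constructed placeholders). It also adds two checks the thread's code leaves out: an empty password is rejected up front, because Active Directory treats a simple bind with an empty password as an anonymous bind that does not fail, and the supplied name goes through a `{0}` filter argument so that filter metacharacters in it cannot alter the search.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
public class SamAccountAuthenticator {
    // Constructed values for illustration only; point them at your own directory.
    private static final String URL        = "ldap://ldapServer:389";
    private static final String MANAGER_DN = "CN=manager,CN=users,DC=domain,DC=com";
    private static final String MANAGER_PW = "managerPassword";
    private static final String USER_BASE  = "CN=users,DC=domain,DC=com";
    // Simple bind as the given principal; bad credentials raise AuthenticationException.
    private static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    // Search-then-bind: returns the user's DN on success, null on any authentication failure.
    public static String authenticate(String samAccountName, String password) throws NamingException {
        // Reject empty credentials first: a simple bind with an empty password is an
        // anonymous bind and would not fail, so it must never count as a login.
        if (samAccountName == null || samAccountName.isEmpty() || password == null || password.isEmpty()) return null;
        // Step 1: locate the entry with the service account. The {0} placeholder makes JNDI
        // escape filter metacharacters in the supplied name, so it cannot alter the filter.
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        String userDn;
        DirContext managerCtx = bind(MANAGER_DN, MANAGER_PW);
        try {
            NamingEnumeration<SearchResult> results = managerCtx.search(USER_BASE,
                    "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { samAccountName }, sc);
            if (!results.hasMore()) return null;                 // unknown account
            userDn = results.next().getNameInNamespace();
            if (results.hasMore()) return null;                  // ambiguous match: refuse
        } finally {
            managerCtx.close();
        }
        // Step 2: prove the password by binding as the user's own DN.
        try {
            bind(userDn, password).close();
            return userDn;
        } catch (AuthenticationException e) {
            return null;                                         // wrong password (LDAP error 49)
        }
    }
}
```

            A manager-bind failure is deliberately left to propagate as a NamingException, since it indicates misconfiguration rather than a bad user login.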