Reputation: 199
Below is the code where they try to get an InitialDirContext with all the details of the LDAP server, using the username and password; if it throws an exception, the return codes are decided based on that exception.
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

private void doSimpleAuthentication() {
    DirContext ctx = null;
    try {
        String hostURL = "ldap://" + hostName + ":" + port + "/";
        env.put(Context.PROVIDER_URL, hostURL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        // AD accepts the userPrincipalName form (user@domain) as the bind principal
        String principal = userName + "@" + domain;
        // Bind with the user's own credentials; a failed bind throws and is classified in the catch blocks
        ctx = connectToDirServer(principal, password);
        returnCode = VALID_USER;
        if (warningPeriod >= 0) {
            // Pass the user name as a filter argument ({0}) so JNDI escapes it
            // instead of splicing raw input into the filter string
            String filter = "(sAMAccountName={0})";
            SearchControls ctrl = new SearchControls();
            ctrl.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, filter, new Object[] { userName }, ctrl);
            if (results != null && results.hasMoreElements()) {
                SearchResult result = results.next();
                String attPrincipal = result.getName() + "," + baseDn;
                if (!isPwdNeverExpires(result) && isPasswordNearingExpiry(ctx, attPrincipal)) {
                    returnCode = PASSWORD_NEARING_EXPIRY;
                }
            }
        }
    } catch (CommunicationException e) {
        // Could not reach the server at all (DNS, TCP, TLS); not an authentication result
        errorMessage = e.getMessage();
        errorStackTrace = AgsUtil.convertToString(e);
        returnCode = SERVER_NOT_AVAILABLE;
    } catch (Exception e) {
        errorMessage = e.getMessage();
        errorStackTrace = AgsUtil.convertToString(e);
        returnCode = UNKNOWN_ERROR;
        // getMessage() may be null; guard it before substring matching.
        // The codes below are the "data NNN" values AD appends to its
        // AcceptSecurityContext error comment on a failed bind.
        if (errorMessage != null) {
            if (errorMessage.indexOf("525") != -1 || errorMessage.indexOf("successful bind must be completed") != -1) {
                returnCode = USER_NOT_FOUND;
            } else if (errorMessage.indexOf("52e") != -1) {
                returnCode = INVALID_PASSWORD;
            } else if (errorMessage.indexOf("701") != -1 || errorMessage.indexOf("532") != -1 || errorMessage.indexOf("773") != -1) {
                returnCode = PASSWORD_EXPIRED;
            } else if (errorMessage.indexOf("533") != -1) {
                returnCode = USER_DISABLED;
            } else if (errorMessage.indexOf("775") != -1) {
                returnCode = USER_LOCKOUT;
            } else if (errorMessage.indexOf("530") != -1) {
                returnCode = LOGON_DENIED_AT_THIS_TIME;
            }
        }
    } finally {
        // Always release the connection, whether the bind or the search failed
        if (ctx != null) {
            try { ctx.close(); } catch (Exception ignored) { }
        }
    }
}

public DirContext connectToDirServer(String distinguishedName, String password) throws Exception {
    env.put(Context.SECURITY_PRINCIPAL, distinguishedName);
    env.put(Context.SECURITY_CREDENTIALS, password);
    // Creating the context performs the simple BIND; an invalid bind throws an AuthenticationException
    return new InitialDirContext(env);
}
2. There is an issue which I'm facing at a customer's place where, if the user is not found in LDAP (AD), it is returning the status code "INVALID_USERID_PASSWORD" instead of "USER_NOT_FOUND". The customer asked me to provide the below info:
the query going from the application to the LDAP server, or in other terms, what is the request string passed as the LDAP query. See below some information regarding the LDAP queries.
You can refer here to one of the reference links for a sample:
http://www.google.com/support/enterprise/static/postini/docs/admin/en/dss_admin/prep_ldap.html
How do I proceed? I don't find any information on how these queries are used with the above code.
Upvotes: 2
Views: 2732
Reputation: 11132
LDAP directory servers might respond with the result code for invalid password
when the entry in the BIND request does not exist. It prevents an attacker from knowing whether an entry exists.
Upvotes: 3
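The following is an added example, not code from the question or the answer above: it classifies an AD simple-bind failure by parsing the "data NNN" token that AD appends to its AcceptSecurityContext error comment, instead of searching the whole exception message for a three-character substring as the question's code does. The class name, the Outcome enum and the sample messages (including their DSID values) are constructed for this example; the code values themselves are the ones used in the question.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: classify an Active Directory simple-bind failure from the JNDI exception message. */
public class BindFailureClassifier {

    /** Hypothetical outcome set mirroring the return codes used in the question. */
    public enum Outcome {
        USER_NOT_FOUND, INVALID_CREDENTIALS, PASSWORD_EXPIRED, USER_DISABLED,
        USER_LOCKOUT, LOGON_DENIED_AT_THIS_TIME, UNKNOWN_ERROR
    }

    // Match only the "data <hex>" token AD emits, e.g. "... AcceptSecurityContext error, data 52e, v1db1".
    // A bare indexOf("525") can also fire on unrelated hex in the message, such as a DSID value.
    private static final Pattern DATA_CODE = Pattern.compile("\\bdata\\s+([0-9a-fA-F]+)\\b");

    private static final Map<String, Outcome> BY_CODE = new LinkedHashMap<>();
    static {
        BY_CODE.put("525", Outcome.USER_NOT_FOUND);
        // 52e is what the answer describes: AD returns it for a wrong password and, in the
        // common case, for an unknown user too, so it cannot be split into USER_NOT_FOUND.
        BY_CODE.put("52e", Outcome.INVALID_CREDENTIALS);
        BY_CODE.put("530", Outcome.LOGON_DENIED_AT_THIS_TIME);
        BY_CODE.put("532", Outcome.PASSWORD_EXPIRED);
        BY_CODE.put("533", Outcome.USER_DISABLED);
        BY_CODE.put("701", Outcome.PASSWORD_EXPIRED);
        BY_CODE.put("773", Outcome.PASSWORD_EXPIRED);
        BY_CODE.put("775", Outcome.USER_LOCKOUT);
    }

    /** Returns UNKNOWN_ERROR for a null message or one without a recognised data code. */
    public static Outcome classify(String exceptionMessage) {
        if (exceptionMessage == null) {
            return Outcome.UNKNOWN_ERROR;
        }
        Matcher m = DATA_CODE.matcher(exceptionMessage);
        if (!m.find()) {
            return Outcome.UNKNOWN_ERROR;
        }
        return BY_CODE.getOrDefault(m.group(1).toLowerCase(), Outcome.UNKNOWN_ERROR);
    }

    public static void main(String[] args) {
        // Constructed sample messages in the shape JNDI reports for an AD bind failure;
        // the DSID values are made up. The first one contains "525" inside the DSID but
        // carries data 52e, which substring matching would misclassify as USER_NOT_FOUND.
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090525, comment: AcceptSecurityContext error, data 52e, v1db1]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 533, v1db1]",
            "[LDAP: error code 49 - Invalid Credentials]",
            null
        };
        for (String s : samples) {
            System.out.println(classify(s) + " <- " + s);
        }
    }
}
```

Because AD reports data 52e for both a wrong password and, in the common case, a non-existent account, the classifier deliberately has no way to turn 52e into USER_NOT_FOUND; the distinction the customer is asking for is something the server withholds on purpose, and any attempt to recover it from the bind response would reintroduce the account-enumeration leak the answer describes.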