Active Directory Access Authentication using LDAP and Java
Active Directory (AD) stores resources (users, systems such as computers, and other resources) as objects, but this store is hierarchical rather than relational. Many databases let us store objects directly in a relational manner; AD instead is primarily used to store access-related information about resources, and that information is used to grant access to application users, systems and computers, individually or as members of a group. Because AD is a hierarchical database of access information, reading it requires a mechanism different from conventional SQL access. The Lightweight Directory Access Protocol (LDAP) is the protocol used to talk to directory services over TCP/IP. Many Java applications need to authenticate their users against an existing user database held in AD. Here we learn the technique of connecting to AD over LDAP from a Java program, and we explore the features the Java platform provides to help with this job.
Most of what we need to connect to AD lives in the javax.naming.ldap package. The classes in this package encapsulate the LDAP protocol details used to connect to AD and to traverse the directory hierarchy. The important steps required to authenticate a resource with these classes are:
- Create a java.util.Hashtable of the environment attributes required to connect to AD.
- Create an array of implementations of javax.naming.ldap.Control (for example BasicControl, ManageReferralControl or PagedResultsControl).
- Create an LdapContext object from the environment attributes and the control array.
If our simple program needs no controls, the second argument to InitialLdapContext is simply null and the code looks like this:
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    public class LdapContextCreation {

        public static void main(String[] args) {
            LdapContextCreation ldapContxCrtn = new LdapContextCreation();
            LdapContext ctx = ldapContxCrtn.getLdapContext();
            // release the LDAP session as soon as we are done with it
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException nex) {
                    nex.printStackTrace();
                }
            }
        }

        public LdapContext getLdapContext() {
            LdapContext ctx = null;
            try {
                Hashtable<String, String> env = new Hashtable<>();
                env.put(Context.INITIAL_CONTEXT_FACTORY,
                        "com.sun.jndi.ldap.LdapCtxFactory");
                // simple bind: the user name and password are sent to AD for checking
                env.put(Context.SECURITY_AUTHENTICATION, "simple");
                // the principal is what you use for Windows login, e.g. <domain\\userid>;
                // AD also accepts the userPrincipalName form <userid@domain>
                env.put(Context.SECURITY_PRINCIPAL, "Enter user name here");
                env.put(Context.SECURITY_CREDENTIALS, "Password goes here");
                // the following property specifies the ldap protocol and connection url;
                // generally the port is 389
                env.put(Context.PROVIDER_URL, "ldap://xxxxxxxx:389");
                ctx = new InitialLdapContext(env, null);
                System.out.println("Connection Successful.");
            } catch (NamingException nex) {
                System.out.println("LDAP Connection: FAILED");
                nex.printStackTrace();
            }
            return ctx;
        }
    }
Important Points:
1. In the code above, if creating the context object with the given environment parameters throws an exception, no context object is created. Hence the message "Connection Successful." is printed if and only if the connection (that is, the bind with the supplied credentials) succeeded.
2. Using this context object we can retrieve any information we need, even about other users, provided the user used to create the context object has sufficient permissions in AD.
3. If we want to authenticate some other user, however, we have to repeat the steps above with that user's credentials, because the bind is what checks the password.
4. Avoid keeping the connection object open for a long time; the session can be closed with the close() method.
5. The password must be exactly the same as the one set in AD.
6. If you make multiple context-creation attempts with a wrong password, the user may be locked out in AD if the account is configured that way. (Although it is not secure, users are sometimes configured so that the account is not locked even after multiple wrong attempts.)
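The following class, an added example rather than code from the original article, turns points 3 and 4 into a reusable credential check: it builds a fresh context for the user being verified, maps the outcome to a small result type, and always closes the context in a finally block. The host name, port, domain and the use of an ldaps:// URL with Context.SECURITY_PROTOCOL set to "ssl" are assumptions for illustration. It also refuses empty credentials before contacting the directory, because a simple bind with an empty password is treated as an unauthenticated bind (which AD accepts) and would otherwise report success without checking any password.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Added example (not from the original article): verifies one user's
 * credentials against AD with a simple bind and always closes the context.
 */
public class AdCredentialCheck {

    // Assumed values for illustration; replace with your own directory and domain.
    private static final String LDAP_URL = "ldaps://ad.example.internal:636";
    private static final String DOMAIN = "EXAMPLE";

    /** Outcome of one authentication attempt. */
    public enum Result { OK, BAD_CREDENTIALS, DIRECTORY_UNAVAILABLE }

    public static Result authenticate(String userId, char[] password) {
        // An empty password turns the simple bind into an unauthenticated bind,
        // which AD accepts, so it must never reach the directory.
        if (userId == null || userId.isEmpty() || password == null || password.length == 0) {
            return Result.BAD_CREDENTIALS;
        }
        // Backslashes, '@' or commas would change which account the bind refers to.
        if (!userId.matches("[A-Za-z0-9._-]+")) {
            return Result.BAD_CREDENTIALS;
        }

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");          // LDAPS; the JVM trust store must hold the AD CA
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, DOMAIN + "\\" + userId);
        env.put(Context.SECURITY_CREDENTIALS, password);    // the LDAP provider accepts char[] as well as String
        env.put("com.sun.jndi.ldap.connect.timeout", "5000"); // milliseconds; avoid hanging on a dead host
        env.put("com.sun.jndi.ldap.read.timeout", "5000");

        LdapContext ctx = null;
        try {
            ctx = new InitialLdapContext(env, null);        // the bind itself is the password check
            return Result.OK;
        } catch (AuthenticationException e) {
            return Result.BAD_CREDENTIALS;                  // wrong password, unknown or locked account
        } catch (NamingException e) {
            return Result.DIRECTORY_UNAVAILABLE;            // timeout, TLS failure, bad URL, ...
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();                            // point 4: never leave the session open
                } catch (NamingException ignored) {
                    // nothing useful to do on close failure
                }
            }
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: AdCredentialCheck <userId> <password>");
            System.exit(2);
        }
        System.out.println(authenticate(args[0], args[1].toCharArray()));
    }
}
```

Keeping BAD_CREDENTIALS separate from DIRECTORY_UNAVAILABLE matters in practice: the first should be counted against the login attempt (remember point 6 about lockouts), while the second is an infrastructure fault that should be logged and reported as a temporary error rather than as a rejected login.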
Thank you for your article! Its very helpful.
Regards.
Thanks for your wonderful article. It helped me a lot.
Hello,
I've been doing this, but my LDAP authenticates via SSL. I've done this:
env.put(Context.PROVIDER_URL, "ldaps://xxxxxxxx:636");
and
env.put(Context.SECURITY_AUTHENTICATION, "ssl");
but I'm still getting a "connection timed out" error. I'm not sure why I can't connect; I have the correct username and password... I really do hope you can teach me how to troubleshoot/solve this?
Thank you very much!!!
Try this one.
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
Great Article
In the above code you suggest:
Using this context object we can retrieve any information required even for other users, provided the user used to create context object has enough permissions.
Can you list the rights required to create context objects for authenticating other users' credentials?
My application user will accept the user ID and password and validate it against Active Directory, i.e. the logged-in user Mr X should be able to verify the credentials of Y, Z etc.
The statement LdapContextCreation ldapContxCrtn = new LdapContextCreation() cannot be resolved to a type. I am using jdk1.3.1_06 in my environment. Do I need some other external jars for this?
If there is no way with the above example, can you please suggest another one specifically for jdk1.3.1_06?
Appreciate your help.
Regards