Authenticate on LDAP with current user in JNDI/Java

Posted 2019-04-03 01:30

I thought I'd find more about this topic but I didn't.

I have to write a java application that checks which ou a specific user is part of.

But to authenticate with the server I can't ask for username and password and also can't store it in the source (or some other file).

Is there a way with JNDI and Java to authenticate with the user who is currently logged in?

3 answers
我只想做你的唯一
#2 · 2019-04-03 01:40

All you can do is check if there is some user with the same username as the user that is currently logged in to your Java application. You won't be able to check anything else without its password. To do this, you'll need the username and password of some LDAP user that has permission to list other users. Then you can query the LDAP for your user.

This is an example adapted from something I use, it checks against an active directory, so perhaps it will need some changes:

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class UserLookup {

    public static void main(String[] args) throws NamingException {
        // The search account's password should come from a secret store or the
        // environment, not from the source. {USERNAME} is a placeholder the caller
        // replaces; escape the value (RFC 4515) before substituting it, otherwise
        // the username becomes part of the filter syntax.
        boolean userFound = userExists("searchUser",
                "searchPassword",
                "(sAMAccountName={USERNAME})",
                "ldap://ldap.mydomain.com",   // prefer ldaps:// or StartTLS: a simple bind sends the password in clear
                "OU=MYOU,dc=mydomain,dc=com");
        System.out.println("user found: " + userFound);
    }

    private static boolean userExists(String searchUser, String searchPassword,
            String filter, String url, String baseDn) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, searchUser);
        env.put(Context.SECURITY_CREDENTIALS, searchPassword);

        // Creating the context performs the bind as the search account.
        DirContext ctx = new InitialDirContext(env);
        try {
            SearchControls sc = new SearchControls();
            sc.setReturningAttributes(new String[0]);   // only the entry name is needed
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);

            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
            try {
                return results.hasMore();
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }
}
```
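The answer above only tells you whether an entry exists; the question was which OU the user sits in. The following is an added example, not code from the answer, that does the same bind with a service account, escapes the username per RFC 4515 before placing it in the filter (so a value such as `*` or `x)(objectClass=*` cannot widen the search), and returns the DN of the OU that directly contains the matching entry. The class, method and parameter names are mine; the server URL, base DN and the idea that the search account's password is fetched from the environment are assumptions for illustration.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

public class UserOuLookup {

    /** Escape a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Returns the DN of the OU (or other container) that directly holds the
     * user's entry, or null if no entry matches the sAMAccountName.
     */
    static String findUserOu(String url, String baseDn, String searchUser,
                             String searchPassword, String username) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);   // ldaps:// so the simple bind is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, searchUser);
        env.put(Context.SECURITY_CREDENTIALS, searchPassword);

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);   // we only need the entry's DN

        // The username is escaped before it is spliced into the filter.
        String filter = "(sAMAccountName=" + escapeFilterValue(username) + ")";

        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
            try {
                if (!results.hasMore()) {
                    return null;
                }
                // getNameInNamespace() yields the full DN, e.g. CN=bob,OU=MYOU,DC=mydomain,DC=com.
                LdapName dn = new LdapName(results.next().getNameInNamespace());
                // LdapName indexes RDNs right to left, so dropping the last RDN (the CN)
                // leaves the parent container: OU=MYOU,DC=mydomain,DC=com.
                return dn.getPrefix(dn.size() - 1).toString();
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Assumed: the search account's password is supplied via the environment
        // (e.g. injected from a vault), never hard-coded.
        String ou = findUserOu("ldaps://ldap.mydomain.com",
                "DC=mydomain,DC=com",
                "CN=searchUser,OU=Service,DC=mydomain,DC=com",
                System.getenv("LDAP_SEARCH_PASSWORD"),
                System.getProperty("user.name"));   // OS login name of the current user
        System.out.println(ou == null ? "no such user" : "user is in: " + ou);
    }
}
```

JNDI also offers `DirContext.search(String, String, Object[], SearchControls)`, where `{0}` in the filter is replaced by `filterArgs[0]` with the same escaping applied by the provider; the explicit `escapeFilterValue` above is for the case where the filter string is assembled by hand, as in the answer. Note that `System.getProperty("user.name")` is only the OS login name: the directory lookup is still performed under the service account, which is exactly the limitation the answer describes.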
聊天终结者
#3 · 2019-04-03 01:48

If the LDAP client has an existing connection, use either the Who Am I? extended request or the authorization identity request control to determine the authID of an existing connection; LDAP-compliant servers and the UnboundID LDAP SDK will support either method. The Who Am I? extended request can be used at any time on a connection (assuming the authentication identity has permission to use the extended request), but the authorization identity request control can only be attached to a bind request.

The use of the Who Am I? extended request and the authorization identity request control are demonstrated in AuthDemo.java.

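The Who Am I? extended operation mentioned in this answer (RFC 4532, OID 1.3.6.1.4.1.4203.1.11.3) has no built-in wrapper in JNDI, but JNDI lets you send any extended request through `LdapContext.extendedOperation`. The block below is an added example, not the AuthDemo.java referenced above and not the UnboundID SDK: it implements the request and response classes and asks the server which identity the current connection is bound as. The returned authzId is in RFC 4513 form, `dn:<DN>` or `u:<userid>`, and is empty for an anonymous connection. The class names, the server URL and the bind DN are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class WhoAmI {

    /** RFC 4532 "Who am I?" extended request: identified by its OID, carries no request value. */
    static final class WhoAmIRequest implements ExtendedRequest {
        static final String OID = "1.3.6.1.4.1.4203.1.11.3";

        public String getID() { return OID; }

        public byte[] getEncodedValue() { return null; }   // requestValue is absent

        public ExtendedResponse createExtendedResponse(String id, byte[] berValue,
                                                       int offset, int length) {
            // JNDI hands over the content of the responseValue OCTET STRING, which for
            // Who Am I? is simply the UTF-8 authzId. A null/empty value means anonymous.
            byte[] value = new byte[length];
            if (berValue != null) {
                System.arraycopy(berValue, offset, value, 0, length);
            }
            return new WhoAmIResponse(id, value);
        }
    }

    static final class WhoAmIResponse implements ExtendedResponse {
        private final String id;
        private final byte[] value;

        WhoAmIResponse(String id, byte[] value) { this.id = id; this.value = value; }

        public String getID() { return id; }

        public byte[] getEncodedValue() { return value; }

        /** authzId as sent by the server: "dn:..." or "u:...", "" if anonymous. */
        String authzId() { return new String(value, StandardCharsets.UTF_8); }
    }

    /** Asks the server which authorization identity this connection currently has. */
    static String whoAmI(LdapContext ctx) throws NamingException {
        WhoAmIResponse resp = (WhoAmIResponse) ctx.extendedOperation(new WhoAmIRequest());
        return resp.authzId();
    }

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.mydomain.com");   // assumed server
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "CN=bob,OU=MYOU,DC=mydomain,DC=com");   // assumed bind DN
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD"));   // assumed: password from the environment

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            String authzId = whoAmI(ctx);
            if (authzId.isEmpty()) {
                System.out.println("connection is anonymous");
            } else {
                // For a "dn:" result the OU is visible directly in the returned DN.
                System.out.println("bound as: " + authzId);
            }
        } finally {
            ctx.close();
        }
    }
}
```

The server answers for the identity that performed the bind on this connection, so on a connection bound with a service account it reports the service account, not the person logged in to the workstation. It becomes useful for the original question only if the bind itself was done with that person's credentials, for example through a SASL bind, and the server must allow the bound identity to use the extended operation, as the answer notes.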
Luminary・发光体
#4 · 2019-04-03 01:56

Since it seems that there is no real solution to this, I now go with requesting login information at the start of the script/tool and using it when needed.
