Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 862
  • Last Modified:

JNDI authentication question

In my code, pasted below, I can get a list of users and their email addresses. I can paste this class into any code and it would get a list of users in a domain. What I DON'T want is for users to have to instantiate the ADConnection class with a username and password.

Is there a way to impersonate a currently logged on user using JNDI? Is there another way to do this?

public class ADConnection {

      private DirContext ldapContext;

      private String baseName;

      private String serverIP;

      private String user;

      private String passwd;

      public ADConnection(String baseDN, String serverIP, String user,
                  String passwd) {

            this.baseName = baseDN;
            this.serverIP = serverIP;
            this.user = user;
            this.passwd = passwd;

            try {
                  Hashtable ldapEnv = new Hashtable(11);

                  ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
                              "com.sun.jndi.ldap.LdapCtxFactory");
                  ldapEnv.put(Context.PROVIDER_URL, "ldap://" + serverIP + ":389");
                  if (user != null) {
                        ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
                        ldapEnv.put(Context.SECURITY_PRINCIPAL, user);
                        ldapEnv.put(Context.SECURITY_CREDENTIALS, passwd);
                  }
                  ldapContext = new InitialDirContext(ldapEnv);
            } catch (Exception e) {
                  System.out.println(" bind error: " + e);
                  e.printStackTrace();
                  System.exit(-1);
            }
      }

      public NamingEnumeration search() {
            SearchControls ctls = new SearchControls();

            ctls.setReturningObjFlag(true);
            String filter = "(objectclass=*)";
            NamingEnumeration answer = null;
            try {
                  answer = ldapContext.search(baseName, filter, ctls);
            } catch (NamingException e) {
                  e.printStackTrace();
            }
            //printSearchEnumeration(answer);
            return answer;
      }

      public static void printSearchEnumeration(NamingEnumeration enum) {
            try {
                  while (enum.hasMore()) {
                        SearchResult sr = (SearchResult) enum.next();
                        Attributes attrib = sr.getAttributes();

                        System.out.println(sr.getName() + ": " + attrib.get("mail"));
                  }
            } catch (NamingException e) {
                  e.printStackTrace();
            }
      }

      public static void main(String[] args) {
            ADConnection adc = new ADConnection(
                        "ou=Users, ou=My Domain, dc=dc, dc=local", "domainC",
                        "test@dc.local", "Password123");
            NamingEnumeration searchResult;

            searchResult = adc.search();
            printSearchEnumeration(searchResult);
            System.out.println("done");
      }
}
0
thefallguy
Asked:
thefallguy
  • 4
  • 3
1 Solution
 
girionisCommented:
You can certainly get the username of the suer logged in (using the "user.name" property) but you cannot get the password. I am afraid the users will need to enter the password somehow.
0
 
thefallguyAuthor Commented:
Forgive my ignorance, but how do I access the user.name property.

I guess what i was trying to ask is that if there is any way to do this using Kerberos that wouldnt require any password entry.
0
 
girionisCommented:
Just use:

String userName = System.getProperty("user.name");

and it should return the login name of the user currently logged on.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
thefallguyAuthor Commented:
is there  a way to use kerberos to impersonate the user??
0
 
girionisCommented:
I am not sure, sorry, I never used kerberos and not sure how it works. Mayeb the following links will help though:

http://www.doc.ic.ac.uk/csg/faqs/servlets/kerbjava.html
http://www-106.ibm.com/developerworks/java/library/j-gssapi/
http://java.sun.com/products/jndi/saslmechs.html
0
 
thefallguyAuthor Commented:
arite... figured it out... need to use the ntloginmodule.
0
 
girionisCommented:
:)
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now