Posted to api@directory.apache.org by Arvind N <Ar...@citrix.com> on 2010/09/06 15:21:08 UTC

Using LDAPConnection class...

Hi,
   Just downloaded the LDAP client API version 0.1 and wrote a sample program to
connect to an Active Directory, and seem to have hit a weird problem.
The tutorial does not provide much info, so I thought of checking on the list.
Do let me know if I have got the wrong list.

The piece that is failing is 

    LdapConnection connection = new LdapConnection(svrIP, new Integer(svrPort));
    BindRequest request = new BindRequest();
    request.setCredentials(password);
    request.setName("cn=Arvind N");
    BindResponse resp = connection.bind(request);
    LdapResult result = resp.getLdapResult();
    System.out.println("the error message is " + result.getErrorMessage());

For this I always get the error message
** the error message is 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece **
Googled quite a bit to no avail and, to dig deeper, hit Ethereal.
Noticed that in the LDAP protocol extract, the bind request had something like this:
....
DN: cn=Arvind N
.. 

To cross-verify if I had done anything wrong...

I downloaded a Java-based LDAP browser, JXplorer, and provided the same input of
User DN "Arvind N" and the same credentials, and it logged in just fine.
In this login's Ethereal trace I noticed the below difference... and this seems to work always...

....
DN: Arvind N
.....


Other than the above difference I did not notice any other difference in the LDAP packets
between JXplorer (which logged in just fine) and the Apache LDAP Client API (which failed to login)....
Do let me know how I can make the Apache LDAP client API send the DN as plain "DN: Arvind N",
which I think should make the thing work just fine...

If needed I could share both .java files...

Thanks
Arvind
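
The failure quoted in this post carries an Active Directory sub-status after "data". As an added example, not code from the thread or from the Apache Directory project, the class below pulls that hex code out of the diagnostic text and maps it against Microsoft's documented list of simple-bind sub-codes; 525 is "user not found", which is exactly what a bare cn=Arvind N produces because it names no object in the directory. The first message is the one quoted above; the second is constructed to show a different code.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the thread or the Apache Directory project):
 * decode the "data NNN" sub-status that Active Directory appends to the
 * diagnostic message of a failed simple bind (LDAP result 49, invalidCredentials).
 */
public final class AdBindDiagnostic {

    // "... comment: AcceptSecurityContext error, data 525, vece" -> the hex code after "data "
    private static final Pattern DATA_CODE =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    // Microsoft's documented sub-codes for a failed AD bind.
    private static final Map<String, String> SUB_CODES = Map.of(
        "525", "user not found",
        "52e", "invalid credentials",
        "530", "not permitted to logon at this time",
        "531", "not permitted to logon at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "account locked out");

    /** The hex sub-code (lower-cased), or null when the text is not an AD bind diagnostic. */
    public static String extractDataCode(String diagnosticMessage) {
        if (diagnosticMessage == null) {
            return null;
        }
        Matcher m = DATA_CODE.matcher(diagnosticMessage);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    /** Meaning of the sub-code for server-side logs; unknown codes are reported as such. */
    public static String describe(String diagnosticMessage) {
        String code = extractDataCode(diagnosticMessage);
        if (code == null) {
            return "no AD sub-code present";
        }
        return SUB_CODES.getOrDefault(code, "unknown sub-code " + code);
    }

    public static void main(String[] args) {
        // The diagnostic quoted in the thread.
        String fromThread =
            "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece";
        // Constructed variant with a different sub-code.
        String wrongPassword =
            "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece";
        // A non-AD server's diagnostic, for the fall-through path.
        String otherServer = "Invalid credentials";

        for (String msg : new String[] { fromThread, wrongPassword, otherServer }) {
            System.out.println("log: " + describe(msg));
        }
    }
}
```

Keep the decoded meaning in server-side logs only. Because AD distinguishes an unknown user (525) from a wrong password (52e) in this text, an application that echoes the diagnostic to its caller lets anyone enumerate valid account names; the caller should see the same generic failure for every sub-code.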

RE: Using LDAPConnection class...

Posted by Arvind N <Ar...@citrix.com>.
> -----Original Message-----
> From: Emmanuel Lecharny [mailto:elecharny@gmail.com]
> Sent: Monday, September 06, 2010 7:02 PM
> To: api@directory.apache.org
> Subject: Re: Using LDAPConnection class...
> 
>   On 9/6/10 3:21 PM, Arvind N wrote:
> > Hi,
> >     Just downloaded the ldap client api version 0.1 and wrote sample
> program to
> > connect to a Active Directory seem to hit a weird problem.
> > The tutorial does not provide much info so thought of checking in the
> list.
> > Do let me know if I have got the wrong list.
> >
> > The piece that is failing is
> >
> > 			LdapConnection connection = new LdapConnection(svrIP,
> new Integer(svrPort));
> > 			BindRequest request = new BindRequest();
> > 			request.setCredentials(password);
> > 			request.setName("cn=Arvind N");
> > 			BindResponse resp = connection.bind(request);
> > 			LdapResult result = resp.getLdapResult();
> > 			System.out.println("the error message is " +
> result.getErrorMessage());
> >
> > For this I always get an error message
> > ** the error message is 80090308: LdapErr: DSID-0C090334, comment:
> AcceptSecurityContext error, data 525, vece **
> > Googled quite a bit to not avail and to dig deeper hit ethereal.
> > Noticed that in the LDAP protocol extract, the bind request had
> something like this
> > ....
> > DN: cn=Arvind N
> 
> The user name must be the full DN, ie cn=Arvind N,< ... >, where <...>
> is the DN containing your user.
> 
> 

Yes, but in case we do not know the DN and only the value part of an attribute,
shouldn't the API allow me to set the same as what I want and send it in the LDAP packet,
and let the LDAP server assign the default/any key to it and respond accordingly,
which is what JXplorer seems to be doing when I don't provide cn/sAMAccountName/dn etc...?

Note: I am not saying the LDAP API is doing anything wrong, I just noticed the default behavior differs between
 the two products and thought letting the server decide for this use case made more sense...

thanks
Arvind 

Re: Using LDAPConnection class...

Posted by Emmanuel Lecharny <el...@gmail.com>.
  On 9/6/10 3:21 PM, Arvind N wrote:
> Hi,
>     Just downloaded the ldap client api version 0.1 and wrote sample program to
> connect to a Active Directory seem to hit a weird problem.
> The tutorial does not provide much info so thought of checking in the list.
> Do let me know if I have got the wrong list.
>
> The piece that is failing is
>
> 			LdapConnection connection = new LdapConnection(svrIP, new Integer(svrPort));			
> 			BindRequest request = new BindRequest();
> 			request.setCredentials(password);
> 			request.setName("cn=Arvind N");			
> 			BindResponse resp = connection.bind(request);
> 			LdapResult result = resp.getLdapResult();
> 			System.out.println("the error message is " + result.getErrorMessage());	
>
> For this I always get an error message
> ** the error message is 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece **
> Googled quite a bit to not avail and to dig deeper hit ethereal.
> Noticed that in the LDAP protocol extract, the bind request had something like this
> ....
> DN: cn=Arvind N

The user name must be the full DN, i.e. cn=Arvind N,< ... >, where <...> 
is the DN containing your user.


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


RE: Using LDAPConnection class...

Posted by Arvind N <Ar...@citrix.com>.
> -----Original Message-----
> From: ayyagarikiran@gmail.com [mailto:ayyagarikiran@gmail.com] On
> Behalf Of Kiran Ayyagari
> Sent: Monday, September 06, 2010 7:08 PM
> To: api@directory.apache.org
> Subject: Re: Using LDAPConnection class...
> 
> On Mon, Sep 6, 2010 at 6:51 PM, Arvind N <Ar...@citrix.com> wrote:
> > Hi,
> >   Just downloaded the ldap client api version 0.1 and wrote sample
> program to
> > connect to a Active Directory seem to hit a weird problem.
> > The tutorial does not provide much info so thought of checking in the
> list.
> > Do let me know if I have got the wrong list.
> >
> > The piece that is failing is
> >
> >                        LdapConnection connection = new
> LdapConnection(svrIP, new Integer(svrPort));
> >                        BindRequest request = new BindRequest();
> >                        request.setCredentials(password);
> >                        request.setName("cn=Arvind N");
> >                        BindResponse resp = connection.bind(request);
> >                        LdapResult result = resp.getLdapResult();
> >                        System.out.println("the error message is " +
> result.getErrorMessage());
> >
> > For this I always get an error message
> > ** the error message is 80090308: LdapErr: DSID-0C090334, comment:
> AcceptSecurityContext error, data 525, vece **
> > Googled quite a bit to not avail and to dig deeper hit ethereal.
> > Noticed that in the LDAP protocol extract, the bind request had
> something like this
> > ....
> > DN: cn=Arvind N
> > ..
> >
> > To cross verify if I had done anything wrong...
> >
> > I downloaded a java based LDAP browser JXplorer and provided the same
> input of
> > User DN of "Arvind N" and the same credentials and it logged in just
> fine
> > In this login ethereal trace noticed the below difference... and this
> seems to work always...
> >
> > ....
> > DN: Arvind N
> > .....
> >
> >
> > Other then the above difference I did not notice any other difference
> in the LDAP packet
> > between JXplorer(Which logged in just fine) and Apache LDAP Client
> API( failed to login)....
> > Do let me know how can I make Apache LDAP client API to send DN: as
> plain DN: Arvind N,
> > which I think should make the thing work just fine...

> client-api requires the user name in the form of a DN so 'Arvind N'
> cannot be used as it is not a valid DN. JXplorer must be doing some
> behind the scenes work to make it work with AD.

I have the Ethereal trace of both the calls, and the only difference is
in the first call itself, where JXplorer was sending plain "Arvind N"
as the DN, whereas the Apache LDAP client API was forcing me to attach a variable
to "Arvind N" and was putting whatever I was sending as the value of the DN.

~A



RE: Using LDAPConnection class...

Posted by Arvind N <Ar...@citrix.com>.
> -----Original Message-----
> From: mail@stefan-seelmann.de [mailto:mail@stefan-seelmann.de] On
> Behalf Of Stefan Seelmann
> Sent: Monday, September 06, 2010 7:33 PM
> To: api@directory.apache.org
> Subject: Re: Using LDAPConnection class...
> 
> On Mon, Sep 6, 2010 at 3:37 PM, Kiran Ayyagari <ka...@apache.org>
> wrote:
> > On Mon, Sep 6, 2010 at 6:51 PM, Arvind N <Ar...@citrix.com> wrote:
> >> For this I always get an error message
> >> ** the error message is 80090308: LdapErr: DSID-0C090334, comment:
> AcceptSecurityContext error, data 525, vece **
> >> Googled quite a bit to not avail and to dig deeper hit ethereal.
> >> Noticed that in the LDAP protocol extract, the bind request had
> something like this
> >> ....
> >> DN: cn=Arvind N
> >> ..
> >>
> >> To cross verify if I had done anything wrong...
> >>
> >> I downloaded a java based LDAP browser JXplorer and provided the
> same input of
> >> User DN of "Arvind N" and the same credentials and it logged in just
> fine
> >> In this login ethereal trace noticed the below difference... and
> this seems to work always...
> >>
> >> ....
> >> DN: Arvind N
> >> .....
> >>
> >>
> >> Other then the above difference I did not notice any other
> difference in the LDAP packet
> >> between JXplorer(Which logged in just fine) and Apache LDAP Client
> API( failed to login)....
> >> Do let me know how can I make Apache LDAP client API to send DN: as
> plain DN: Arvind N,
> >> which I think should make the thing work just fine...
> > client-api requires the user name in the form of a DN so 'Arvind N'
> > cannot be used as it is not a valid DN. JXplorer must be doing some
> > behind the scenes work to make it work with AD.
> 
> AD accepts either
> - the full DN, that looks typically like "cn=Arvind
> N,cn=Users,dc=MyDomain,dc=com"
> - or the samAccountName and the domain in format "Arvind N@DOMAIN"
> 
> @Arvind:
> Could you try to use the full DN of your user?

Yes, I will try and do that.. as of now I don't know my full DN ... :( 
Just one more bit of info: if I am able to do a JNDI login (Context.SECURITY_PRINCIPAL)
 with "myDomain\arvindn",
would my domain in the DN be like "arvindn@myDomain"? .. sorry, really bad knowledge of 
LDAP in general.. learning slowly... Once I have this thing running I would love to contribute 
the sample code to you guys and maybe you could use it in a HOW-TO / FAQ .. 

> @Emmanuel, Kiran:
> JXplorer makes the same as Apache Directory Studio: It uses JNDI and
> JNDI accepts a non-DN as principal. I think we should allow the same
> for the new API. WDYT?
> 

Yes, this was my point... Just to verify this I wrote a sample program to do direct JNDI as shown below:

    ......
    String user = "myDomain\\arvindn";
    ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, user);
    ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
    ctx.reconnect(connControls);
    System.out.println(user + " is authenticated");

And Context.SECURITY_PRINCIPAL seems to take "domain\username" too as a valid principal, and in the Ethereal trace the LDAP has the DN as
...
DN: myDomain\arvindn
...
And it works like a charm too.... 

HTH
~Arvind

Re: Using LDAPConnection class...

Posted by Emmanuel Lécharny <el...@apache.org>.
  On 9/6/10 7:31 PM, Arvind N wrote:
> So in release after the present 0.1, this is what would be released ??
> And when is it being planned ??

I just sent a mail 2 mins ago about a 0.2.0 release :)
> ~A


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


RE: Using LDAPConnection class...

Posted by Arvind N <Ar...@citrix.com>.
> -----Original Message-----
> From: Emmanuel Lécharny [mailto:elecharny@apache.org]
> Sent: Monday, September 06, 2010 8:20 PM
> To: api@directory.apache.org
> Subject: Re: Using LDAPConnection class...
> 
>   On 9/6/10 4:34 PM, Arvind N wrote:
> >> -----Original Message-----
> >> From: Emmanuel Lecharny [mailto:elecharny@gmail.com]
> >> Sent: Monday, September 06, 2010 7:54 PM
> >> To: api@directory.apache.org
> >> Subject: Re: Using LDAPConnection class...
> >>
> >>    On 9/6/10 4:02 PM, Stefan Seelmann wrote:
> >>> AD accepts either
> >>> - the full DN, that looks typically like "cn=Arvind
> >>> N,cn=Users,dc=MyDomain,dc=com"
> >>> - or the samAccountName and the domain in format "Arvind N@DOMAIN"
> >>>
> >>> @Emmanuel, Kiran:
> >>> JXplorer makes the same as Apache Directory Studio: It uses JNDI
> and
> >>> JNDI accepts a non-DN as principal. I think we should allow the
> same
> >>> for the new API. WDYT?
> >> I wonder if the LDAP API screams if you use "Arvind N@DOMAIN" as a
> >> principal. Blind guess : we expect a DN, and we throw an excpetion
> if
> >> it's not. We can fix that.
> >>
> >> In any case, there is no chance that what Arvin used can work, as
> it's
> >> nor a valid DN  (ie a full DN), nor a samAccountName. I guess that
> >> JExplorer is guessing about the root context to use (ie, it adds
> >> cn=Users, ... to the given DN).
> > @Kiran, Emmanuel, Stefan
> >
> > First of all thanks for the responses..
> >
> > I think JExplorer is letting the LDAP server (AD in this case) decide
> the KEY here.
> > In the ethereal trace I see it just sets the exact string of what I
> have provided without putting a key to it as in
> >
> >
> > Rather does a
> > ...
> > DN: Arvind N
> 
> Makes sense.
> 
> > ...
> >
> > Also once I get the full DN I will try and use the same and verify if
> LDAPConnection works fine..
> > Just checked out the API code to hack more and I see LDAPConnection
> is an interface now :(
> > LDAPNetworkConnection seems to have the magic now .. am I missing
> something ??
> 
> yes, we have split the LdapConnection into two implementations, one
> which is network based, and another one when you embed the server.
> 
> In your case, use the LdapNetworkConnection class.


So in release after the present 0.1, this is what would be released ?? 
And when is it being planned ?? 

~A

Re: Using LDAPConnection class...

Posted by Emmanuel Lécharny <el...@apache.org>.
  On 9/6/10 4:34 PM, Arvind N wrote:
>> -----Original Message-----
>> From: Emmanuel Lecharny [mailto:elecharny@gmail.com]
>> Sent: Monday, September 06, 2010 7:54 PM
>> To: api@directory.apache.org
>> Subject: Re: Using LDAPConnection class...
>>
>>    On 9/6/10 4:02 PM, Stefan Seelmann wrote:
>>> AD accepts either
>>> - the full DN, that looks typically like "cn=Arvind
>>> N,cn=Users,dc=MyDomain,dc=com"
>>> - or the samAccountName and the domain in format "Arvind N@DOMAIN"
>>>
>>> @Emmanuel, Kiran:
>>> JXplorer makes the same as Apache Directory Studio: It uses JNDI and
>>> JNDI accepts a non-DN as principal. I think we should allow the same
>>> for the new API. WDYT?
>> I wonder if the LDAP API screams if you use "Arvind N@DOMAIN" as a
>> principal. Blind guess : we expect a DN, and we throw an excpetion if
>> it's not. We can fix that.
>>
>> In any case, there is no chance that what Arvin used can work, as it's
>> nor a valid DN  (ie a full DN), nor a samAccountName. I guess that
>> JExplorer is guessing about the root context to use (ie, it adds
>> cn=Users, ... to the given DN).
> @Kiran, Emmanuel, Stefan
>
> First of all thanks for the responses..
>
> I think JExplorer is letting the LDAP server (AD in this case) decide the KEY here.
> In the ethereal trace I see it just sets the exact string of what I have provided without putting a key to it as in
>
>
> Rather does a
> ...
> DN: Arvind N

Makes sense.

> ...
>
> Also once I get the full DN I will try and use the same and verify if LDAPConnection works fine..
> Just checked out the API code to hack more and I see LDAPConnection is an interface now :(
> LDAPNetworkConnection seems to have the magic now .. am I missing something ??

yes, we have split the LdapConnection into two implementations, one 
which is network based, and another one when you embed the server.

In your case, use the LdapNetworkConnection class.

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


RE: Using LDAPConnection class...

Posted by Arvind N <Ar...@citrix.com>.
> -----Original Message-----
> From: Emmanuel Lecharny [mailto:elecharny@gmail.com]
> Sent: Monday, September 06, 2010 7:54 PM
> To: api@directory.apache.org
> Subject: Re: Using LDAPConnection class...
> 
>   On 9/6/10 4:02 PM, Stefan Seelmann wrote:
> > AD accepts either
> > - the full DN, that looks typically like "cn=Arvind
> > N,cn=Users,dc=MyDomain,dc=com"
> > - or the samAccountName and the domain in format "Arvind N@DOMAIN"
> >
> > @Emmanuel, Kiran:
> > JXplorer makes the same as Apache Directory Studio: It uses JNDI and
> > JNDI accepts a non-DN as principal. I think we should allow the same
> > for the new API. WDYT?
> I wonder if the LDAP API screams if you use "Arvind N@DOMAIN" as a
> principal. Blind guess : we expect a DN, and we throw an excpetion if
> it's not. We can fix that.
> 
> In any case, there is no chance that what Arvin used can work, as it's
> nor a valid DN  (ie a full DN), nor a samAccountName. I guess that
> JExplorer is guessing about the root context to use (ie, it adds
> cn=Users, ... to the given DN).

@Kiran, Emmanuel, Stefan

First of all thanks for the responses..

I think JXplorer is letting the LDAP server (AD in this case) decide the KEY here.
In the Ethereal trace I see it just sets the exact string of what I have provided without putting a key to it, as in:

He does not do a 
...
DN: cn=Arvind N
..

Rather does a 
... 
DN: Arvind N
...

Also, once I get the full DN I will try and use the same and verify if LDAPConnection works fine.. 
Just checked out the API code to hack more and I see LDAPConnection is an interface now :( 
LDAPNetworkConnection seems to have the magic now .. am I missing something??

Thanks
~Arvind


Re: Using LDAPConnection class...

Posted by Emmanuel Lecharny <el...@gmail.com>.
  On 9/6/10 4:02 PM, Stefan Seelmann wrote:
> AD accepts either
> - the full DN, that looks typically like "cn=Arvind
> N,cn=Users,dc=MyDomain,dc=com"
> - or the samAccountName and the domain in format "Arvind N@DOMAIN"
>
> @Emmanuel, Kiran:
> JXplorer makes the same as Apache Directory Studio: It uses JNDI and
> JNDI accepts a non-DN as principal. I think we should allow the same
> for the new API. WDYT?
I wonder if the LDAP API screams if you use "Arvind N@DOMAIN" as a 
principal. Blind guess: we expect a DN, and we throw an exception if 
it's not. We can fix that.

In any case, there is no chance that what Arvind used can work, as it's 
neither a valid DN (i.e. a full DN) nor a sAMAccountName. I guess that 
JXplorer is guessing about the root context to use (i.e., it adds 
cn=Users, ... to the given DN).



-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


Re: Using LDAPConnection class...

Posted by Stefan Seelmann <se...@apache.org>.
On Mon, Sep 6, 2010 at 3:37 PM, Kiran Ayyagari <ka...@apache.org> wrote:
> On Mon, Sep 6, 2010 at 6:51 PM, Arvind N <Ar...@citrix.com> wrote:
>> For this I always get an error message
>> ** the error message is 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece **
>> Googled quite a bit to not avail and to dig deeper hit ethereal.
>> Noticed that in the LDAP protocol extract, the bind request had something like this
>> ....
>> DN: cn=Arvind N
>> ..
>>
>> To cross verify if I had done anything wrong...
>>
>> I downloaded a java based LDAP browser JXplorer and provided the same input of
>> User DN of "Arvind N" and the same credentials and it logged in just fine
>> In this login ethereal trace noticed the below difference... and this seems to work always...
>>
>> ....
>> DN: Arvind N
>> .....
>>
>>
>> Other then the above difference I did not notice any other difference in the LDAP packet
>> between JXplorer(Which logged in just fine) and Apache LDAP Client API( failed to login)....
>> Do let me know how can I make Apache LDAP client API to send DN: as plain DN: Arvind N,
>> which I think should make the thing work just fine...
> client-api requires the user name in the form of a DN so 'Arvind N'
> cannot be used as it is not a valid DN. JXplorer must be doing some
> behind the scenes work to make it work with AD.

AD accepts either
- the full DN, which typically looks like "cn=Arvind N,cn=Users,dc=MyDomain,dc=com"
- or the sAMAccountName and the domain in the format "Arvind N@DOMAIN"

@Arvind:
Could you try to use the full DN of your user?

@Emmanuel, Kiran:
JXplorer does the same as Apache Directory Studio: it uses JNDI, and
JNDI accepts a non-DN as principal. I think we should allow the same
for the new API. WDYT?

Kind Regards,
Stefan
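
The two bind-name forms Stefan lists here, plus the "DOMAIN\user" form Arvind later confirmed works through JNDI, as an added example that is not part of this mail or of the project's code. It uses the package and class names of the released Apache Directory LDAP API (LdapNetworkConnection, BindRequestImpl, LdapResult.getDiagnosticMessage()), which differ from the 0.1 snapshot discussed on the list; the host, domain and account names are placeholders.

```java
import java.io.IOException;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.BindRequest;
import org.apache.directory.api.ldap.model.message.BindRequestImpl;
import org.apache.directory.api.ldap.model.message.BindResponse;
import org.apache.directory.api.ldap.model.message.LdapResult;
import org.apache.directory.api.ldap.model.message.ResultCodeEnum;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Added example, not from the thread or the Apache Directory project.
 * Package and class names are those of the released LDAP API (1.x/2.x);
 * the 0.1 snapshot discussed on the list used other packages and its
 * BindRequest.setName() only took a parsable DN.
 */
public final class AdSimpleBind {

    /** Result of one simple bind: the LDAP result code plus the server's diagnostic text. */
    public static final class Outcome {
        public final ResultCodeEnum code;
        public final String diagnostic;

        Outcome(ResultCodeEnum code, String diagnostic) {
            this.code = code;
            this.diagnostic = diagnostic;
        }

        public boolean ok() {
            return code == ResultCodeEnum.SUCCESS;
        }
    }

    /**
     * Simple bind over LDAPS. Active Directory accepts the bind name as
     *   a full DN    "CN=Arvind N,CN=Users,DC=mydomain,DC=com"
     *   a UPN        "arvindn@mydomain.com"
     *   NT-style     "MYDOMAIN\\arvindn"
     * A bare "cn=Arvind N" or "Arvind N" is none of these, and AD answers
     * invalidCredentials with sub-code 525 (user not found).
     */
    public static Outcome simpleBind(String host, int port, String bindName, String password)
            throws LdapException, IOException {
        // RFC 4513 5.1.2: a name with an empty password is an "unauthenticated" bind, which
        // Active Directory accepts by default. Reject it here so it never reaches the server.
        if (password == null || password.isEmpty()) {
            throw new IllegalArgumentException("empty password would be an unauthenticated bind");
        }

        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setUseSsl(true); // simple bind sends the password in clear text; only do it under TLS

        try (LdapNetworkConnection connection = new LdapNetworkConnection(config)) {
            BindRequest request = new BindRequestImpl();
            request.setSimple(true);
            request.setName(bindName);        // a String in 1.x/2.x; 0.1 required a DN object
            request.setCredentials(password);

            BindResponse response = connection.bind(request);
            LdapResult result = response.getLdapResult();
            return new Outcome(result.getResultCode(), result.getDiagnosticMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host and account; the password comes from the command line.
        String host = "dc01.mydomain.com";
        String password = args.length > 0 ? args[0] : "";
        String[] names = {
            "CN=Arvind N,CN=Users,DC=mydomain,DC=com",  // full DN
            "arvindn@mydomain.com",                      // userPrincipalName
            "MYDOMAIN\\arvindn",                         // NT-style, as in the JNDI test
            "cn=Arvind N"                                // the form from the thread; not a full DN
        };
        for (String name : names) {
            Outcome o = simpleBind(host, 636, name, password);
            System.out.println(name + " -> " + o.code + (o.ok() ? "" : " : " + o.diagnostic));
        }
    }
}
```

The UPN and NT-style forms are resolved by AD itself, so the client does not need to search for the user's DN first; the trade-off is that they only work against AD, while the full-DN form is what every LDAP server understands.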

Re: Using LDAPConnection class...

Posted by Kiran Ayyagari <ka...@apache.org>.
On Mon, Sep 6, 2010 at 6:51 PM, Arvind N <Ar...@citrix.com> wrote:
> Hi,
>   Just downloaded the ldap client api version 0.1 and wrote sample program to
> connect to a Active Directory seem to hit a weird problem.
> The tutorial does not provide much info so thought of checking in the list.
> Do let me know if I have got the wrong list.
>
> The piece that is failing is
>
>                        LdapConnection connection = new LdapConnection(svrIP, new Integer(svrPort));
>                        BindRequest request = new BindRequest();
>                        request.setCredentials(password);
>                        request.setName("cn=Arvind N");
>                        BindResponse resp = connection.bind(request);
>                        LdapResult result = resp.getLdapResult();
>                        System.out.println("the error message is " + result.getErrorMessage());
>
> For this I always get an error message
> ** the error message is 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece **
> Googled quite a bit to not avail and to dig deeper hit ethereal.
> Noticed that in the LDAP protocol extract, the bind request had something like this
> ....
> DN: cn=Arvind N
> ..
>
> To cross verify if I had done anything wrong...
>
> I downloaded a java based LDAP browser JXplorer and provided the same input of
> User DN of "Arvind N" and the same credentials and it logged in just fine
> In this login ethereal trace noticed the below difference... and this seems to work always...
>
> ....
> DN: Arvind N
> .....
>
>
> Other then the above difference I did not notice any other difference in the LDAP packet
> between JXplorer(Which logged in just fine) and Apache LDAP Client API( failed to login)....
> Do let me know how can I make Apache LDAP client API to send DN: as plain DN: Arvind N,
> which I think should make the thing work just fine...
The client-api requires the user name in the form of a DN, so 'Arvind N'
cannot be used as it is not a valid DN. JXplorer must be doing some
behind-the-scenes work to make it work with AD.


Kiran Ayyagari