Java : ADS Connectivity Example

Recently, I had to implement functionality to authenticate and authorize users against ADS (Active Directory). This post describes my experience with it and shares some code snippets as well. The code is shared on GitHub.

Business Requirement:

  1. Users enter their domain credentials, and these must be authenticated against ADS.
  2. The code must then check whether the entered username is a member of a particular group within ADS.
  3. If the user is a member of that group, they are authorized to view the application; otherwise they are not.

Ldap_Ads_Connectivity

Solution

I had to implement this in Java, and the internet links I studied suggested that the code is basic and can be accomplished with the standard Java API (JNDI). You start by writing code that connects to ADS with the username and password entered by the user, whether from a mobile app, a web page or any other input. Most of the properties you will find in the code are self-explanatory, except for the following one:

properties.put(Context.SECURITY_PRINCIPAL, domain + "\\" + userName);

Setting the correct value for the above property was a task for me, and it can be for anyone who does not understand how ADS works.
In my view there is nothing wrong with that; to me ADS is a service provider.
I am a developer who cannot fully understand every system I interact with.
To set this property, get in touch with your ADS administrator, who will tell you how the principal should be specified for your domain.
Further, do not be misled by the AuthenticationException with error code 49 saying that invalid credentials were entered:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1

There is a high possibility that you have not set the correct value for this property: your code is sending the correct credentials, but it is trying to authenticate against an incorrect domain (the data 52e in the message only tells you the bind was rejected, not why).
I struggled for some time before I found the solution, which is simply to form the value like this:
String securityPrincipalVal = domainName + "\\" + userName;
// Example: ads\allzhere

The above details how authentication can be performed. The complete code base is at the GitHub link.
Once authenticated, our next challenge is to check the user's group membership.
In order to do so, we need to query ADS.
When we query ADS, we set a search filter on which the search will be performed.
We also specify the names of the attributes that we want to fetch for the matched results.
To set the properties mentioned above, it is advisable to get in touch with your ADS admin.
// Setting the attributes that we want to retrieve
private String[] returnAttributes = { "sAMAccountName", "givenName", "mail", "memberOf", "displayName", "userAccountControl" };

// Setting the search criteria. In my case it is the username.
// userName must be escaped per RFC 4515 before it is concatenated into the filter;
// otherwise characters such as '*', '(' and ')' typed by the user change the query.
String searchFilter = "(&(sAMAccountName=" + userName + "))";

// Running the query. The first parameter (the search base) can be supplied by the ADS admin.
dirContext.search("DC=ads,DC=allzhere,DC=org", searchFilter, searchCtls);

Once you run the query, iterate through the results and read the attribute "memberOf". It is multi-valued, holding one group DN per value, so calling get() on it would return only the first group the user belongs to.
Attribute memberOf = attributesList.get("memberOf");

Now, run the following code to check whether the user is a member of the group. Each value is compared against the full group DN rather than by substring, so a group whose name merely contains the expected name is not accepted.
if (memberOf != null) {
    for (NamingEnumeration<?> groups = memberOf.getAll(); groups.hasMore(); ) {
        if ("<ACCESS_CONTROL_GROUP_DN>".equalsIgnoreCase(groups.next().toString())) isAuthorized = true;
    }
}

And this is how you can perform a search on ADS and check for authorization.
The complete code example is on GitHub.
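The whole flow described above, bind as the user and then check group membership, put together as an added example; it is not code from the original post or its GitHub repository. The LDAPS URL, domain, search base and group DN are assumed placeholders to be replaced with what your ADS admin provides. Beyond the snippets above it escapes the username per RFC 4515 before building the filter, refuses an empty password (which would turn the simple bind into an anonymous bind), and compares each memberOf value against the whole group DN.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class AdsAuthorizer {
    // Assumed values: get the real URL, domain, search base and group DN from your ADS administrator.
    static final String LDAP_URL    = "ldaps://ads.allzhere.org:636";
    static final String DOMAIN      = "ads";
    static final String SEARCH_BASE = "DC=ads,DC=allzhere,DC=org";
    static final String GROUP_DN    = "CN=AppUsers,OU=Groups,DC=ads,DC=allzhere,DC=org";
    // RFC 4515 escaping so characters typed into the username cannot change the filter's meaning.
    static String escapeFilter(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            String esc = c == '\\' ? "\\5c" : c == '*' ? "\\2a" : c == '(' ? "\\28"
                       : c == ')' ? "\\29" : c == '\0' ? "\\00" : null;
            if (esc != null) sb.append(esc); else sb.append(c);
        }
        return sb.toString();
    }
    static boolean isAuthorized(String userName, String password) throws NamingException {
        // An empty password turns a simple bind into an anonymous bind, which would "succeed".
        if (userName == null || userName.isEmpty() || password == null || password.isEmpty()) return false;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, DOMAIN + "\\" + userName); // e.g. ads\allzhere
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env); // throws AuthenticationException (error code 49) on bad credentials
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            ctls.setReturningAttributes(new String[] { "memberOf" });
            String filter = "(&(objectClass=user)(sAMAccountName=" + escapeFilter(userName) + "))";
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, filter, ctls);
            while (results.hasMore()) {
                Attribute memberOf = results.next().getAttributes().get("memberOf");
                if (memberOf == null) continue; // memberOf lists direct group membership only
                for (NamingEnumeration<?> groups = memberOf.getAll(); groups.hasMore(); ) {
                    if (GROUP_DN.equalsIgnoreCase(groups.next().toString())) return true; // whole-DN match
                }
            }
            return false;
        } finally {
            ctx.close();
        }
    }
}
```

Because memberOf holds only direct memberships, a user who is in the group via a nested group will not be authorized by this check.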

Basically, this example can be found through many Google searches, and you may well have landed on this page from a link on another site. I listed it here to share my experience with it.
