directory-api mailing list archives

From Arvind N <Arvin...@citrix.com>
Subject RE: Using LDAPConnection class...
Date Mon, 06 Sep 2010 14:26:23 GMT
> -----Original Message-----
> From: mail@stefan-seelmann.de [mailto:mail@stefan-seelmann.de] On
> Behalf Of Stefan Seelmann
> Sent: Monday, September 06, 2010 7:33 PM
> To: api@directory.apache.org
> Subject: Re: Using LDAPConnection class...
> 
> On Mon, Sep 6, 2010 at 3:37 PM, Kiran Ayyagari <kayyagari@apache.org>
> wrote:
> > On Mon, Sep 6, 2010 at 6:51 PM, Arvind N <Arvind.N@citrix.com> wrote:
> >> For this I always get an error message
> >> ** the error message is 80090308: LdapErr: DSID-0C090334, comment:
> >> AcceptSecurityContext error, data 525, vece **
> >> Googled quite a bit to no avail and to dig deeper hit ethereal.
> >> Noticed that in the LDAP protocol extract, the bind request had
> >> something like this
> >> ....
> >> DN: cn=Arvind N
> >> ..
> >>
> >> To cross verify if I had done anything wrong...
> >>
> >> I downloaded a java based LDAP browser JXplorer and provided the
> >> same input of User DN of "Arvind N" and the same credentials and it
> >> logged in just fine.
> >> In this login ethereal trace noticed the below difference... and
> >> this seems to work always...
> >>
> >> ....
> >> DN: Arvind N
> >> .....
> >>
> >>
> >> Other than the above difference I did not notice any other
> >> difference in the LDAP packet between JXplorer (which logged in just
> >> fine) and Apache LDAP Client API (failed to login)....
> >> Do let me know how I can make Apache LDAP client API send DN: as
> >> plain DN: Arvind N,
> >> which I think should make the thing work just fine...
> > client-api requires the user name in the form of a DN so 'Arvind N'
> > cannot be used as it is not a valid DN. JXplorer must be doing some
> > behind the scenes work to make it work with AD.
> 
> AD accepts either
> - the full DN, that typically looks like
>   "cn=Arvind N,cn=Users,dc=MyDomain,dc=com"
> - or the samAccountName and the domain in the format "Arvind N@DOMAIN"
> 
> @Arvind:
> Could you try to use the full DN of your user?

Yes I will try and do that.. as of now I don't know my full DN ... :(
Just one more piece of info: if I am able to do a JNDI login (Context.SECURITY_PRINCIPAL)
with "myDomain\arvindn", would my domain in the DN be like "arvindn@myDomain"? .. sorry,
really bad knowledge of LDAP in general.. learning slowly... Once I have this thing running
I would love to contribute the sample code to you guys and maybe you could use it in a
HOW-TO / FAQ ..

> @Emmanuel, Kiran:
> JXplorer makes the same as Apache Directory Studio: It uses JNDI and
> JNDI accepts a non-DN as principal. I think we should allow the same
> for the new API. WDYT?
> 

Yes this was my point... Just to verify this I wrote a sample program to do direct JNDI as
shown below 
    ......
    String user = "myDomain\\arvindn";
    // JNDI takes the "domain\user" form as the principal, not only a DN
    ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, user);
    ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
    // re-bind the existing LdapContext with the new principal/credentials
    ctx.reconnect(connControls);
    System.out.println(user + " is authenticated");

And Context.SECURITY_PRINCIPAL seems to take "domain\username" too as a valid principal, and
in the ethereal trace the LDAP bind has the DN as
...
DN: myDomain\arvindn
...
And it works like charm too.... 

HTH
~Arvind
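As an added illustration of the three bind-name forms discussed in this thread (this is not code from the thread, from JNDI or from the Apache LDAP API): a small Python checker that tells a DN from a UPN or a domain\user principal, reports which bind path in the thread accepts each, and decodes the "data" sub-code of the AD error quoted above. The principal forms, the DN-only rule of the client-api and the 525 code come from the thread; the other AD sub-codes are standard AD bind diagnostics added here, and all function names are assumed.

```python
import re

# AD appends a "data NNN" sub-code to a failed simple bind; the thread's
# message reads "... AcceptSecurityContext error, data 525 ...".
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "532": "password expired",
    "533": "account disabled",
    "773": "user must reset password",
    "775": "account locked out",
}
# RFC 4514 attribute type: a descriptor such as "cn" or a dotted numeric OID.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")

def _split_unescaped(s, sep):
    """Split on `sep` unless it is backslash-escaped (e.g. 'cn=Smith\\, John')."""
    return re.split(r"(?<!\\)" + re.escape(sep), s)

def classify_principal(name):
    """Return 'dn', 'upn', 'domain\\user' or 'invalid' for a bind name."""
    s = name.strip()
    if re.fullmatch(r"[^\\@=,]+\\[^\\@=,]+", s):  # myDomain\arvindn (NetBIOS form)
        return "domain\\user"
    if re.fullmatch(r"[^\\@=,]+@[^\\@=,]+", s):   # arvindn@myDomain (UPN form)
        return "upn"
    # A DN is RDNs separated by ',', each one or more 'type=value' joined by '+'.
    for rdn in _split_unescaped(s, ","):
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, _value = ava.partition("=")
            if not eq or not _ATTR_TYPE.match(attr.strip()):
                return "invalid"  # "Arvind N" lands here: no type=value pair
    return "dn"

def bind_name_report(name):
    """Which bind paths from the thread accept this name: DN-only API vs AD."""
    form = classify_principal(name)
    return {
        "form": form,
        "dn_only_api_accepts": form == "dn",
        "ad_simple_bind_accepts": form in ("dn", "upn", "domain\\user"),
    }

def decode_ad_bind_error(message):
    """Map the 'data NNN' sub-code of an AD bind error to its meaning."""
    m = re.search(r"\bdata ([0-9a-fA-F]{3})\b", message)
    return AD_BIND_DATA_CODES.get(m.group(1).lower(), "unknown") if m else "no data code"
```

Decoding the sub-code is useful in server-side diagnostics; the decoded reason should not be echoed back to an end user, since it distinguishes an unknown account from a wrong password.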