Before that, luckily, I had to get hold of the following code to validate a user, from Java, against an Active Directory on a Windows Server 2003. Actually, in my environment I don't know whether it is a 2003 or a 2008, but it works perfectly. I leave here the version of the code that I use in my Index.java (see the post "Acceso seguro a nuestra aplicación con Tapestry y Tomcat 6. Perfilado de páginas") and, below it, the explanation the user offered:
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// Verifies a user's credentials with a simple LDAP bind against Active Directory,
// sending the Fast Bind connection control with the bind. Returns true only when the
// bind succeeds; an AuthenticationException (bad user or password) yields false, and
// any other NamingException (server unreachable, control rejected) propagates so the
// caller cannot mistake an outage for a rejected login.
private boolean validarEnElLdap(String usuario, String clave) throws NamingException {
    // A simple bind with an empty password is an anonymous bind (RFC 4513, 5.1.2) and AD
    // answers it with success, so without this check any username "validates" with "".
    if (usuario == null || usuario.length() == 0 || clave == null || clave.length() == 0) {
        return false;
    }
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    // A simple bind sends the password in clear text: use ldaps:// (port 636) outside a lab.
    env.put(Context.PROVIDER_URL, "ldap://servidor_ldap:puerto_ldap");
    // AD accepts the principal as user@domain (UPN), DOMAIN\user or a full DN.
    env.put(Context.SECURITY_PRINCIPAL, usuario);
    env.put(Context.SECURITY_CREDENTIALS, clave);
    // Connection controls travel with the bind request itself.
    Control[] connCtls = new Control[] { new FastBindConnectionControl() };
    LdapContext ctx = null;
    try {
        ctx = new InitialLdapContext(env, connCtls);
        return true;
    } catch (AuthenticationException ignorada) {
        return false;
    } finally {
        if (ctx != null) {
            ctx.close();
        }
    }
}

// LDAP_SERVER_FAST_BIND_OID: the control carries no value and is marked critical, so a
// server that does not support it rejects the bind instead of silently doing a full one.
class FastBindConnectionControl implements Control {
    private static final long serialVersionUID = 1L;
    public byte[] getEncodedValue() { return null; }
    public String getID() { return "1.2.840.113556.1.4.1781"; }
    public boolean isCritical() { return true; }
}
Here is the explanation, by the user "adler_steven" of the Sun forums, dated 11 April 2006.
Many developers attempt to use LDAP Directories as an authentication service. While LDAP is a directory protocol primarily designed to search, add, delete and modify entries stored in the directory, implicit in the protocol is the ability to authenticate LDAP connections using a variety of authentication mechanisms.
For example, Active Directory supports simple (clear text), HTTP-DIGEST, X.509 client certificates and Kerberos (via GSS-API). For details of these mechanisms, refer to other postings in this forum: JNDI, Active Directory and Authentication (parts 1-4).
When using an LDAP directory as a simple authentication service, the typical approach is to gather a user's credentials (username and password) and verify these against the username and password values stored in the directory.
For obvious security reasons, Active Directory does not permit read operations against the Windows password attribute (unicodePassword), thereby preventing an attacker from retrieving the password and attempting to crack it offline. Therefore the only way to verify a user's credentials is to actually perform an LDAP bind.
Ordinarily, when Active Directory authenticates a user, it assembles all of the authorization data and builds a Windows security token containing all of the user's security identifiers (group membership, privileges etc.). While this is appropriate for authenticating users into a Windows network, it may incur additional performance overhead and may not be appropriate for many intranet or extranet application scenarios, where all that is required is a simple verification of a user's name and password.
In order to support this simple scenario, Windows Server 2003 introduced an LDAP connection control that does not incur the overhead of assembling all of the user's Windows authorization information during the LDAP bind operation. This control is described at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_fast_bind_oid.asp
To use the Active Directory LDAP Fast Bind control in Java and JNDI, simply request the control during the connection request. In this example of the server side of the application, the LdapContext is initialized with the connection control, and subsequent authentication checks are performed by invoking the Context.reconnect method.
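The pattern the forum post describes (one connection switched into fast-bind mode, then a re-bind per login attempt with reconnect) differs from the per-login connection in the Index.java code above. The following is an added example written for this page, not code from the original post or from adler_steven; it assumes a domain controller reachable at a placeholder LDAPS URL, a UPN suffix such as example.local, and the sample credentials given on the command line. It also guards against the empty-password anonymous bind that a simple LDAP bind otherwise accepts.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// Added example: one LDAPS connection is put into AD fast-bind mode once, and every
// login attempt is then checked with LdapContext.reconnect() on that same connection.
// Host name, UPN suffix and credentials are assumptions supplied by the caller.
public class FastBindAuthenticator implements AutoCloseable {

    // LDAP_SERVER_FAST_BIND_OID: no value, critical so a server that cannot honour it
    // fails the bind instead of silently performing a full bind.
    private static final Control[] FAST_BIND = new Control[] { new Control() {
        private static final long serialVersionUID = 1L;
        public byte[] getEncodedValue() { return null; }
        public String getID() { return "1.2.840.113556.1.4.1781"; }
        public boolean isCritical() { return Control.CRITICAL; }
    } };

    private final LdapContext ctx;
    private final String upnSuffix;

    // Opens the connection and switches it into fast-bind mode with an anonymous
    // bind that carries the control (no principal or credentials are set yet).
    public FastBindAuthenticator(String ldapsUrl, String upnSuffix) throws NamingException {
        this.upnSuffix = upnSuffix;
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);            // ldaps://: simple bind sends the password in clear text
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // fast bind only supports simple binds
        this.ctx = new InitialLdapContext(env, FAST_BIND);
    }

    // Returns true only when AD accepts a simple bind as user@suffix with this password.
    // AuthenticationException (wrong user or password, disabled or locked account) gives
    // false; any other NamingException (connection lost, control rejected) propagates so
    // that an outage is never reported as "invalid credentials".
    public boolean authenticate(String user, String password) throws NamingException {
        // A simple bind with an empty password is an anonymous bind (RFC 4513, 5.1.2) and
        // AD answers it with success: without this guard any username "logs in" with "".
        if (user == null || user.trim().length() == 0 || password == null || password.length() == 0) {
            return false;
        }
        // Keep the principal in UPN form under our control; '@' or '\' in the user name
        // would let the caller choose a different principal syntax.
        if (user.indexOf('@') >= 0 || user.indexOf('\\') >= 0) {
            return false;
        }
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, user + "@" + upnSuffix);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        try {
            // Re-bind on the already open, fast-bind-mode connection, as in the forum post.
            ctx.reconnect(FAST_BIND);
            return true;
        } catch (AuthenticationException rejected) {
            return false;
        } finally {
            // Do not leave the password sitting in the context environment.
            ctx.removeFromEnvironment(Context.SECURITY_CREDENTIALS);
        }
    }

    public void close() throws NamingException {
        ctx.close();
    }

    // Usage (placeholder values): java FastBindAuthenticator ldaps://dc01.example.local:636 example.local alice s3cret
    public static void main(String[] args) throws NamingException {
        String url = args[0], suffix = args[1], user = args[2], password = args[3];
        try (FastBindAuthenticator auth = new FastBindAuthenticator(url, suffix)) {
            System.out.println(user + ": " + (auth.authenticate(user, password) ? "accepted" : "rejected"));
            // A wrong password is sent to the server again over the same connection;
            // the empty password is refused locally before any bind is attempted.
            System.out.println("wrong password accepted: " + auth.authenticate(user, password + "x"));
            System.out.println("empty password accepted: " + auth.authenticate(user, ""));
        }
    }
}
```

Because the first bind is anonymous and later binds reuse the connection, this object is not safe to share between threads without external locking; one instance per worker, or a small pool, is the usual arrangement in a servlet container such as Tomcat.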