I have a problem while connecting to an Active Directory via LDAP using plain Java.

If the displayName begins with a comma (e.g. ", name") I get a javax.naming.AuthenticationException. The displayName is never used in the application. The Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS which I use don't contain any commas.

Can somebody explain this behaviour to me?

Some Stack:

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3100)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3046)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2848)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2762)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:329)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:206)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:224)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:167)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:97)

Test-Client (just replace the placeholders):

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapClient {

    public static void main( String[] args ) {

        // URL to Active Directory (placeholder, replace before running)
        String ldapContextUrl = "###URL###";
        // Login: bind DN or user principal name (placeholder)
        String ldapContextUserDn = "###USER###";
        // Password (placeholder)
        String ldapContextPassword = "###PASSWORD###";

        Hashtable<String, String> environment = new Hashtable<String, String>();

        environment.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
        environment.put( Context.SECURITY_AUTHENTICATION, "simple" );
        environment.put( Context.STATE_FACTORIES, "PersonStateFactory" );
        environment.put( Context.OBJECT_FACTORIES, "PersonObjectFactory" );

        environment.put( Context.PROVIDER_URL, ldapContextUrl );
        environment.put( Context.SECURITY_PRINCIPAL, ldapContextUserDn );
        environment.put( Context.SECURITY_CREDENTIALS, ldapContextPassword );

        DirContext ctx = null;
        try {
            // Error occurs here: the bind request is sent from the constructor
            ctx = new InitialDirContext( environment );
        } catch( NamingException e ) {
            e.printStackTrace();
        } finally {
            // release the connection if the bind succeeded
            if( ctx != null ) {
                try { ctx.close(); } catch( NamingException ignored ) { }
            }
        }
    }
}

Please don't say: "Don't use a displayName like this." I am just interested in why the application behaves as described above. Is it a bug, a feature or something in between?

You can also reproduce this problem by using Apache Directory Studio or WebSphere Application Server (security configured against LDAP). So the problem seems to be JVM-independent. Oracle and IBM behave similarly.

Thanks in advance!

  • In "out-of-the-box" AD would create the entry with the DN as: ", name,...,dc=example,dc=domain". I would imagine that the issue is that you have a DN with a comma. Commas must be escaped within a DN. Commented Jun 3, 2015 at 17:52
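The commenter's point about escaping, shown in working Java. This is an added example, not code from the question or from the commenter: it applies the RFC 4514 rules for attribute values inside a DN (backslash before `, + " \ < > ;`, before a leading space or `#`, and before a trailing space), then uses JNDI's own `LdapName` parser to show that the unescaped form built from the question's ", name" value is not even a well-formed DN, while the escaped form is. `DnEscaping`, `userDn` and `isWellFormed` are hypothetical names; the base DN `OU=Users,DC=example,DC=com` is constructed for the example.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper for RFC 4514 escaping of DN attribute values; not part of the question's client. */
public final class DnEscaping {

    /** Characters that must be backslash-escaped anywhere inside a value (RFC 4514 section 2.4). */
    private static final String SPECIAL = ",+\"\\<>;";

    /** Escape a single attribute value so it can be embedded in a DN string. */
    public static String escapeValue(String value) {
        StringBuilder out = new StringBuilder(value.length() * 2);
        int last = value.length() - 1;
        for (int i = 0; i <= last; i++) {
            char c = value.charAt(i);
            if (c == '\0') {                      // NUL has no printable form; RFC 4514 uses the hex pair
                out.append("\\00");
                continue;
            }
            boolean leadingSpaceOrHash = i == 0 && (c == ' ' || c == '#');
            boolean trailingSpace = i == last && c == ' ';
            if (leadingSpaceOrHash || trailingSpace || SPECIAL.indexOf(c) >= 0) {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    /** Build "CN=<escaped name>,<base>" the way a client should before sending a DN to the server. */
    public static String userDn(String cn, String baseDn) {
        return "CN=" + escapeValue(cn) + "," + baseDn;
    }

    /** True when JNDI's RFC 2253/4514 parser (behind LdapName) accepts the string as a DN. */
    public static boolean isWellFormed(String dn) {
        try {
            new LdapName(dn);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String displayName = ", name";                       // the value from the question
        String base = "OU=Users,DC=example,DC=com";          // constructed base DN

        String naive = "CN=" + displayName + "," + base;     // concatenation without escaping
        String escaped = userDn(displayName, base);          // CN=\, name,OU=Users,DC=example,DC=com

        // The naive string parses as "CN=" with an empty value followed by a second RDN " name"
        // that has no '=', so the parser rejects it.
        System.out.println(naive + "  well-formed: " + isWellFormed(naive));     // false
        System.out.println(escaped + "  well-formed: " + isWellFormed(escaped)); // true

        // JNDI ships its own escaper; for this input it produces the same result.
        System.out.println(Rdn.escapeValue(displayName).equals(escapeValue(displayName))); // true
    }
}
```

In production code prefer `Rdn.escapeValue` (or build the DN from `Rdn` objects and `LdapName`) over string concatenation, and remember that search filters need the separate RFC 4515 escaping (`\2a`, `\28`, `\29`, `\5c`, `\00`); DN escaping and filter escaping are not interchangeable, and applying neither is the classic LDAP injection bug.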

2 Answers


So ... I did some further investigations and got some new details.

It all has to do with the "Modes of Authenticating to LDAP". My client (maybe Apache Directory Studio or Websphere Application Server too) uses the simple Auth-Mode.

environment.put( Context.SECURITY_AUTHENTICATION, "simple" );

If I change this to a more advanced mode the client is working fine.

environment.put( Context.SECURITY_AUTHENTICATION, "DIGEST-MD5" );

See the Oracle docs:
https://docs.oracle.com/javase/tutorial/jndi/ldap/authentication.html
https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html

I don't know why the Auth-Mode has something to do with the displayName, but my tests have shown that Java is not the problem, as said by olexd before.

For my test I used a console application called AdFind. This app enables me to reproduce the same behaviour as my client with a non-Java application.



Error code 525 in

LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

means "user not found" and is a server-side error message. Thus, native Java JNDI or any other LDAP client has no impact on it. See "Data codes related to 'LDAP: error code 49' with Microsoft Active Directory" for more details.

1 Comment

Hi! I read some docs for LDAP error codes before, but "user not found" just didn't make any sense to me, because the user was definitely stored in AD. I did some more investigations ... please have a look at my next answer.
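The two answers together, as an added Java example that is neither the asker's client nor any library's API: the first answer switches `Context.SECURITY_AUTHENTICATION` from `simple` to `DIGEST-MD5`, the second explains that `data 525` in an error 49 is a server-side "user not found". The helper below builds the JNDI environment for both modes (the `simple` builder refuses anything but `ldaps://`, because a simple bind carries the password in clear), and on a failed bind extracts the AD data code from the exception message so the operations log can distinguish "user not found" from lockouts and expired passwords. The class and method names (`AdBind`, `simpleBindEnv`, `digestMd5Env`, `dataCode`, `describe`, `bind`) are hypothetical; the JNDI keys `java.naming.security.sasl.realm` and `javax.security.sasl.qop` are real, documented properties, and the data-code table is the well-known list of AD extended codes.

```java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical helper: JNDI bind environments for the two modes from the answers, plus classification of the
 *  AD "data" code in an error 49 message. Not the asker's client and not part of any library. */
public final class AdBind {

    private static final String LDAP_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    /** Simple bind: the principal is a DN (values escaped per RFC 4514) or a UPN such as user@example.com.
     *  The password travels in clear inside the bind request, so only an ldaps:// URL is accepted here. */
    public static Hashtable<String, String> simpleBindEnv(String url, String principal, String password) {
        if (!url.startsWith("ldaps://")) {
            throw new IllegalArgumentException("simple bind only over ldaps://, got " + url);
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** DIGEST-MD5 SASL bind: the principal is the account name (sAMAccountName), not a DN, so no DN string
     *  is built or parsed; the realm is the AD domain. The password is used in a challenge-response and is
     *  never sent in clear. */
    public static Hashtable<String, String> digestMd5Env(String url, String accountName, String realm, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_FACTORY);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
        env.put(Context.SECURITY_PRINCIPAL, accountName);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.security.sasl.realm", realm);
        env.put("javax.security.sasl.qop", "auth-conf"); // sign and encrypt the session, not only the bind
        return env;
    }

    private static final Pattern DATA_CODE =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** The AD-specific "data" code inside an error 49 message, lower-cased, or null when absent. */
    public static String dataCode(String message) {
        if (message == null) return null;
        Matcher m = DATA_CODE.matcher(message);
        return m.find() ? m.group(1).toLowerCase() : null;
    }

    /** Meaning of the data code for the server-side log. Keep this out of the response to the end user:
     *  reporting "user not found" versus "wrong password" lets a caller enumerate valid accounts. */
    public static String describe(String dataCode) {
        if (dataCode == null) return "bind failed (no AD data code)";
        switch (dataCode) {
            case "525": return "user not found";
            case "52e": return "invalid credentials";
            case "530": return "logon not permitted at this time";
            case "531": return "logon not permitted at this workstation";
            case "532": return "password expired";
            case "533": return "account disabled";
            case "701": return "account expired";
            case "773": return "user must reset password";
            case "775": return "account locked out";
            default:    return "unrecognised data code " + dataCode;
        }
    }

    /** Opens the context; on an authentication failure logs the classified reason and rethrows. */
    public static DirContext bind(Hashtable<String, String> env) throws NamingException {
        try {
            return new InitialDirContext(env);
        } catch (AuthenticationException e) {
            System.err.println("bind failed: " + describe(dataCode(e.getMessage())));
            throw e;
        }
    }

    public static void main(String[] args) throws NamingException {
        // Offline check against the message from the question's stack trace; no directory is contacted.
        String msg = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, "
                   + "comment: AcceptSecurityContext error, data 525, vece]";
        System.out.println(describe(dataCode(msg)));   // user not found

        // Live bind only when the four placeholders are supplied: url accountName realm password
        if (args.length == 4) {
            DirContext ctx = bind(digestMd5Env(args[0], args[1], args[2], args[3]));
            try {
                System.out.println("bound as " + args[1]);
            } finally {
                ctx.close();
            }
        }
    }
}
```

Two design notes. DIGEST-MD5 removes the DN from the picture, which is consistent with the accepted explanation that the comma in the generated DN is what breaks the simple bind, but the mechanism itself is obsolete (RFC 6331 moved it to historic); for Active Directory the mechanism to standardise on is GSSAPI (Kerberos), with simple binds reserved for `ldaps://` and service accounts whose DN you construct with proper escaping. Logging the AD data code is useful for detecting lockout storms and password-spray attempts (many `52e` followed by `775` for one account), which is exactly why the message returned to the user must stay generic.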
