Security
In LDAP, authentication information is supplied in the "bind" operation. In LDAP v2, a client initiates a connection with the LDAP server by sending the server a "bind" operation containing the authentication information. In LDAP v3, the "bind" operation serves the same purpose but is optional, and may be sent at any time, possibly more than once, during the connection. A client that sends an LDAP request without doing a "bind" is treated as an anonymous client (see the Anonymous section for details). A client can send a "bind" request in the middle of a connection to change its identity. If the "bind" request is successful, all outstanding requests on the connection that used the old identity are discarded and the connection is associated with the new identity. A connection therefore carries exactly one identity at a time: a new bind replaces the old identity rather than adding to it.
The authentication information supplied in the "bind" operation depends on the authentication mechanism that the client chooses. See the next section for a discussion of the authentication mechanisms.
Authenticating to the LDAP Using the JNDI
In the JNDI, authentication information is specified in environment properties. When you create an initial context using the InitialDirContext class, you supply a set of environment properties, some of which might contain authentication information. The following environment properties specify the authentication information:
- Context.SECURITY_AUTHENTICATION (java.naming.security.authentication): This property specifies the authentication mechanism to use. For the Sun LDAP service provider, this can be one of the following strings: none, simple, CRAM-MD5. See the next section for a description of these strings.
- Context.SECURITY_PRINCIPAL (java.naming.security.principal): This property specifies the name of the user/program doing the authentication and depends on the value of the Context.SECURITY_AUTHENTICATION property. See the next few sections in this lesson for details and examples.
- Context.SECURITY_CREDENTIALS (java.naming.security.credentials): This property specifies the credentials of the user/program doing the authentication and depends on the value of the Context.SECURITY_AUTHENTICATION property. See the next few sections in this lesson for details and examples.
When the initial context is created, the underlying LDAP service provider extracts the authentication information from these environment properties and uses the LDAP "bind" operation to pass them to the server.
The following example shows how a client authenticates to an LDAP server using a simple clear-text password. Because a simple bind sends the password to the server in the clear, use it only over a connection that is protected by TLS (for example, an ldaps:// URL); otherwise anyone who can observe the network traffic can read the password.
```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Set up environment for creating initial context
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

// Authenticate as S. User and password "mysecret"
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");

// Create initial context; the provider sends the "bind" with the information above
DirContext ctx = new InitialDirContext(env);

// ... do something useful with ctx

// Release the connection when finished
ctx.close();
```
Using Different Authentication Information for a Context
If you want to use different authentication information for an existing context, you can use the methods Context.addToEnvironment() and Context.removeFromEnvironment() to update the environment properties containing the authentication information. Subsequent invocations of methods on the context will use the new authentication information when communicating with the server. Note that the change takes effect only when the next request is sent: an authentication failure caused by the new information is reported from that later method call, not from addToEnvironment() itself.
The following example shows how the authentication information of a context is changed to "none" after the context has been created.
```java
// Set up environment as in the previous example
Hashtable<String, Object> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

// Authenticate as S. User and password "mysecret"
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");

// Create initial context
DirContext ctx = new InitialDirContext(env);

// ... do something useful with ctx

// Change to using no authentication; the next request on ctx is sent as an anonymous client
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "none");

// ... do something useful with ctx
```
Authentication Failures
Authentication can fail for a number of reasons. If you supply incorrect authentication information, such as an incorrect password or principal name, an AuthenticationException is thrown. Here's an example that is a variation of the example above. This time, an incorrect password is supplied and causes the authentication to fail.
This fails with an AuthenticationException:
```java
// env set up as in the previous examples
// Authenticate as S. User and give incorrect password
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "notmysecret");
```
```
javax.naming.AuthenticationException: [LDAP: Invalid Credentials]
        at java.lang.Throwable.<init>(Compiled Code)
        at java.lang.Exception.<init>(Compiled Code)
        ...
```
Because different servers support different authentication mechanisms, you might be requesting an authentication mechanism that the server does not support. In that case, an AuthenticationNotSupportedException is thrown. Here's an example that is a variation of the example above. This time, an unsupported authentication mechanism ("custom") is supplied and causes the authentication to fail.
This fails with an AuthenticationNotSupportedException:
```java
// env set up as in the previous examples
// Authenticate as S. User and password "mysecret", but with an unknown mechanism
env.put(Context.SECURITY_AUTHENTICATION, "custom");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");
```
```
javax.naming.AuthenticationNotSupportedException: Unsupported value for java.naming.security.authentication property.
        at java.lang.Throwable.<init>(Compiled Code)
        at java.lang.Exception.<init>(Compiled Code)
        at javax.naming.NamingException.<init>(Compiled Code)
        ...
```
As the message shows, in this example it is the Sun provider itself that rejects the unknown mechanism name before contacting the server; the same exception is thrown when the server refuses a mechanism that the provider does support (LDAP result code authMethodNotSupported). Note that the Netscape Directory Server 3.11 sends back the wrong error code when an authentication mechanism it does not support is requested, resulting in a CommunicationException being thrown instead.
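Putting the pieces of this section together (the simple bind with SECURITY_* properties, changing the authentication information of an existing context with addToEnvironment(), and the failure exceptions), here is an added example of a fail-closed login check. It is not code from the JNDI tutorial. It negotiates StartTLS before any password is sent, so the clear-text simple bind travels inside TLS; it refuses empty passwords, because a simple bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2) that some servers accept while leaving the connection anonymous; and it maps each exception to a result. It uses javax.naming.ldap.LdapContext, whose reconnect() method forces the bind immediately instead of waiting for the next request. The server URL, the class and method names, the Result enum and the sample inputs in main() are assumptions made for this example.

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/**
 * Added example (not from the JNDI tutorial): a fail-closed login check built
 * on a simple bind over StartTLS. The URL, the DN layout and the Result enum
 * are assumptions made for this example.
 */
public class LdapLoginCheck {

    /** Outcome of an attempt, so callers never have to interpret exceptions. */
    public enum Result { OK, BAD_CREDENTIALS, MECHANISM_UNSUPPORTED, SERVER_ERROR }

    // Assumed server; a plain ldap:// URL because StartTLS upgrades it below.
    private static final String URL = "ldap://localhost:389/o=JNDITutorial";

    public static Result authenticate(String userDn, char[] password) {
        // Never send an empty password: a simple bind with a DN and an empty
        // password is an unauthenticated bind (RFC 4513 section 5.1.2), which
        // some servers accept, leaving the connection anonymous while the
        // caller believes the user has just proved its identity.
        if (userDn == null || userDn.trim().isEmpty()
                || password == null || password.length == 0) {
            return Result.BAD_CREDENTIALS;
        }

        // No SECURITY_* properties yet: the context starts out as an anonymous
        // client, as this page describes for a connection without a bind.
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);

        LdapContext ctx = null;
        StartTlsResponse tls = null;
        try {
            ctx = new InitialLdapContext(env, null);

            // Upgrade the connection with StartTLS before any password is sent.
            // negotiate() checks the server certificate and host name.
            tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
            tls.negotiate();

            // Switch the authentication information of the existing context.
            // addToEnvironment() does not contact the server by itself...
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);

            // ...so force the bind now instead of at the next request. A wrong
            // DN or password surfaces here as AuthenticationException.
            ctx.reconnect(null);
            return Result.OK;
        } catch (AuthenticationException e) {
            return Result.BAD_CREDENTIALS;          // LDAP "Invalid Credentials"
        } catch (AuthenticationNotSupportedException e) {
            return Result.MECHANISM_UNSUPPORTED;    // server refuses simple bind
        } catch (CommunicationException e) {
            // Connection-level failure (and what this page reports for
            // Netscape DS 3.11 on an unsupported mechanism): fail closed.
            return Result.SERVER_ERROR;
        } catch (NamingException e) {
            return Result.SERVER_ERROR;             // anything else: fail closed
        } finally {
            // Close the TLS layer and the context so no bound connection lingers.
            try {
                if (tls != null) tls.close();
            } catch (IOException ignored) { }
            try {
                if (ctx != null) ctx.close();
            } catch (NamingException ignored) { }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; the DN is the sample entry used on this page.
        String dn = "cn=S. User, ou=NewHires, o=JNDITutorial";
        System.out.println(authenticate(dn, "mysecret".toCharArray()));
        System.out.println(authenticate(dn, "notmysecret".toCharArray()));
        System.out.println(authenticate(dn, new char[0]));  // rejected locally, never sent
    }
}
```

Only OK should ever unlock anything; every other result, including a CommunicationException from a server that reports the wrong error code, is treated as a failed login. Run against a server without StartTLS support, negotiate() fails and the method returns SERVER_ERROR without the password ever leaving the client.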