> -----Original Message-----
> From: mail@stefan-seelmann.de [mailto:mail@stefan-seelmann.de] On
> Behalf Of Stefan Seelmann
> Sent: Monday, September 06, 2010 7:33 PM
> To: api@directory.apache.org
> Subject: Re: Using LDAPConnection class...
>
> On Mon, Sep 6, 2010 at 3:37 PM, Kiran Ayyagari <kayyagari@apache.org>
> wrote:
> > On Mon, Sep 6, 2010 at 6:51 PM, Arvind N <Arvind.N@citrix.com> wrote:
> >> For this I always get an error message
> >> ** the error message is 80090308: LdapErr: DSID-0C090334, comment:
> AcceptSecurityContext error, data 525, vece **
> >> Googled quite a bit to no avail and to dig deeper hit ethereal.
> >> Noticed that in the LDAP protocol extract, the bind request had
> something like this
> >> ....
> >> DN: cn=Arvind N
> >> ..
> >>
> >> To cross verify if I had done anything wrong...
> >>
> >> I downloaded a java based LDAP browser JXplorer and provided the
> same input of
> >> User DN of "Arvind N" and the same credentials and it logged in just
> fine
> >> In this login ethereal trace noticed the below difference... and
> this seems to work always...
> >>
> >> ....
> >> DN: Arvind N
> >> .....
> >>
> >>
> >> Other than the above difference I did not notice any other
> difference in the LDAP packet
> >> between JXplorer(Which logged in just fine) and Apache LDAP Client
> API( failed to login)....
> >> Do let me know how can I make Apache LDAP client API to send DN: as
> plain DN: Arvind N,
> >> which I think should make the thing work just fine...
> > client-api requires the user name in the form of a DN so 'Arvind N'
> > cannot be used as it is not a valid DN. JXplorer must be doing some
> > behind the scenes work to make it work with AD.
>
> AD accepts either
> - the full DN, that looks typically like "cn=Arvind
> N,cn=Users,dc=MyDomain,dc=com"
> - or the samAccountName and the domain in format "Arvind N@DOMAIN"
>
> @Arvind:
> Could you try to use the full DN of your user?
Yes, I will try and do that... as of now I don't know my full DN ... :(
Just one more info: if I am able to do a JNDI login (Context.SECURITY_PRINCIPAL)
with "myDomain\arvindn",
would my domain in the DN be like "arvindn@myDomain"? Sorry, really bad knowledge of
LDAP in general... learning slowly... Once I have this thing running I would love to contribute
the sample code to you guys and maybe you could use it in a HOW-TO / FAQ.
> @Emmanuel, Kiran:
> JXplorer does the same as Apache Directory Studio: It uses JNDI and
> JNDI accepts a non-DN as principal. I think we should allow the same
> for the new API. WDYT?
>
Yes this was my point... Just to verify this I wrote a sample program to do direct JNDI as
shown below
......
String user = "myDomain\\arvindn";
// ctx is the LdapContext created in the elided part above
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, user);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
ctx.reconnect(connControls);
System.out.println(user + " is authenticated");
And Context.SECURITY_PRINCIPAL seems to take "domain\username" too as valid principal and
in the ethereal trace the LDAP has DN as
...
DN: myDomain\arvindn
...
And it works like a charm too....
HTH
~Arvind
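
A diagnostic sketch for the failure discussed in this thread, added here as an example and not part of the original messages or of the Apache LDAP API. The class and method names are hypothetical, and the sub-code table is an assumption based on the commonly documented meanings of the AD "data" values, not something stated in the thread.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class AdBindDiagnostics {  // hypothetical helper, not a project class
    // "data" sub-codes of a failed AD bind (hex Win32 error codes; assumed table).
    private static final Map<String, String> SUB_CODES = Map.of(
        "525", "user not found", "52e", "invalid credentials",
        "530", "logon not permitted at this time", "531", "logon not permitted from this workstation",
        "532", "password expired", "533", "account disabled",
        "701", "account expired", "773", "user must reset password",
        "775", "account locked out");
    private static final Pattern DATA =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** Extracts the sub-code from an AD bind diagnostic message and explains it. */
    static String explain(String diagnostic) {
        Matcher m = DATA.matcher(diagnostic);
        if (!m.find()) return "no AcceptSecurityContext sub-code found";
        String code = m.group(1).toLowerCase();
        return code + ": " + SUB_CODES.getOrDefault(code, "unknown sub-code");
    }

    /** Classifies a bind name by syntax only; it does not contact a server. */
    static String principalForm(String name) {
        if (name.isEmpty()) return "empty name (anonymous bind)";
        if (name.contains("\\") && !name.contains("=")) return "domain\\user form";
        if (name.contains("@") && !name.contains("=")) return "user@domain form";
        try {
            LdapName dn = new LdapName(name);  // RFC 2253 syntax check
            return dn.size() > 1 ? "DN with " + dn.size() + " RDNs"
                                 : "single-RDN DN (syntactically valid, not a full DN)";
        } catch (InvalidNameException e) {
            return "plain name, not a valid DN";
        }
    }

    public static void main(String[] args) {
        // Error text and bind names are the ones quoted in the thread.
        System.out.println(explain("80090308: LdapErr: DSID-0C090334, comment: "
            + "AcceptSecurityContext error, data 525, vece"));
        for (String n : new String[] {"cn=Arvind N", "Arvind N", "myDomain\\arvindn",
                "cn=Arvind N,cn=Users,dc=MyDomain,dc=com"}) {
            System.out.println(n + " -> " + principalForm(n));
        }
    }
}
```

Under the assumed table, the thread's "data 525" decodes to "user not found", which is consistent with a bind name that parses as a DN ("cn=Arvind N") but does not identify the account.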