
LDAP Authentication

In LDAP, authentication information is supplied in the "bind" operation. In LDAP v2, a client initiates a connection with the LDAP server by sending the server a "bind" operation containing the authentication information.

In LDAP v3, the "bind" operation serves the same purpose, but it is optional. A client that sends an LDAP request without doing a "bind" is treated as an anonymous client (see the Anonymous Authentication section for details). In LDAP v3, the "bind" operation may be sent at any time, possibly more than once, during the connection. A client can send a "bind" request in the middle of a connection to change its identity. If the "bind" request is successful, all outstanding requests that use the old identity on the connection are discarded and the connection is associated with the new identity.

The authentication information supplied in the "bind" operation depends on the authentication mechanism that the client chooses. See the next section for a discussion of the authentication mechanism.

Authenticating to the LDAP Using the JNDI

In the JNDI, authentication information is specified in environment properties. When you create an initial context using the InitialDirContext class (or its superclass or subclass), you supply a set of environment properties, some of which might contain authentication information. The following environment properties specify the authentication information:

  Context.SECURITY_AUTHENTICATION ("java.naming.security.authentication"): the authentication mechanism to use, for example "none" or "simple"
  Context.SECURITY_PRINCIPAL ("java.naming.security.principal"): the identity of the principal to authenticate, for example a distinguished name
  Context.SECURITY_CREDENTIALS ("java.naming.security.credentials"): the credentials of the principal, for example a password

When the initial context is created, the underlying LDAP service provider extracts the authentication information from these environment properties and uses the LDAP "bind" operation to pass it to the server.

The following example shows how, using a simple clear-text password, a client authenticates to an LDAP server:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Set up environment for creating initial context
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, 
    "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://localhost:389/o=JNDITutorial");

// Authenticate as S. User and password "mysecret"
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");

// Create initial context; the LDAP "bind" is performed here
DirContext ctx = new InitialDirContext(env);

// ... do something useful with ctx

Using Different Authentication Information for a Context

If you want to use different authentication information for an existing context, you can use the methods Context.addToEnvironment() and Context.removeFromEnvironment() to update the environment properties containing the authentication information. Subsequent invocations of methods on the context will use the new authentication information to communicate with the server.

The following example shows how the authentication information of a context is changed to "none" after the context has been created:

// Authenticate as S. User and password "mysecret"
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");

// Create initial context
DirContext ctx = new InitialDirContext(env);

// ... do something useful with ctx

// Change to using no authentication
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "none");

// ... do something useful with ctx

Authentication Failures

Authentication can fail for a number of reasons.

If you supply incorrect authentication information, such as an incorrect password or principal name, an AuthenticationException is thrown. Here's an example that is a variation of the example above. This time, an incorrect password is supplied and causes the authentication to fail.

// Authenticate as S. User and give incorrect password
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "notmysecret");

This produces the following output:

javax.naming.AuthenticationException: [LDAP: Invalid Credentials]
        at java.lang.Throwable.<init>(Compiled Code)
        at java.lang.Exception.<init>(Compiled Code)
        ...

Because different servers support different authentication mechanisms, you might be requesting an authentication mechanism that the server does not support. In that case, an AuthenticationNotSupportedException is thrown. Here's an example that is a variation of the example above. This time, an unsupported authentication mechanism ("custom") is supplied and causes the authentication to fail.

// Authenticate as S. User with the unsupported mechanism "custom"
env.put(Context.SECURITY_AUTHENTICATION, "custom");
env.put(Context.SECURITY_PRINCIPAL, "cn=S. User, ou=NewHires, o=JNDITutorial");
env.put(Context.SECURITY_CREDENTIALS, "mysecret");

This produces the following output:

javax.naming.AuthenticationNotSupportedException: Unsupported value for java.naming.security.authentication property.
        at java.lang.Throwable.<init>(Compiled Code)
        at java.lang.Exception.<init>(Compiled Code)
        at javax.naming.NamingException.<init>(Compiled Code)
        ...
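As an added example (not code from the tutorial), the following helper performs the "simple" bind described above and maps the two failure cases to distinct results so that an application can log and react to each without inspecting exception types at every call site. The server URL, DN and password in main() are the tutorial's placeholder values; the guard against an empty password is an extra check, since a "simple" bind with an empty password is an unauthenticated bind that servers commonly treat as anonymous.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.AuthenticationNotSupportedException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapBindCheck {
    // Outcome of a bind attempt, so callers can react without inspecting exception types.
    enum BindResult { OK, BAD_CREDENTIALS, MECHANISM_UNSUPPORTED, OTHER_ERROR }

    // Attempts a "simple" bind as the given DN and reports what happened. The context
    // is closed before returning; keep it open instead if you need it for further work.
    static BindResult tryBind(String url, String dn, String password) {
        // Refuse an empty password: with "simple" authentication an empty password is
        // an unauthenticated bind, which servers commonly treat as anonymous, so a
        // caller would wrongly conclude that the user's password had been verified.
        if (password == null || password.isEmpty()) {
            return BindResult.BAD_CREDENTIALS;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);            // the LDAP "bind" happens here
            return BindResult.OK;
        } catch (AuthenticationException e) {             // [LDAP: Invalid Credentials]
            return BindResult.BAD_CREDENTIALS;
        } catch (AuthenticationNotSupportedException e) { // mechanism the server does not offer
            return BindResult.MECHANISM_UNSUPPORTED;
        } catch (NamingException e) {                     // connectivity, referrals, etc.
            return BindResult.OTHER_ERROR;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Placeholder server and DN from the tutorial; replace with your own directory.
        System.out.println(tryBind("ldap://localhost:389/o=JNDITutorial",
                "cn=S. User, ou=NewHires, o=JNDITutorial", "mysecret"));
    }
}
```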
