Symantec Access Management


Not able to authenticate user in CA user directory using Java LDAP

  • 1.  Not able to authenticate user in CA user directory using Java LDAP

    Posted Mar 23, 2017 09:29 AM

    Hi, I am not able to authenticate a user on CA User Directory using Java LDAP. Below is my code; can you please tell me where I am going wrong?

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;

    public class LdapBindTest {                              // wrapper class added so the snippet compiles as posted
        public static void main(String[] args) throws NamingException {
            Hashtable<String, String> env = new Hashtable<String, String>(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.REFERRAL, "follow");
            String providerUrl = "ldap://ip:10389";              // "ip" stands in for the directory host
            env.put(Context.PROVIDER_URL, providerUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "simple");  // simple bind: principal + password
            env.put(Context.SECURITY_PRINCIPAL, "cn=administrator");
            env.put(Context.SECURITY_CREDENTIALS, "password123");
            Context context = new InitialContext(env);           // the bind happens here; NamingException on failure
            context.close();
        }
    }

    Please help.



  • 2.  Re: Not able to authenticate user in CA user directory using Java LDAP

    Posted Mar 24, 2017 02:30 PM

    I am not sure what API you are using, but I see a couple of things that might be causing your connections to fail:

    In the line: String providerUrl = "ldap://ip:10389";

    It looks to me like the characters "ip" should be replaced with the IP Address or fully qualified hostname of the CA User Directory Server.

    In the line: env.put(Context.SECURITY_PRINCIPAL, "cn=administrator");

    You may need to provide the full DN, not just the cn.

    Good luck.


    Rick



  • 3.  Re: Not able to authenticate user in CA user directory using Java LDAP

    Posted Mar 27, 2017 01:51 AM

    Thanks Rick for your response.
    I just removed the IP for security reasons; I am providing the correct IP.
    I tried all of the combinations below:
    ou=users,cn=cspadmin,dc=unitechwireless,dc=com
    cn=cspadmin,dc=unitechwireless,dc=com
    cn=cspadmin

    For all of these cases it gives an invalid credentials message, though I can confirm that I am providing the correct username and password and am able to connect directly to CA Directory.

    If I provide only "administrator", it shows: LDAP error code 34 - Invalid DN Syntax.



  • 4.  Re: Not able to authenticate user in CA user directory using Java LDAP

    Posted Mar 26, 2017 10:13 PM

    Hi,

    Are you getting any error or exception?

    "not able to authenticate user on CA user directory using LDAP java" is a bit generic and we don't have hints on where it failed.


    Regards,

    Kar Meng



  • 5.  Re: Not able to authenticate user in CA user directory using Java LDAP

    Posted Mar 27, 2017 01:52 AM

    Thanks Karmeng for your response.
    I just removed the IP for security reasons; I am providing the correct IP.
    I tried all of the combinations below:
    ou=users,cn=cspadmin,dc=unitechwireless,dc=com
    cn=cspadmin,dc=unitechwireless,dc=com
    cn=cspadmin

    For all of these cases it gives an invalid credentials message, though I can confirm that I am providing the correct username and password and am able to connect directly to CA Directory.

    If I provide only "administrator", it shows: LDAP error code 34 - Invalid DN Syntax.

    Regards.



  • 6.  Re: Not able to authenticate user in CA user directory using Java LDAP

    Posted Mar 26, 2017 10:24 PM

    Moved to the CA Directory forum; not a CA SSO issue.



  • 7.  Re: Not able to authenticate user in CA user directory using Java LDAP

    Broadcom Employee
    Posted Mar 27, 2017 05:21 PM

    Hello Chandan,

    Try providing the full DN of the 'administrator' account, and attempt to connect.

    If that doesn't work, use an LDAP browser and attempt to connect.

    Testing without the product will help us determine where the source of the issue is, whether it is with the product or an outside environment issue (ex. firewall).


    Thank you,

    Alex



  • 8.  Re: Not able to authenticate user in CA user directory using Java LDAP

    Broadcom Employee
    Posted Mar 28, 2017 10:29 AM

    Chandan,

       Researching this issue, I came across this write-up on the connection settings:


    javax.naming.Context.SECURITY_AUTHENTICATION
    the type of authentication to use when connecting to the LDAP directory server. This value is either none, simple, or strong.

    javax.naming.Context.SECURITY_PRINCIPAL
    the name, such as the distinguished name of a person object in the directory, under which the connection to the LDAP directory server should be made. This property is not required if the value for javax.naming.Context.SECURITY_AUTHENTICATION is none.

    javax.naming.Context.SECURITY_CREDENTIALS
    the credentials, such as a password, corresponding to the principal given as the value of javax.naming.Context.SECURITY_PRINCIPAL. This property is not required if the value for javax.naming.Context.SECURITY_AUTHENTICATION is none.

      Have you tried setting CA Directory in the dev environment to allow anonymous access?

      With anonymous access set on CA Directory, you can change your Java to be:

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import javax.naming.NamingException;

    public class LdapAnonymousTest {                         // wrapper class added so the snippet compiles as posted
        public static void main(String[] args) throws NamingException {
            Hashtable<String, String> env = new Hashtable<String, String>(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.REFERRAL, "follow");
            String providerUrl = "ldap://ip:10389";              // "ip" stands in for the directory host
            env.put(Context.PROVIDER_URL, providerUrl);
            env.put(Context.SECURITY_AUTHENTICATION, "none");    // anonymous bind: no principal or password is sent
            env.put(Context.SECURITY_PRINCIPAL, "");             // not required for "none"; left in as posted
            env.put(Context.SECURITY_CREDENTIALS, "");
            Context context = new InitialContext(env);           // succeeds if the server is reachable and allows anonymous access
            context.close();
        }
    }

     

      Compile and test with anonymous access in dev; then you know everything in your code works except the userid/password.

     

      After this I would check what the actual DN of the user is.

    This is the DN of an ou called users, and is probably invalid because you do not have an ou called cspadmin:

    ou=users,cn=cspadmin,dc=unitechwireless,dc=com

    This is incorrect because it is not a complete DN:

    cn=cspadmin

    This may be correct because it looks like a complete DN, but users usually do not exist at the base of an OU:

    cn=cspadmin,dc=unitechwireless,dc=com


    Thanks,

    Bill Patton
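
    The advice in replies 2, 7 and 8 (bind with the user's full DN; test outside the product so a DN problem, a credential problem and a connectivity problem can be told apart) put into working code. This is an added example, not code from the thread, from CA Directory, or from any poster. It looks the user up with a service account, binds as the DN the directory itself returns instead of a hand-built one, and classifies bind failures by the exception JNDI raises for each LDAP result code (34 invalidDNSyntax, 49 invalidCredentials, or a connection error). Only the suffix dc=unitechwireless,dc=com comes from the posts; the host, port, service account, objectClass and the LDAP_SERVICE_PASSWORD variable are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/* Added example: search for the user's DN with a service account, then bind as that DN.
 * Host, port, service account and objectClass below are assumed values. */
public class LdapSearchThenBind {

    // Assumed: ldaps:// so the simple-bind password is not sent in clear text.
    static final String PROVIDER_URL = "ldaps://directory.example.com:10636";
    static final String BASE_DN = "dc=unitechwireless,dc=com";               // suffix from the thread
    static final String SERVICE_DN = "cn=svc-auth,ou=services," + BASE_DN;   // assumed service account

    /** Simple bind as a full DN. Returns the bound context; the caller closes it. */
    static DirContext bind(String dn, String password) throws NamingException {
        // RFC 4513: a DN with an empty password is an unauthenticated bind, which servers
        // commonly treat as anonymous, so it would "succeed" for any DN. Refuse it up front.
        if (password == null || password.isEmpty()) {
            throw new AuthenticationException("empty password is not an authentication");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.REFERRAL, "ignore");   // following referrals would replay the password to another server
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);     // LDAP bind happens here
    }

    /** Resolve a login name to its DN; null if no entry matches. */
    static String findUserDn(DirContext svc, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);   // we only need the DN
        // {0} is substituted with RFC 4515 escaping by JNDI, so a username such as
        // "*)(cn=*" cannot rewrite the filter (LDAP injection).
        NamingEnumeration<SearchResult> hits = svc.search(
                BASE_DN, "(&(objectClass=person)(cn={0}))", new Object[] { username }, sc);
        try {
            if (!hits.hasMore()) {
                return null;
            }
            String dn = hits.next().getNameInNamespace();
            if (hits.hasMore()) {
                throw new NamingException("more than one entry matches cn=" + username);
            }
            return dn;
        } finally {
            hits.close();
        }
    }

    /** True only if the user exists and the password binds as that user's DN. */
    static boolean authenticate(String username, String password, String servicePassword)
            throws NamingException {
        DirContext svc = bind(SERVICE_DN, servicePassword);
        String userDn;
        try {
            userDn = findUserDn(svc, username);
        } finally {
            svc.close();
        }
        if (userDn == null) {
            return false;   // unknown user: same answer as a bad password, nothing leaked
        }
        try {
            bind(userDn, password).close();
            return true;
        } catch (AuthenticationException e) {   // LDAP result 49 invalidCredentials
            return false;
        }
    }

    public static void main(String[] args) {
        // usage: java LdapSearchThenBind <username> <password>; service password from the environment
        String svcPassword = System.getenv("LDAP_SERVICE_PASSWORD");
        try {
            System.out.println(authenticate(args[0], args[1], svcPassword) ? "OK" : "DENIED");
        } catch (InvalidNameException e) {     // LDAP result 34 invalidDNSyntax: a principal was not a DN
            System.err.println("principal is not a valid DN: " + e.getMessage());
        } catch (CommunicationException e) {   // nothing answered at PROVIDER_URL: host, port, firewall or TLS
            System.err.println("cannot reach directory: " + e.getMessage());
        } catch (NamingException e) {
            System.err.println("LDAP error: " + e);
        }
    }
}
```

    Two differences from the snippet in the original post are deliberate. A simple bind over plain ldap:// sends the password in clear text, so the example uses ldaps:// (StartTLS is the other option). It also sets REFERRAL to "ignore" rather than "follow", because JNDI re-binds with the same credentials when it follows a referral, which hands the password to whatever server the referral names.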



  • 9.  Re: Not able to authenticate user in CA user directory using Java LDAP

    Posted Mar 29, 2017 01:37 PM

    Hi Chandan - Did any of the subsequent suggestions help with your issue?  Thanks Mike



  • 10.  Re: Not able to authenticate user in CA user directory using Java LDAP
    Best Answer

    Posted Mar 31, 2017 07:44 AM

    The distinguished name information was not correct; after providing the correct information I am able to connect.
    Thanks all for your kind support, much appreciated.



  • 11.  Re: Not able to authenticate user in CA user directory using Java LDAP

    Broadcom Employee
    Posted Mar 31, 2017 07:49 AM

    Chandan,

      Please share what your user DN looks like now for future people that may run across this issue.


    Thanks,

    Bill Patton