I've never been much of an AD or even LDAP expert, but I decided to look into authenticating against AD directly from my Java application. The best LDAP library I found is Spring LDAP, and since we already use Spring for all of our dependency injection it was a natural fit. I expected to spend a day or two wading through distinguished names (DNs), properties, AD hierarchies, etc., but to my surprise I was able to get it up and running in a few lines of code, as shown here:
```java
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.filter.Filter;

// Setup the LDAP client (normally done via Spring context file).
// Note: afterPropertiesSet() throws a checked Exception.
LdapContextSource contextSource = new LdapContextSource();
contextSource.setUrl("ldap://adserver.mycompany.com:3268");
contextSource.setBase("DC=AD,DC=MYCOMPANY,DC=COM");
contextSource.setUserDn("readonlyuser@ad.mycompany.com");
contextSource.setPassword("password1");
contextSource.afterPropertiesSet();

LdapTemplate ldapTemplate = new LdapTemplate(contextSource);
ldapTemplate.afterPropertiesSet();

// Perform the authentication: search under OU=CorpUsers (relative to the
// base DN) for the user, then bind as that user with the supplied password.
// EqualsFilter.encode() escapes LDAP metacharacters in the user name.
Filter filter = new EqualsFilter("sAMAccountName", "mpilone");
boolean authed = ldapTemplate.authenticate("OU=CorpUsers",
        filter.encode(),
        "user-entered-password");

// Display the results.
System.out.println("Authenticated: " + authed);
```
The Active Directory at my company requires an authenticated user in order to browse the directory, so I specify this information as the user DN and password. I can then issue authentication requests against any user in AD. Spring LDAP hides a lot of the gory details of crawling the directory, finding the user, and performing the authentication check. You'll obviously have to tweak the base DN for your own configuration, and in a heavily used application you'll probably also want to look into Spring LDAP's pooling support.
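To make the search-then-bind flow described above a little more explicit, here is an added example that is not from the original post: a small wrapper class (the name `AdAuthenticator`, the `Result` type and all host, base-DN and account values are hypothetical placeholders) that builds the same `LdapContextSource`/`LdapTemplate` pair, constructs the user filter through `EqualsFilter` so the login name cannot change the filter's structure, rejects empty passwords up front, and uses Spring LDAP's `AuthenticationErrorCallback` overload of `authenticate` to record why a bind failed. It also assumes the directory is reached over `ldaps://` on 3269 (the global-catalog-over-TLS counterpart of the 3268 port used in the post), since with plain `ldap://` both the read-only account's password and every user-entered password cross the network in clear during the simple bind.

```java
import org.springframework.ldap.core.AuthenticationErrorCallback;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;

/**
 * Search-then-bind authentication against Active Directory with Spring LDAP.
 * Hypothetical example class; the host, base DN and service account used by
 * callers are placeholders, not values from any real deployment.
 */
public class AdAuthenticator {

    /** Outcome of one authentication attempt. */
    public static final class Result {
        public final boolean authenticated;
        public final String failureReason; // null on success

        Result(boolean authenticated, String failureReason) {
            this.authenticated = authenticated;
            this.failureReason = failureReason;
        }
    }

    private final LdapTemplate ldapTemplate;
    private final String userSearchBase; // e.g. "OU=CorpUsers", relative to the base DN

    public AdAuthenticator(LdapTemplate ldapTemplate, String userSearchBase) {
        this.ldapTemplate = ldapTemplate;
        this.userSearchBase = userSearchBase;
    }

    /**
     * Programmatic equivalent of the Spring XML beans. Use an ldaps:// URL
     * (3269 is the global catalog over TLS) so neither the service-account
     * bind nor the user's password is sent in clear.
     */
    public static LdapTemplate buildTemplate(String url, String baseDn,
                                             String serviceUser, String servicePassword)
            throws Exception {
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(url);             // e.g. "ldaps://adserver.example.com:3269" (placeholder)
        contextSource.setBase(baseDn);         // e.g. "DC=AD,DC=EXAMPLE,DC=COM" (placeholder)
        contextSource.setUserDn(serviceUser);  // read-only account used only to locate users
        contextSource.setPassword(servicePassword);
        contextSource.afterPropertiesSet();

        LdapTemplate template = new LdapTemplate(contextSource);
        template.afterPropertiesSet();
        return template;
    }

    /**
     * Builds the user-lookup filter. Going through EqualsFilter instead of
     * string concatenation escapes the LDAP filter metacharacters
     * ( ) * \ and NUL in the user-supplied name, so the login field cannot
     * alter the filter's structure (LDAP injection). For the name "j*doe"
     * the asterisk is emitted as \2a.
     */
    static String userFilter(String username) {
        AndFilter filter = new AndFilter();
        filter.and(new EqualsFilter("objectClass", "user"));
        filter.and(new EqualsFilter("sAMAccountName", username));
        return filter.encode();
    }

    /** Verifies the user's password via search-then-bind. */
    public Result authenticate(String username, String password) {
        if (username == null || username.isEmpty()
                || password == null || password.isEmpty()) {
            // A simple bind with an empty password is an *unauthenticated* bind
            // (RFC 4513 section 5.1.2), which servers may accept, so refuse it here
            // rather than relying on the directory to reject it.
            return new Result(false, "empty username or password");
        }

        final String[] reason = new String[1];
        boolean ok = ldapTemplate.authenticate(userSearchBase, userFilter(username), password,
                new AuthenticationErrorCallback() {
                    @Override
                    public void execute(Exception e) {
                        // Keep the cause for server-side logging; never echo it to the user.
                        reason[0] = e.getClass().getSimpleName() + ": " + e.getMessage();
                    }
                });
        if (ok) {
            return new Result(true, null);
        }
        // The callback is not guaranteed to run for every failure (for example a
        // search that matches no entry), so supply a generic reason in that case.
        return new Result(false, reason[0] != null ? reason[0] : "user not found or bind rejected");
    }
}
```

Usage follows the post: `new AdAuthenticator(AdAuthenticator.buildTemplate(url, baseDn, serviceUser, servicePassword), "OU=CorpUsers").authenticate(login, enteredPassword)`. The service account only needs read access to the user subtree; the user's own password is checked by the second bind, which is why the wrapper never compares passwords itself and why an empty password must be rejected before it reaches that bind.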
In the long run I'd like to get Crowd more fully configured and supported so I can point a bunch of my internal tools at it (like Git, SVN, Jenkins, etc.), but for now I can shut it down and let my one application hit AD directly.