Overview#

We found These commands to look up and verify DNS SRV Records useful when working with setup for Kerberos clients.

Examples#

Should bring back the entries for the first domain in the /etc/resolve.conf file:

nslookup -type=any _ldap._tcp

Find all "ldap" srv records for a domain:

nslookup -type=any _ldap._tcp.<yourdomain>.net

or using dig

dig srv _ldap._tcp.<yourdomain>.net

dig srv _kerberos._tcp.<yourdomain>.net

dig srv _kerberos._tcp.<yourdomain>.net

Verify DNS Records with JNDI [1]#

This is an JNDI Example a class to authenticate a user in Microsoft Active Directory using LDAP.

First locates the domain controllers (DNS lookup of SRV records for _ldap._tcp.domain), parses out the server part and then tries to authenticate the user against a domain controller.

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
 
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
 
import com.sun.jndi.ldap.LdapCtxFactory;
 
/**
 * LDAPAuthentication class for authenticating Microsoft Active Directory users
 *
 * If the user or password is wrong, you'll get an AuthenticationException If
 * none of the domain controllers are reachable, you'll get a
 * CommunicationException. If a domain controller cannot be located (via DNS)
 * you'll get a NamingException.
 *
 * @author Roger Armstrong, Armstrong Consulting GmbH
 *
 */
public class LDAPAuthentication {
    public static void authenticateUser(String user, String password, String domain) throws AuthenticationException, NamingException {
        List<string> ldapServers = findLDAPServersInWindowsDomain(domain);
        if (ldapServers.isEmpty())
            throw new NamingException("Can't locate an LDAP server (try nslookup type=SRV _ldap._tcp." + domain + ")");
 
        Hashtable<string, String> props = new Hashtable<string, String>();
        String principalName = user + "@" + domain;
        props.put(Context.SECURITY_PRINCIPAL, principalName);
        props.put(Context.SECURITY_CREDENTIALS, password);
        Integer count = 0;
        for (String ldapServer : ldapServers) {
            try {
                count++;
                LdapCtxFactory.getLdapCtxInstance("ldap://" + ldapServer, props);
                return;
            } catch (CommunicationException e) { // this is what'll happen if one of the domain controllers is unreachable
                if (count.equals(ldapServers.size())) {
                    // we've got no more servers to try, so throw the CommunicationException to indicate that we failed to reach an LDAP server
                    throw e;
                }
            }
        }
    }
 
    private static List<string> findLDAPServersInWindowsDomain(String domain) throws NamingException {
        List<string> servers = new ArrayList<string>();
        Hashtable<string, String> env = new Hashtable<string, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put("java.naming.provider.url", "dns:");
        DirContext ctx = new InitialDirContext(env);
        Attributes attributes = ctx.getAttributes("_ldap._tcp." + domain, new String[] { "SRV" }); // that's how Windows domain controllers are registered in DNS
        Attribute a = attributes.get("SRV");
        for (int i = 0; i < a.size(); i++) {
            String srvRecord = a.get(i).toString();
            // each SRV record is in the format "0 100 389 dc1.company.com."
            // priority weight port server (space separated)
            servers.add(srvRecord.split(" ")[3]);
        }
        ctx.close();
        return servers;
    }
}

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-5) was last changed on 22-Jun-2016 13:33 by jim