This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
We found these commands for looking up and verifying [DNS SRV Records] useful when setting up [Kerberos] clients.
!! [Examples]
Should return the SRV entries for the first search domain listed in /etc/resolv.conf (nslookup appends that domain to the unqualified name):
{{{
nslookup -type=any _ldap._tcp
}}}
Find all "ldap" SRV records for a domain:
* and therefore [Domain Controllers]
* this is [How Domain Controllers Are Located in Windows]
{{{
nslookup -type=any _ldap._tcp.<yourdomain>.net
}}}
Or using dig:
{{{
dig srv _ldap._tcp.<yourdomain>.net
dig srv _kerberos._tcp.<yourdomain>.net
# list only the target hosts; many resolvers answer ANY queries minimally (RFC 8482), so fall back to the explicit srv query above if this prints nothing
dig ANY _ldap._tcp.<yourdomain>.net +noall +short |awk '{print $NF}' |sort
}}}
!! [{$pagename}] with [JNDI] [1]
This is a [JNDI Example]: a class that [authenticates|authenticate] a user in [Microsoft Active Directory] using [LDAP].
It first locates the domain controllers ([DNS] lookup of the [SRV] records for _ldap._tcp.domain), parses the server part out of each record and then tries to authenticate the user against the domain controllers in turn.
%%prettify
{{{
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import com.sun.jndi.ldap.LdapCtxFactory; // JDK-internal class; Java 9+ needs --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED

/**
 * LDAPAuthentication class for authenticating Microsoft Active Directory users
 *
 * If the user or password is wrong, you'll get an AuthenticationException. If
 * none of the domain controllers are reachable, you'll get a
 * CommunicationException. If a domain controller cannot be located (via DNS)
 * you'll get a NamingException.
 *
 * @author Roger Armstrong, Armstrong Consulting GmbH
 *
 */
public class LDAPAuthentication {
    public static void authenticateUser(String user, String password, String domain) throws AuthenticationException, NamingException {
        // an empty password turns the simple bind into an unauthenticated bind, which AD accepts as anonymous: refuse it up front
        if (password == null || password.isEmpty())
            throw new AuthenticationException("Empty password is not allowed");
        List<String> ldapServers = findLDAPServersInWindowsDomain(domain);
        if (ldapServers.isEmpty())
            throw new NamingException("Can't locate an LDAP server (try nslookup -type=SRV _ldap._tcp." + domain + ")");
        Hashtable<String, String> props = new Hashtable<String, String>();
        String principalName = user + "@" + domain;
        props.put(Context.SECURITY_AUTHENTICATION, "simple");
        props.put(Context.SECURITY_PRINCIPAL, principalName);
        props.put(Context.SECURITY_CREDENTIALS, password);
        int count = 0;
        for (String ldapServer : ldapServers) {
            try {
                count++;
                // the bind happens while the context is created; a bad password throws AuthenticationException here
                DirContext ctx = LdapCtxFactory.getLdapCtxInstance("ldap://" + ldapServer, props);
                ctx.close(); // we only needed the bind, so release the connection
                return;
            } catch (CommunicationException e) { // this is what'll happen if one of the domain controllers is unreachable
                if (count == ldapServers.size()) {
                    // we've got no more servers to try, so throw the CommunicationException to indicate that we failed to reach an LDAP server
                    throw e;
                }
            }
        }
    }

    private static List<String> findLDAPServersInWindowsDomain(String domain) throws NamingException {
        List<String> servers = new ArrayList<String>();
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:");
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attributes = ctx.getAttributes("_ldap._tcp." + domain, new String[] { "SRV" }); // that's how Windows domain controllers are registered in DNS
            Attribute a = attributes.get("SRV");
            if (a == null)
                return servers; // no SRV records at all; the caller reports that no LDAP server could be located
            for (int i = 0; i < a.size(); i++) {
                String srvRecord = a.get(i).toString();
                // each SRV record is in the format "0 100 389 dc1.company.com."
                // priority weight port server (space separated)
                String host = srvRecord.split(" ")[3];
                if (host.endsWith("."))
                    host = host.substring(0, host.length() - 1); // strip the trailing dot of the FQDN
                servers.add(host);
            }
        } finally {
            ctx.close();
        }
        return servers;
    }
}
}}} /%
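A worked version of the two steps described above (parsing the SRV answer that dig or the JNDI DNS provider returns, then trying the domain controllers in turn with the same fail-over rule as the Java class), added here as an example; it is not code from the original page or from the quoted blog post. It goes one step beyond the Java class: it orders the records by SRV priority and weight as RFC 2782 prescribes instead of trusting DNS answer order. The SRV lines, the example.com hosts and the bind() stand-in are constructed for the example; no LDAP connection is made.

```python
"""Added example: parse _ldap._tcp SRV records, order them per RFC 2782 and
walk the domain-controller list with the Java class's fail-over rule.
Sample SRV lines and the bind() stand-in are constructed, not real data."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN without the trailing dot


def parse_srv(line: str) -> SrvRecord:
    """Parse one record in the text form "<priority> <weight> <port> <target>."
    that both `dig +short` and the JNDI DNS provider produce."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"not an SRV record: {line!r}")
    priority, weight, port = (int(f) for f in fields[:3])
    target = fields[3].rstrip(".")  # strip the trailing dot of the FQDN
    if not target or not 0 < port < 65536:
        raise ValueError(f"bad SRV port/target: {line!r}")
    return SrvRecord(priority, weight, port, target)


def parse_dig_short(text: str) -> List[SrvRecord]:
    """Parse the whole output of `dig +short srv _ldap._tcp.<domain>`."""
    return [parse_srv(line) for line in text.splitlines() if line.strip()]


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 selection: lowest priority first; within one priority pick
    weighted-random, so a weight-0 record is used only when nothing else is
    left. DNS answer order (what the Java class relies on) carries no meaning."""
    rng = rng or random.Random()
    by_priority: Dict[int, List[SrvRecord]] = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered: List[SrvRecord] = []
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r.weight != 0)  # weight-0 first, per RFC
        while pool:
            n = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:
                running += r.weight
                if running >= n:  # first record whose running sum reaches the draw
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def ldap_urls(records: List[SrvRecord]) -> List[str]:
    return [f"ldap://{r.target}:{r.port}" for r in order_srv(records)]


class Unreachable(Exception):
    """Stand-in for javax.naming.CommunicationException."""


class AuthenticationError(Exception):
    """Stand-in for javax.naming.AuthenticationException."""


def authenticate_user(user: str, password: str, domain: str, records: List[SrvRecord],
                      bind: Callable[[str, str, str], None]) -> str:
    """Same contract as the Java class: try each DC in order, skip unreachable
    ones, re-raise Unreachable only when the last one fails too, and let a wrong
    password propagate at once. Returns the URL that accepted the bind."""
    if not password:
        # an empty password makes a simple bind an unauthenticated (anonymous)
        # bind, which AD accepts: never let that count as a login
        raise AuthenticationError("empty password")
    urls = ldap_urls(records)
    if not urls:
        raise LookupError(f"no LDAP server found (try dig srv _ldap._tcp.{domain})")
    principal = f"{user}@{domain}"
    for i, url in enumerate(urls, 1):
        try:
            bind(url, principal, password)
            return url
        except Unreachable:
            if i == len(urls):
                raise


# constructed sample answer, as `dig +short srv _ldap._tcp.example.com` would print it
SAMPLE_DIG_SHORT = """\
0 100 389 dc1.example.com.
0 100 389 dc2.example.com.
10 0 389 dc3.example.com.
"""


def make_bind(reachable: set, good_password: str) -> Callable[[str, str, str], None]:
    """Build a bind() stand-in: Unreachable for hosts outside `reachable`,
    AuthenticationError for a wrong password, silent success otherwise."""
    def bind(url: str, principal: str, password: str) -> None:
        host = url[len("ldap://"):].rsplit(":", 1)[0]
        if host not in reachable:
            raise Unreachable(url)
        if password != good_password:
            raise AuthenticationError(principal)
    return bind


if __name__ == "__main__":
    recs = parse_dig_short(SAMPLE_DIG_SHORT)
    print(ldap_urls(recs))  # dc1/dc2 in random order, the priority-10 dc3 last
    print(authenticate_user("alice", "s3cret", "example.com", recs,
                            make_bind({"dc3.example.com"}, "s3cret")))
```

Because dc1 and dc2 are unreachable in the sample, the loop falls through to the priority-10 record dc3 and returns its URL; with no reachable host at all the last Unreachable is re-raised, matching the Javadoc contract. The empty-password guard is the check the Java class most needs: an LDAP simple bind with a name and no password is an unauthenticated bind, which Active Directory answers with success.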
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [LDAP AUTHENTICATION WITH ACTIVE DIRECTORY|http://blog.armstrongconsulting.com/?p=105|target='_blank'] - based on data observed: 2015-05-18