Should return the SRV entries for the first search domain configured in /etc/resolv.conf (nslookup appends that domain to the unqualified name):
nslookup -type=any _ldap._tcp
Find all "ldap" srv records for a domain:
nslookup -type=any _ldap._tcp.<yourdomain>.net
or using dig
dig srv _ldap._tcp.<yourdomain>.net
dig srv _kerberos._tcp.<yourdomain>.net
dig ANY _ldap._tcp.<yourdomain>.net +noall +short | awk '{print $NF}' | sort
(the last command prints only the target host name of each SRV record, one per line)
The class below first locates the domain controllers (DNS lookup of the SRV records for _ldap._tcp.<domain>), extracts the target host from each record and then attempts an LDAP simple bind as <user>@<domain> against the controllers in turn, moving to the next one only when a controller is unreachable. Note that a simple bind over plain ldap:// sends the password in clear text; use LDAPS (or StartTLS) in anything but a lab.
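import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;

import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * LDAPAuthentication class for authenticating Microsoft Active Directory users.
 *
 * The domain controllers are discovered through the SRV records that AD publishes under
 * {@code _ldap._tcp.<domain>}; the user is then authenticated with an LDAP simple bind as
 * {@code <user>@<domain>} against the first controller that can be reached.
 *
 * Outcome by exception type:
 * <ul>
 *   <li>wrong user or password (or an empty user/password, see below):
 *       {@link AuthenticationException}</li>
 *   <li>none of the domain controllers reachable: {@link CommunicationException}</li>
 *   <li>no domain controller could be located via DNS: {@link NamingException}</li>
 * </ul>
 *
 * Security notes (review):
 * <ul>
 *   <li>An empty password is rejected before any network call. With an empty credential
 *       the JNDI LDAP provider performs an anonymous/unauthenticated bind, which AD
 *       accepts by default, so the call would otherwise "succeed" for any user name.</li>
 *   <li>The three-argument {@link #authenticateUser(String, String, String)} keeps the
 *       original behaviour and binds over plain {@code ldap://}: the password crosses
 *       the network in clear text. Prefer the four-argument overload with
 *       {@code useLdaps = true}, which binds over {@code ldaps://} (default port 636)
 *       using the JVM's default trust store.</li>
 *   <li>{@code domain} selects which DNS name is queried and therefore which servers the
 *       password is sent to; it must come from configuration, never from the request.</li>
 * </ul>
 *
 * @author Roger Armstrong, Armstrong Consulting GmbH
 */
public class LDAPAuthentication {

    /** JDK-bundled LDAP provider, referenced by name so no internal {@code com.sun.*} class is imported. */
    private static final String LDAP_CTX_FACTORY = "com.sun.jndi.ldap.LdapCtxFactory";

    /** JDK-bundled DNS provider used for the SRV lookup. */
    private static final String DNS_CTX_FACTORY = "com.sun.jndi.dns.DnsContextFactory";

    /** TCP connect timeout for a single domain controller (ms); without it a black-holed DC hangs the caller. */
    private static final String CONNECT_TIMEOUT_MS = "5000";

    /** Read timeout for the bind response (ms). */
    private static final String READ_TIMEOUT_MS = "10000";

    /**
     * Authenticates {@code user} against the Active Directory domain {@code domain} over
     * plain {@code ldap://} (the original, clear-text behaviour; see class notes).
     *
     * @param user     sAMAccountName / UPN prefix, combined as {@code user@domain}
     * @param password the user's password; must not be empty
     * @param domain   DNS name of the AD domain, e.g. {@code corp.example.com}
     * @throws AuthenticationException if the credentials are rejected or empty
     * @throws CommunicationException  if no domain controller could be reached
     * @throws NamingException         if no domain controller could be located via DNS
     */
    public static void authenticateUser(String user, String password, String domain)
            throws AuthenticationException, NamingException {
        authenticateUser(user, password, domain, false);
    }

    /**
     * Authenticates {@code user} against the Active Directory domain {@code domain}.
     *
     * @param user     sAMAccountName / UPN prefix, combined as {@code user@domain}
     * @param password the user's password; must not be empty
     * @param domain   DNS name of the AD domain, e.g. {@code corp.example.com}
     * @param useLdaps {@code true} to bind over {@code ldaps://} (TLS, default port 636),
     *                 {@code false} for clear-text {@code ldap://}
     * @throws AuthenticationException if the credentials are rejected or empty
     * @throws CommunicationException  if no domain controller could be reached
     * @throws NamingException         if no domain controller could be located via DNS
     */
    public static void authenticateUser(String user, String password, String domain, boolean useLdaps)
            throws AuthenticationException, NamingException {
        // Validate before touching the network. An empty credential turns the simple bind
        // into an anonymous/unauthenticated bind that AD accepts -> authentication bypass.
        if (user == null || user.trim().isEmpty()) {
            throw new AuthenticationException("User name must not be empty");
        }
        if (password == null || password.isEmpty()) {
            throw new AuthenticationException("Password must not be empty");
        }
        if (domain == null || domain.trim().isEmpty()) {
            throw new NamingException("Domain must not be empty");
        }

        List<String> ldapServers = findLDAPServersInWindowsDomain(domain);
        if (ldapServers.isEmpty()) {
            throw new NamingException("Can't locate an LDAP server (try nslookup type=SRV _ldap._tcp."
                    + domain + ")");
        }

        String scheme = useLdaps ? "ldaps://" : "ldap://";
        String principalName = user + "@" + domain;
        CommunicationException lastFailure = null;
        for (String ldapServer : ldapServers) {
            try {
                bind(scheme + ldapServer, principalName, password);
                return; // bind succeeded: credentials are valid
            } catch (CommunicationException e) {
                // This domain controller is unreachable; remember the failure and try the next one.
                // Any other NamingException (including AuthenticationException) propagates immediately.
                lastFailure = e;
            }
        }
        // Every controller was unreachable: report the last failure (the list was non-empty, so it is set).
        if (lastFailure == null) {
            throw new CommunicationException("No LDAP server in " + domain + " could be reached");
        }
        throw lastFailure;
    }

    /**
     * Performs a simple bind against {@code url} and releases the connection again.
     *
     * @param url           provider URL, e.g. {@code ldap://dc1.corp.example.com}
     * @param principalName bind identity in UPN form
     * @param password      bind credential (already checked to be non-empty)
     * @throws NamingException as raised by the JNDI provider (AuthenticationException on bad
     *                         credentials, CommunicationException on an unreachable host)
     */
    private static void bind(String url, String principalName, String password) throws NamingException {
        Hashtable<String, String> props = new Hashtable<String, String>();
        props.put(Context.INITIAL_CONTEXT_FACTORY, LDAP_CTX_FACTORY);
        props.put(Context.PROVIDER_URL, url);
        props.put(Context.SECURITY_AUTHENTICATION, "simple");
        props.put(Context.SECURITY_PRINCIPAL, principalName);
        props.put(Context.SECURITY_CREDENTIALS, password);
        props.put("com.sun.jndi.ldap.connect.timeout", CONNECT_TIMEOUT_MS);
        props.put("com.sun.jndi.ldap.read.timeout", READ_TIMEOUT_MS);

        // The constructor performs the bind; the original never closed the returned
        // context and leaked one connection per successful authentication.
        DirContext ctx = new InitialDirContext(props);
        try {
            ctx.close();
        } catch (NamingException ignored) {
            // The bind already succeeded; a failure while tearing down the connection
            // must not be reported as an authentication problem.
        }
    }

    /** One parsed {@code _ldap._tcp} SRV record: priority and target host. */
    private static final class SrvEntry {
        final int priority;
        final String host;

        SrvEntry(int priority, String host) {
            this.priority = priority;
            this.host = host;
        }
    }

    /**
     * Looks up the domain controllers of {@code domain} via the {@code _ldap._tcp.<domain>}
     * SRV records (that is how Windows domain controllers register in DNS).
     *
     * Records are returned ordered by ascending SRV priority (lower is preferred); the SRV
     * weight is not honoured, and the port field is ignored because the provider URL uses
     * the scheme's default port. A trailing dot on the target name is removed so the host
     * matches a certificate subject when LDAPS is used.
     *
     * @param domain DNS name of the AD domain
     * @return target host names, possibly empty; never {@code null}
     * @throws NamingException if the DNS lookup fails (e.g. the name does not exist)
     */
    private static List<String> findLDAPServersInWindowsDomain(String domain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, DNS_CTX_FACTORY);
        env.put(Context.PROVIDER_URL, "dns:");

        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attributes = ctx.getAttributes("_ldap._tcp." + domain, new String[] { "SRV" });
            Attribute srv = attributes.get("SRV");
            List<SrvEntry> entries = new ArrayList<SrvEntry>();
            if (srv != null) {
                for (int i = 0; i < srv.size(); i++) {
                    // Each SRV record reads "0 100 389 dc1.company.com." -> priority weight port target
                    SrvEntry entry = parseSrvRecord(String.valueOf(srv.get(i)));
                    if (entry != null) {
                        entries.add(entry);
                    }
                }
            }
            // Stable sort: equal priorities keep the order DNS returned them in.
            Collections.sort(entries, new Comparator<SrvEntry>() {
                @Override
                public int compare(SrvEntry a, SrvEntry b) {
                    return a.priority < b.priority ? -1 : (a.priority == b.priority ? 0 : 1);
                }
            });
            List<String> servers = new ArrayList<String>(entries.size());
            for (SrvEntry entry : entries) {
                servers.add(entry.host);
            }
            return servers;
        } finally {
            ctx.close();
        }
    }

    /**
     * Parses one SRV record string of the form {@code "priority weight port target."}.
     *
     * @param srvRecord the record as rendered by the DNS provider
     * @return the parsed entry, or {@code null} if the record does not have four fields
     */
    private static SrvEntry parseSrvRecord(String srvRecord) {
        String[] fields = srvRecord.trim().split("\\s+");
        if (fields.length < 4 || fields[3].isEmpty()) {
            return null; // malformed record: skip rather than crash on the whole lookup
        }
        int priority;
        try {
            priority = Integer.parseInt(fields[0]);
        } catch (NumberFormatException e) {
            priority = Integer.MAX_VALUE; // unparsable priority: consider it last
        }
        String host = fields[3];
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);
        }
        if (host.isEmpty()) {
            return null;
        }
        return new SrvEntry(priority, host);
    }
}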