Java and active directory can be fun

I have a new toy at work – a Microsoft Exchange server. OK, so I can’t “play” with it in any conventional sense of the word (my superiors would shudder at the thought), but it has made for a lot of fun in that computer-geeky, hey-I’m-learning-something-new sort of way. I’d like to share with you the result of one of my more productive poking around sessions, but first, a little bit of background:

LDAP stands for “Lightweight Directory Access Protocol.” As the name suggests, it is used for communicating with directory services, such as the Active Directory on a Microsoft server.

Java applications make use of LDAP through the Java Naming and Directory Interface (JDNI). This column demonstrates how a Java program can authenticate users in an Active Directory and retrieve user attributes.

The Hashtable created on code lines 11 to 17 sets up the InitialContext. Think of the InitialContext as a starting point for accessing the directory. Line 13 specifies an InitialContextFactory for LDAP.

Line 14 specifies the server URL. The default port for LDAP connections is 389. If you are using SSL with LDAP, it will probably be port 636. The rest of the connection string following the URL is the base for directory operations. More on this will follow.

Line 15 specifies the authentication method. “Simple” could be replaced with “SSL” to authenticate using Secure Socket Layer.

The next two lines provide login information for a valid user on the server. The username and password entered here will be authenticated when the entire Hashtable is passed into the new InitialDirContext on line 19.

If you can code this far and run your program without throwing an exception, you’re doing a lot better than I did on my first 15 million or so tries.

If you’re connecting to the server successfully, but are unable to authenticate, chances are the problem is with the directory base appearing after the server URL. Any directory objects you refer to in your program are relative to this base. When I use cn=Cooney\\, Robert as a username, the actual username is cn=Cooney\\, Robert, OU=Users, DC=servername, DC=com (Think: Robert Cooney in the “Users” directory on servername.com) . When trying to diagnose an authentication problem, focus your efforts on lines 14 and 16 (the directory base and the username). You may wish to completely remove the directory base (leaving only the server URL on line 14), and simply work with a long username string.

There is a great LDAP tool available on the Windows 2000 CD that can help you figure out what name strings to use. It is called ldp.exe and should be located in the support\tools folder.

As we near the end of the code example, line 21 retrieves a list of all the attributes associated with my username. On line 22, I print the “mail” attribute to the screen, and my e-mail address is displayed. In the same way, I can extract any of the other attributes associated with my directory object – attributes such as address, telephone number, etc. Consult documentation from Microsoft for a list of valid attribute names in Exchange.

The best advice I can leave you with is to be patient. It may take a fair bit of trial and error to find the right naming conventions for your network. Never before have I spent so much time getting so few lines of code to work, but it was worth it in the end. I felt a giddy compulsion to high-five some unsuspecting co-workers when I finally met with success.

Cooney works as a programmer/analyst for a major Canadian book publisher. He can be reached at robert_cooney@hotmail.com.