开发者

How to create a new Active Directory Account from Java (via JNDI)?

问答 作者:

Is it possible to create a new user in AD rom Java via JNDI?

I tried via trusty Google but nothing came up - maybe I was googling using the wrong terminology (JNDI Active Directory Create User).

Any tips will be create appreciated.

Current status: I have connected to AD via my Java code and can change attributes of existing AD accounts; next I would like to be able to create AD users from开发者_如何学编程 Java/JNDI.

I am using http://forums.sun.com/thread.jspa?threadID=582103 and I made sure my account had the correct privileges to create an AD account and I am using LDAPS.

This is tricky. You can't set passwords unencrypted, and if you haven't set up all your cryptographic structure, you can't use LDAPS, so you need to use Kerberos instead.

I got it working like this: - do a simple bind to AD - kerberise your session - create a user account with a password but set it expired) now you can use a normal connection to set other properties.

// KRB5 connection details:
    System.setProperty("java.security.krb5.kdc", "domain.com");
    String username = "admin@DOMAIN.COM";
    String realm = "DOMAIN.COM";
    System.setProperty("java.security.krb5.realm", realm);
    System.setProperty("java.security.krb5.debug", "true");
    System.setProperty("sun.security.krb5.debug", "true");

// standard JNDI LDAP stuff:
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.PROVIDER_URL, "ldap://dc01.domain.com:389");
    env.put(Context.SECURITY_PRINCIPAL, username);       
    env.put(Context.SECURITY_CREDENTIALS, "abcd1234");

    ctxt = new InitialLdapContext(env, new Control [0]);

// kerberised connection details:
    LoginModule module;
    module = (LoginModule) Class.forName("com.sun.security.auth.module.Krb5LoginModule").newInstance();
    Subject subject = new Subject();
    Map<String, String> options = new HashMap<String, String>();
    Map<String, Object> sharedState = new HashMap<String, Object>();

    sharedState.put("javax.security.auth.login.password", properties.getProperty("ad.passwd").toCharArray());
    sharedState.put("javax.security.auth.login.name", username);
    options.put("principal", username);
    options.put("storeKey", "true");
    options.put("useFirstPass", "true");

    options.put("debug", "true");

    module.initialize(subject, null, sharedState, options);
    module.login();
    module.commit();       


// now create a user account:
    Subject.doAs(svc.getSubject(), new PrivilegedExceptionAction<Object>() {

            @Override
            public Object run() throws Exception {

                try {
                    String password = "\"Password1\"";
                    final Hashtable<String, String> env = svc.getEnvironment();
                    env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                    LdapContext ctxt = new InitialLdapContext(env, new Control[0]);
                    ModificationItem[] mods = new ModificationItem[1];
                    mods[0] = new     
                    ModificationItem(DirContext.REPLACE_ATTRIBUTE, new              
                    BasicAttribute("userPassword", password.getBytes("UTF-16LE")));
ModificationItem(DirContext.REPLACE_ATTRIBUTE, new     BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED)));
                    ctxt.modifyAttributes(dn, mods);
                }
                catch (NamingException e) { 
                    System.out.println("Failed to set password.");
                    e.printStackTrace();
                }
                return null;
            }
        });

Now you can change other settings as normal.

Hope that helps.

Jim

From http://forums.sun.com/thread.jspa?threadID=581444&messageID=3313188

Edit: the above link seems broken as a result of the sunoracle merger. The following seems to be the new location for the thread http://forums.oracle.com/forums/thread.jspa?threadID=1155430&start=0&tstart=0

public void addUserToGroup(LdapContext ctx, String userDN, String groupDN)
    throws NamingException {
    ModificationItem[] mods = new ModificationItem[1];
    mods[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
            new BasicAttribute("member", userDN));

    ctx.modifyAttributes(groupDN, mods);
}

public void removeUserFromGroup(LdapContext ctx, String userDN,
    String groupDN) throws NamingException {
    ModificationItem[] mods = new ModificationItem[1];
    mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
            new BasicAttribute("member", userDN));

    ctx.modifyAttributes(groupDN, mods);
}

继续阅读:active-directoryjndi

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9