I am trying to bind to an ADAM instance with a Windows user through JNDI, and it keeps failing. My ADAM instance and Active Directory are running on the same Windows Server 2003 machine.
However, through LDP I can bind with the same Windows user successfully and browse the entire tree.
The error is as follows (note that the password prompt echoes what is typed, which is why the password appears in clear text in this output):
Kerberos username [CHOUKSE]:
Kerberos password for CHOUKSE: password
Context initialization attempt failed
javax.naming.AuthenticationException: [LDAP: error code 49 - 8009030C: LdapErr: DSID-0C090441, comment: AcceptSecurityContext error, data 56, vece]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at com.nortel.kerberos.action.JndiAction.performJndiOperation(JndiAction.java:63)
at com.nortel.kerberos.action.JndiAction.run(JndiAction.java:27)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at com.nortel.kerberos.cli.KerberosAuthenticator.main(KerberosAuthenticator.java:87)
My code is as follows:
- package com.nortel.kerberos.cli;
- import java.util.Hashtable;
- import javax.naming.Context;
- import javax.naming.NamingException;
- import javax.naming.directory.DirContext;
- import javax.naming.directory.InitialDirContext;
- import javax.security.auth.Subject;
- import javax.security.auth.login.LoginContext;
- import javax.security.auth.login.LoginException;
- import com.nortel.kerberos.handler.KerberosCallBackHandler;
/**
 * Command-line driver: obtains Kerberos credentials through JAAS, then runs the
 * LDAP lookup (JndiAction1) inside Subject.doAs so the GSSAPI bind can use the
 * ticket that was just acquired.
 *
 * The JAAS configuration entry is looked up under the name of the
 * KerberosAuthenticator class (not KerberosAuthenticator1); the login.config
 * entry must carry exactly that name.
 */
public class KerberosAuthenticator1
{
    public static void main(String[] args) {
        // 1. Log in to Kerberos (prompts for user name and password).
        Subject subject = authenticate();
        // 2. Perform the JNDI work as the logged-in subject.
        Subject.doAs(subject, new JndiAction1(args));
    }

    /**
     * Runs the JAAS login. On failure the cause is printed to stderr and the
     * process exits with status -1; otherwise the authenticated Subject is returned.
     */
    private static Subject authenticate() {
        LoginContext loginContext = null;
        try {
            loginContext = new LoginContext(KerberosAuthenticator.class.getName(),
                                            new KerberosCallBackHandler());
            loginContext.login();
        } catch (LoginException failure) {
            System.err.println("Authentication attempt failed " + failure);
            System.exit(-1);
        }
        return loginContext.getSubject();
    }
}
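/**
 * PrivilegedAction that performs one LDAP lookup using the Kerberos credentials
 * of the Subject it runs under (SASL GSSAPI bind; no password is sent to the server).
 *
 * Command-line arguments, both optional:
 *   args[0]  comma-separated SASL quality-of-protection list: auth, auth-int, auth-conf
 *   args[1]  DN whose attributes are printed; defaults to "O=Nortel,C=CA"
 *
 * Fixes over the original: args[1] is only read when it exists (the original
 * threw ArrayIndexOutOfBoundsException when exactly one argument was given),
 * the context is closed in a finally block, and the raw PrivilegedAction type
 * is parameterised.
 */
class JndiAction1 implements java.security.PrivilegedAction<Object>
{
    private static final String DEFAULT_DN = "O=Nortel,C=CA";

    private final String[] args;

    public JndiAction1(String[] origArgs)
    {
        // Defensive copy: later changes to the caller's array must not affect this action.
        this.args = (String[]) origArgs.clone();
    }

    public Object run()
    {
        performJndiOperation(args);
        return null;
    }

    /**
     * Chooses the DN to read: args[1] when present, otherwise DEFAULT_DN.
     *
     * @param args command-line arguments; may be null or shorter than two entries
     * @return the DN to query, never null
     */
    static String resolveBaseDn(String[] args)
    {
        return (args != null && args.length > 1) ? args[1] : DEFAULT_DN;
    }

    /**
     * Binds to the ADAM instance with GSSAPI and prints the attributes of one entry.
     * Failures are reported on stderr rather than propagated, as in the original.
     */
    private static void performJndiOperation(String[] args)
    {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        // Must use the fully qualified hostname: the GSSAPI bind derives the target
        // service principal (ldap/<host>) from it, so an alias or IP address will not match.
        env.put(Context.PROVIDER_URL,
                "ldap://ac007899.shell.com:50000");
        // NOTE(review): a Kerberos bind to a non-default port such as 50000 needs a
        // service principal name covering ldap/ac007899.shell.com:50000 on the account
        // the ADAM instance runs as; this cannot be verified from the code -- check with setspn.

        // Authenticate with the already established Kerberos credentials via SASL GSSAPI.
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

        // Optional first argument: comma-separated QOP list (auth, auth-int, auth-conf).
        // With plain "auth" on this ldap:// connection, traffic after the bind is neither
        // integrity-protected nor encrypted; auth-conf is needed for confidentiality.
        if (args.length > 0) {
            env.put("javax.security.sasl.qop", args[0]);
        }
        String dn = resolveBaseDn(args);

        DirContext ctx = null;
        try
        {
            ctx = new InitialDirContext(env);
            System.out.println(ctx.getAttributes(dn));
        }
        catch (NamingException e)
        {
            System.err.println("Context initialization attempt failed");
            e.printStackTrace();
        }
        finally
        {
            // Release the connection even when the bind or the lookup failed.
            if (ctx != null)
            {
                try
                {
                    ctx.close();
                }
                catch (NamingException ignored)
                {
                    // Best effort: nothing useful can be done if close fails.
                }
            }
        }
    }
}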
- package com.nortel.kerberos.handler;
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;

import javax.security.auth.callback.*;
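/**
 * KerberosCallBackHandler: JAAS callback handler that collects the Kerberos
 * user name and password interactively. Used with KerberosAuthenticator.java.
 *
 * Changes over the original:
 *  - the password is read without local echo when a Console is attached
 *    (java.io.Console, Java 6+), so it no longer appears on screen or in
 *    copy-pasted terminal output;
 *  - in that case the password stays in a char[] and is never copied into a
 *    String, and our copy is wiped once handed to the callback;
 *  - one reader is kept per handler: creating a fresh BufferedReader over
 *    System.in for every prompt let the first reader buffer the second line
 *    when input was piped, so the password read returned null;
 *  - end of input fails with an IOException instead of a NullPointerException.
 */
public class KerberosCallBackHandler implements CallbackHandler
{
    /** Fallback reader for runs without a Console (redirected stdin); created on first use. */
    private BufferedReader stdin;

    public void handle( Callback[] callbacks ) throws java.io.IOException,
        UnsupportedCallbackException
    {
        for (Callback callback : callbacks)
        {
            if (callback instanceof NameCallback)
            {
                NameCallback cb = (NameCallback) callback;
                cb.setName( getInput( cb.getPrompt() ) );
            }
            else if (callback instanceof PasswordCallback)
            {
                PasswordCallback cb = (PasswordCallback) callback;
                char[] passwd = readSecret( cb.getPrompt() );
                cb.setPassword( passwd );
                // PasswordCallback stores its own copy, so this one can be cleared now.
                Arrays.fill( passwd, '\0' );
            }
            else
            {
                throw new UnsupportedCallbackException( callback );
            }
        }
    }

    /**
     * Reads one line of visible input from the Console, or from standard input
     * when no Console is attached. In real world apps this would typically be a
     * TextComponent or similar widget.
     *
     * @throws IOException on a read error or when input ends before a line is read
     */
    private String getInput( String prompt ) throws IOException
    {
        Console console = System.console();
        String line;
        if (console != null)
        {
            // "%s" keeps a '%' inside the prompt from being treated as a format directive.
            line = console.readLine( "%s", prompt );
        }
        else
        {
            System.out.print( prompt );
            System.out.flush();
            line = reader().readLine();
        }
        if (line == null)
        {
            throw new IOException( "end of input while reading: " + prompt );
        }
        return line;
    }

    /**
     * Reads a password without echo when a Console is available. Without a
     * Console (e.g. redirected stdin) echo cannot be suppressed here, so the
     * line is read visibly and converted to char[].
     *
     * @throws IOException on a read error or when input ends before a line is read
     */
    private char[] readSecret( String prompt ) throws IOException
    {
        Console console = System.console();
        if (console != null)
        {
            char[] secret = console.readPassword( "%s", prompt );
            if (secret == null)
            {
                throw new IOException( "end of input while reading: " + prompt );
            }
            return secret;
        }
        return getInput( prompt ).toCharArray();
    }

    /** Returns the shared stdin reader, creating it on first use. */
    private BufferedReader reader()
    {
        if (stdin == null)
        {
            // Platform charset on purpose: it matches what the terminal feeding stdin uses.
            stdin = new BufferedReader( new InputStreamReader( System.in ) );
        }
        return stdin;
    }
}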
#krb5.conf
# Client-side Kerberos configuration read by the JAAS Krb5LoginModule.
[libdefaults]
default_realm = SHELL.COM
# NOTE(review): rsa-md5 is a legacy checksum type; current KDCs and clients
# negotiate stronger checksums on their own, so this line is normally not
# needed -- confirm it is required before keeping it.
default_checksum = rsa-md5
[realms]
SHELL.COM = {
# The KDC is the domain controller; per the description above, the same host
# also runs the ADAM instance being bound to.
kdc = ac007899.shell.com
admin_server = ac007899.shell.com
default_domain = shell.com
}
[domain_realm]
.shell.com= SHELL.COM
shell.com= SHELL.COM
[appdefaults]
# NOTE(review): [appdefaults] entries are consumed by the named MIT tool (kinit
# here); the Java login module presumably does not read them -- verify before
# relying on these flags for tickets obtained through JAAS.
kinit = {
renewable = true
forwardable= true
}
// Connect to the AD instance
// Presumably the counterpart of the ADAM settings above, pointed at the domain
// controller's own LDAP service (port 389) instead of the ADAM instance on 50000.
String ldapURL = "ldap://ac007899.shell.com:389";
env.put(Context.PROVIDER_URL,ldapURL);
....
//Specify the Base for the search
// The domain naming context, as opposed to the ADAM partition O=Nortel,C=CA used above.
dn = "DC=shell,DC=com";
Please let me know if I am missing anything. I am stuck on this problem and would appreciate any help.