开发者

How to create a new Active Directory Account from Java (via JNDI)?

开发者 https://www.devze.com 2022-12-27 08:44 出处:网络
Is it possible to create a new user in AD rom Java via JNDI? I tried via trusty Google but nothing came up - maybe I was googling using the wrong terminology (JNDI Active Directory Create User).

Is it possible to create a new user in AD rom Java via JNDI?

I tried via trusty Google but nothing came up - maybe I was googling using the wrong terminology (JNDI Active Directory Create User).

Any tips will be create appreciated.

Current status: I have connected to AD via my Java code and can change attributes of existing AD accounts; next I would like to be able to create AD users from开发者_如何学编程 Java/JNDI.

I am using http://forums.sun.com/thread.jspa?threadID=582103 and I made sure my account had the correct privileges to create an AD account and I am using LDAPS.


This is tricky. You can't set passwords unencrypted, and if you haven't set up all your cryptographic structure, you can't use LDAPS, so you need to use Kerberos instead.

I got it working like this: - do a simple bind to AD - kerberise your session - create a user account with a password but set it expired) now you can use a normal connection to set other properties.

// KRB5 connection details:
    System.setProperty("java.security.krb5.kdc", "domain.com");
    String username = "admin@DOMAIN.COM";
    String realm = "DOMAIN.COM";
    System.setProperty("java.security.krb5.realm", realm);
    System.setProperty("java.security.krb5.debug", "true");
    System.setProperty("sun.security.krb5.debug", "true");

// standard JNDI LDAP stuff:
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.PROVIDER_URL, "ldap://dc01.domain.com:389");
    env.put(Context.SECURITY_PRINCIPAL, username);       
    env.put(Context.SECURITY_CREDENTIALS, "abcd1234");

    ctxt = new InitialLdapContext(env, new Control [0]);

// kerberised connection details:
    LoginModule module;
    module = (LoginModule) Class.forName("com.sun.security.auth.module.Krb5LoginModule").newInstance();
    Subject subject = new Subject();
    Map<String, String> options = new HashMap<String, String>();
    Map<String, Object> sharedState = new HashMap<String, Object>();

    sharedState.put("javax.security.auth.login.password", properties.getProperty("ad.passwd").toCharArray());
    sharedState.put("javax.security.auth.login.name", username);
    options.put("principal", username);
    options.put("storeKey", "true");
    options.put("useFirstPass", "true");

    options.put("debug", "true");

    module.initialize(subject, null, sharedState, options);
    module.login();
    module.commit();       


// now create a user account:
    Subject.doAs(svc.getSubject(), new PrivilegedExceptionAction<Object>() {

            @Override
            public Object run() throws Exception {

                try {
                    String password = "\"Password1\"";
                    final Hashtable<String, String> env = svc.getEnvironment();
                    env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                    LdapContext ctxt = new InitialLdapContext(env, new Control[0]);
                    ModificationItem[] mods = new ModificationItem[1];
                    mods[0] = new     
                    ModificationItem(DirContext.REPLACE_ATTRIBUTE, new              
                    BasicAttribute("userPassword", password.getBytes("UTF-16LE")));
ModificationItem(DirContext.REPLACE_ATTRIBUTE, new     BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED)));
                    ctxt.modifyAttributes(dn, mods);
                }
                catch (NamingException e) { 
                    System.out.println("Failed to set password.");
                    e.printStackTrace();
                }
                return null;
            }
        });

Now you can change other settings as normal.

Hope that helps.

Jim


From http://forums.sun.com/thread.jspa?threadID=581444&messageID=3313188

Edit: the above link seems broken as a result of the sunoracle merger. The following seems to be the new location for the thread http://forums.oracle.com/forums/thread.jspa?threadID=1155430&start=0&tstart=0

public void addUserToGroup(LdapContext ctx, String userDN, String groupDN)
    throws NamingException {
    ModificationItem[] mods = new ModificationItem[1];
    mods[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
            new BasicAttribute("member", userDN));

    ctx.modifyAttributes(groupDN, mods);
}

public void removeUserFromGroup(LdapContext ctx, String userDN,
    String groupDN) throws NamingException {
    ModificationItem[] mods = new ModificationItem[1];
    mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
            new BasicAttribute("member", userDN));

    ctx.modifyAttributes(groupDN, mods);
}
0

精彩评论

暂无评论...
验证码 换一张
取 消