AD Authentication and Java

Well, it was only a matter of time before my job would require our Java apps to authenticate against Active Directory. For those who don't know what Active Directory (AD) is (myself included up till last year), AD is a Microsoft Windows implementation of LDAP. It is typically used in Windows 2000 based networks to tie together the standard IT resources like mail, calendars, and desktop computers. Those of us who are on a network that uses AD typically have a desktop that authenticates against AD, as well as MS Outlook for email. The good thing about a central authentication source for network credentials is that is allows for a single username and password to be used for things. Which can eventually lead to "Single Sign-On" (which will be discussed later, when I learn how to do it).

Anyway, a central source for authentication credentials also helps with web applications on that network, because now we no longer need to worry about password management, or user registration. That can reduce the project schedule by a week or two, depending on how strict your organization's password and user registration requirements are.

So, how do we do it? Well, it is actually pretty simple. Like I said, AD is basically another version of LDAP, so in Java you can use the Java Naming and Directory Interface (JNDI). There are a bunch of LDAP classes in the javax.naming.ldap package that can help. And because the Java API is so robust, it gives you a ton of flexibility to customize your code as much as possible. At the same time, it can seem a bit intimidating. Sun has some pretty good information on their website about LDAP authentication, which can also be used for AD Authentication. Lets take a look at some code.

Hashtable env = null;
DirContext ctx = null;
boolean isAuthenticated = false;

try {
try {
String loginId = "yourdomain\\avgwebgeek";
env = new Hashtable();   // hash table for your LDAP properties

// set up the LDAP properties
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://myadserver.mydomain.com:389");

// Set the authentication mechanism to be simple
env.put(Context.SECURITY_AUTHENTICATION, "simple");

// login credentials
env.put(Context.SECURITY_PRINCIPAL, loginId);
env.put(Context.SECURITY_CREDENTIALS, password);

// the following is helpful in debugging errors from the
// AD server side of things
//env.put("com.sun.jndi.ldap.trace.ber", System.err);

// Create the initial directory context
ctx = new InitialDirContext(env);
isAuthenticated = true;
} catch (AuthenticationException e) {
// this exception is typically found with incorrect credentials
e.printStackTrace();
} catch (NamingException e) {
e.printStackTrace();
}
} catch (Exception e) {
e.printStackTrace();
} finally {  
try {
ctx.close();
}catch (NamingException e) {
e.printStackTrace();
}
}

if (isAuthenticated) {
System.out.println("I am authenticated.");
} else {
System.out.println("I am not authenticated.");
}

This is a very simple application. It does the job, however, it is not very secure. The problem is that I am setting the Context.SECURITY_AUTHENTICATION to "simple". What this means is that your password is being sent over the network through clear text. If someone is running a network sniffer, they can read your password from your IP packets. One way around this is to make sure that your LDAP connection is handled over SSL. In other words, use "ldaps://" with port 636, and not "ldap://" on port 389.

If your server is not setup to handle SSL, or you just want a little extra security, you can change the Context.SECURITY_AUTHENTICATION to "DIGEST-MD5". However, as I found out, AD treats this a little differently. The concept of using "yourdomain\\yourusername" needs to be reduced to just "yourusername". It has something to do with how AD 2003 sets up the HASH for the MD5. This method will use a Hashing algorithm to be verified with the server, that you indeed know your password.

So, that's it for AD authentication. Like I said, the Java API can let you do a lot more. You can set up controls to do searches, find specific user information, and find groups assigned to users. AD groups can be used to help with the Authorization portion of your apps. Take a look at the javax.naming.ldap API, there is a lot there, but it isn't too hard to follow.

PHP and LDAP

The joys of authentication. So, now I am working on running some of our PHP apps to authenticate against Active Directory (AD). Well, my limited knowledge in AD is telling me that it shouldn't be too hard. After all, AD is just a Microsoft interface to LDAP. Right?

Well, it turns out that, yeah, from a PHP perspective, it is. It is actually pretty easy, once you are comfortable with working with an LDAP structure.

So, here is the basics of it. I have a simple page that all it does is print out the results of a simple authentication to an AD server:

<html>
<body> 
<h1>AD Test</h1>
<?php
// Variables to use with ldap_bind
$ldapuser  = 'username@some.domain.com';     // ldap username with suffix
$ldappasswd = 'notmyrealpw';  // associated password

// connect to AD server
$adconn = ldap_connect("ad_controler.myco.com")
or die("Could not connect to LDAP server.");

// if a connection was made attempt a binding
if ($adconn) {

// bind to ldap
$ldapbind = ldap_bind($ldapconn, $ldapuser , $ldappass);  

// Check authentication
if ($ldapbind) {
echo "User is authenticated.";
} else {
echo "User was not authenticated.";
}

// unbind the connection
ldap_unbind($adconn);
}
?>
</body>
</html>

Basically, you have your username, for example avgwebgeek. Then you have a suffix, which is your account suffix for your domain, for example "@myco.com". Put them together (along with a password) and you have your AD authentication information. Of course, the username and password would be sent through request parameters. Granted, this is a pretty simplistic view of AD authentication. You can do a whole lot more, like searching, and updating AD information. I learned all about it by looking through the adLDAP Project. The hard part was realizing that I didn't have PHP enabled on my server. Hint: if you get a message like "Call to undefined function: ldap_connect() ", that means that your LDAP isn't enabled for PHP. The adLDAP page has a FAQ that explains that as well.

Where’s my data coming from?????

I work on applications that interface with other applications using Web Services, and XML feeds. These apps help track employee information for different companies to track thing like pay, performance, and security issues. The problem is, I don’t know where the actual content is originating from. That can be problematic, because you are assuming that your data provider will let you know if there is a format change or discontinuation coming down the pipe. Typically, the provider will let you know, somehow. However, in the case of systems “piggy backing” on data of other systems, then in turn, providing that data to further systems, eventually, the message of change gets lost.

I found this out the hard way a couple weeks ago. Luckily for me, it was for a low priority system. I manage a series of blogs for a corporation. I don’t manage the content, but I taker care of the themes and plugins. One of the plugins that I wrote was a “Company Updates” plugin, basically an RSS type of news reader that uses plain XML, and not the RSS standard. The data was coming from what I thought to be the HR department. However, they were just sending it to me through a XML feed, as they were getting it from a small group in the company who were generating the data by hand. Well this group changed the format of the XML tags, and notified HR. But HR didn’t notify me. All of a sudden, I come to work and all of the Blog users were calling me because the “Company Updates” feed was busted. I noticed the change in the XML feed, so I fixed the problem. However I couldn’t understand why I wasn’t notified.

I contacted HR, and they didn’t know anything because they never wrote the Change notification down. Apparently the employee who was notified about the change assumed that in my super natural power over XML feeds, my plugin would have updated dynamically with the XML change. True, if I had a DTD or Schema, I could have written a more intelligent plugin, but I didn’t have a DTD or Schema, and this was a pretty small system. In this case, it is easier to modify the code as changes occur. Anyway, the HR people got me in touch with the group who produces the feed. They told me about the notifications. Needless to say, I switched the origin of the feed to this group.

The moral of the story is that documentation is a REALLY good thing. In this case the problem was small, and easily rectified. However, it made me review my other interfaces, and I decided to write up a Provider/Consumer agreement about data, so the actual origin of the data is known. This agreement is review by all parties in involved and helps to keep me in the loop when changes happen.

Sun buys MySQL

I just read on Slashdot that Sun Microsystems acquired MySQL. That is of particular interest to me because I love MySQL. I use it for all of my side projects and some of my professional projects. It should be interesting because MySQL has gained a lot of popularity with PHP developers and the whole LAMP (Linux, Apache, MySQL, and either Perl, Python, or PHP) movement. Many web developers who use MySQL, don't seem to think of Java as the first language to use with it. Java, being Sun's major programming platform, is now going to be linked to MySQL. So I wonder if the LAMP acronym might be changed to LAMJ???? I know, that doesn't make much sense. But from my perspective, a web developer who loves to develop in Java, that combination opens a lot of doors.

This acquisition might also open MySQL up to a more professional world. For the past 10 years, though MySQL has been used in some minor projects and applications, the big question I always see in regards to databases is "Oracle or SQL Server?" Many of the organizations I worked for didn't really trust MySQL. So now, I wonder if companies and organizations might change their mind, now that MySQL has Sun behind them.