Establishing LDAP Connection with User not listed in Active Directory


I have an IP, username, and password that I use to connect to Active Directory via Active Directory Explorer. I'm attempting to establish a connection via Java using these credentials. However, the account that I log in to the server with is not listed in AD.

IP="1.1.1.20"
Username="Bob"
Password="password123"

To further complicate things, the base DN of the Active Directory I'm connecting to on 1.1.1.20 is different from the base DN included in the full DN of the user.

The base DN of 1.1.1.20 is dc=test,dc=this,dc=com, whereas the DN of the account I'm using to log in is

CN=Bob,OU=People,OU=Something,OU=Blah,DC=Fake,DC=Data,DC=local,DC=com

I have tried every combination of username and DN I can think of, using the code snippet below, to establish a connection.

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://1.1.1.20:389");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, "CN=Bob,OU=People,OU=Something,OU=Blah,DC=Fake,DC=Data,DC=local,DC=com");
env.put(Context.SECURITY_CREDENTIALS, "password123");
DirContext ctx = null;
try {
    ctx = new InitialDirContext(env);
} catch (NamingException e) {
    e.printStackTrace();
}

I am able to establish an anonymous connection when I comment out the lines for SECURITY_PRINCIPAL and SECURITY_CREDENTIALS, but I cannot create a connection when using the username and password provided to me for Active Directory Explorer.

I know that the username and password are correct because I can log in with them using Active Directory explorer, so I'm assuming the issue is arising when I am combining the username and baseDN to create the principal.

Is it even possible, or would the account I'm using to log in need to be found on the same server I am viewing?


Answer by Gabriel Luci (18 votes):

It seems you know the full DN of the account you're using, so that should work.

I suspect that simple authentication is disabled on the domain, or isn't allowed because the account is on a different domain than you're connecting to.

So it might be as easy as changing the authentication method to Kerberos. Try replacing the line that sets Context.SECURITY_AUTHENTICATION with this:

env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");

See this answer for more details.

Update: If that doesn't work, then you can use AD Explorer to check the supported authentication mechanisms.

  1. Right-click the root of the domain, and click 'Properties'.
  2. Click the 'RootDSE Attributes' tab.
  3. Look for the "supportedSASLMechanisms" attribute (probably the last in the list).

Try each of the values in that attribute and see if any of them work.
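As an added example (not the asker's code and not from Gabriel Luci's answer), the RootDSE check from the steps above done from Java: an anonymous read of supportedSASLMechanisms and namingContexts, followed by a bind attempt with a chosen mechanism so the server's rejection reason is visible. The host and DN are the question's values; the LDAP_PASSWORD environment variable and the class name are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class RootDseProbe {
    // Host and DN from the question; the password is read from the environment, not hard-coded.
    static final String URL = "ldap://1.1.1.20:389";
    static final String USER_DN = "CN=Bob,OU=People,OU=Something,OU=Blah,DC=Fake,DC=Data,DC=local,DC=com";

    /** Anonymous read of the RootDSE, the same data AD Explorer shows under 'RootDSE Attributes'. */
    static Attributes readRootDse() throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        // No principal or credentials: the anonymous bind the question says already works.
        DirContext ctx = new InitialDirContext(env);
        try {
            // The empty DN names the RootDSE; request only the attributes of interest.
            return ctx.getAttributes("", new String[] {"supportedSASLMechanisms", "namingContexts"});
        } finally {
            ctx.close();
        }
    }

    /** Attempt a bind with one mechanism; true on success, false (printing the server's reason) otherwise. */
    static boolean tryBind(String mechanism, String principal, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, mechanism); // "simple", "DIGEST-MD5", "GSSAPI", ...
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            new InitialDirContext(env).close();
            return true;
        } catch (NamingException e) {
            // AD appends a "data NNN" code to the message: 52e = bad credentials, 525 = user not found.
            System.out.println(mechanism + " bind failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        Attributes rootDse = readRootDse();
        System.out.println("supportedSASLMechanisms = " + rootDse.get("supportedSASLMechanisms"));
        System.out.println("namingContexts = " + rootDse.get("namingContexts"));
        String password = System.getenv("LDAP_PASSWORD"); // must be set: Hashtable rejects a null value
        tryBind("simple", USER_DN, password);
    }
}
```

Two caveats when trying the other mechanisms with tryBind: "GSSAPI" in JNDI needs an existing Kerberos login context (a JAAS Krb5LoginModule login and Subject.doAs around the InitialDirContext), and a simple bind on port 389 sends the password in the clear, so prefer ldaps:// or StartTLS outside of a test.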