  1. package ldaptest;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
  11.  
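/**
 * Example code for retrieving a user's primary group from Microsoft Active
 * Directory via its LDAP API.
 *
 * <p>Active Directory does not list the primary group among a user's normal
 * group memberships; the user entry only carries the group's RID in
 * {@code primaryGroupID}. The group SID is therefore rebuilt from the user's
 * own {@code objectSid} (same domain prefix) plus that RID, and then resolved
 * to a group name with a second search.
 */
public class LDAPTest {

    /** Bytes in a binary SID header: revision, sub-authority count, 48-bit authority. */
    private static final int SID_HEADER_LENGTH = 8;

    /** Bytes in each little-endian sub-authority that follows the header. */
    private static final int SUB_AUTHORITY_LENGTH = 4;

    /**
     * Binds to the directory, looks up a user and prints its primary group name.
     *
     * @param args unused
     * @throws NamingException if the bind or any search fails
     */
    public static void main(String[] args) throws NamingException {

        // Port 3269 is the Global Catalog TLS port, so the scheme must be ldaps;
        // a simple bind over plain ldap:// would send the password in clear text.
        final String ldapAdServer = "ldaps://company.com:3269";
        final String ldapSearchBase = "dc=company,dc=com";

        // Placeholders for the example only: real credentials belong in injected
        // configuration or a secrets store, never in source control.
        final String ldapUsername = "ldapUsername";
        final String ldapPassword = "ldapPassword";

        final String ldapAccountToLookup = "ldapAccountToLookup";

        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        if (ldapUsername != null) {
            env.put(Context.SECURITY_PRINCIPAL, ldapUsername);
        }
        if (ldapPassword != null) {
            env.put(Context.SECURITY_CREDENTIALS, ldapPassword);
        }
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapAdServer);

        // ensures that objectSID attribute values
        // will be returned as a byte[] instead of a String
        env.put("java.naming.ldap.attributes.binary", "objectSID");

        // the following is helpful in debugging errors
        //env.put("com.sun.jndi.ldap.trace.ber", System.err);

        // The environment has to be handed to the context: the no-arg
        // InitialLdapContext constructor ignores everything configured above
        // (URL, credentials and the binary-attribute setting).
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            LDAPTest ldap = new LDAPTest();

            //1) lookup the ldap account
            SearchResult srLdapUser = ldap.findAccountByAccountName(ctx, ldapSearchBase, ldapAccountToLookup);
            if (srLdapUser == null) {
                // findAccountByAccountName returns null for both "no match" and
                // "ambiguous match"; either way there is nothing to resolve.
                System.err.println("No unique account found for: " + ldapAccountToLookup);
                return;
            }

            //2) get the SID of the users primary group
            String primaryGroupSID = ldap.getPrimaryGroupSID(srLdapUser);

            //3) get the users Primary Group
            String primaryGroupName = ldap.findGroupBySID(ctx, ldapSearchBase, primaryGroupSID);
            System.out.println("Primary group of " + ldapAccountToLookup + ": " + primaryGroupName);
        } finally {
            ctx.close();
        }
    }

    /**
     * Finds the single user entry whose {@code sAMAccountName} equals {@code accountName}.
     *
     * @param ctx            bound directory context
     * @param ldapSearchBase DN under which to search (subtree scope)
     * @param accountName    account name to match; passed as a filter argument so
     *                       LDAP filter metacharacters in it are escaped by JNDI
     *                       rather than changing the query
     * @return the matching entry, or {@code null} when there is no match or more than one
     * @throws NamingException if the search fails
     */
    public SearchResult findAccountByAccountName(DirContext ctx, String ldapSearchBase, String accountName) throws NamingException {
        return findUniqueEntry(ctx, ldapSearchBase,
                "(&(objectClass=user)(sAMAccountName={0}))", accountName,
                "Matched multiple users for the accountName: " + accountName);
    }

    /**
     * Resolves a group SID (string form, e.g. {@code S-1-5-21-...}) to the group's
     * {@code sAMAccountName}.
     *
     * @param ctx            bound directory context
     * @param ldapSearchBase DN under which to search (subtree scope)
     * @param sid            string-form SID; passed as a filter argument so it is escaped by JNDI
     * @return the group's account name, or {@code null} when there is no match or more than one
     * @throws NamingException if the search fails or the entry has no {@code sAMAccountName}
     */
    public String findGroupBySID(DirContext ctx, String ldapSearchBase, String sid) throws NamingException {
        SearchResult group = findUniqueEntry(ctx, ldapSearchBase,
                "(&(objectClass=group)(objectSid={0}))", sid,
                "Matched multiple groups for the group with SID: " + sid);
        if (group == null) {
            return null;
        }
        return (String) requireAttributeValue(group, "sAMAccountName");
    }

    /**
     * Derives the SID of the user's primary group.
     *
     * <p>The primary group is in the same domain as the user, so its SID is the
     * user's own SID with the trailing RID replaced by {@code primaryGroupID}.
     *
     * @param srLdapUser user entry carrying {@code objectSid} (binary) and {@code primaryGroupID}
     * @return the primary group SID in string form
     * @throws NamingException if either attribute is missing, or {@code objectSid}
     *                         was not returned as {@code byte[]}
     */
    public String getPrimaryGroupSID(SearchResult srLdapUser) throws NamingException {
        Object rawObjectSid = requireAttributeValue(srLdapUser, "objectSid");
        if (!(rawObjectSid instanceof byte[])) {
            // Happens when the context was created without the
            // java.naming.ldap.attributes.binary setting.
            throw new NamingException("objectSid was not returned as binary data; "
                    + "check the java.naming.ldap.attributes.binary environment setting");
        }
        String strPrimaryGroupID = (String) requireAttributeValue(srLdapUser, "primaryGroupID");

        String strObjectSid = decodeSID((byte[]) rawObjectSid);

        return strObjectSid.substring(0, strObjectSid.lastIndexOf('-') + 1) + strPrimaryGroupID;
    }

    /**
     * Converts a binary SID to its string form.
     *
     * <p>The binary data is in the form:
     * <pre>
     * byte[0]   - revision level
     * byte[1]   - count of sub-authorities
     * byte[2-7] - 48 bit authority (big-endian)
     * </pre>
     * and then count x 32 bit sub authorities (little-endian).
     *
     * <p>The String value is: S-Revision-Authority-SubAuthority[n]...
     * The authority is printed in decimal when it fits in 32 bits and as
     * {@code 0x}-prefixed hex otherwise.
     *
     * <p>Based on code from here - http://forums.oracle.com/forums/thread.jspa?threadID=1155740&amp;tstart=0
     *
     * @param sid binary SID as returned by Active Directory
     * @return the string-form SID
     * @throws IllegalArgumentException if {@code sid} is null, shorter than the
     *                                  8-byte header, or shorter than the length
     *                                  implied by its sub-authority count
     */
    public static String decodeSID(byte[] sid) {
        if (sid == null || sid.length < SID_HEADER_LENGTH) {
            throw new IllegalArgumentException(
                    "SID must be at least " + SID_HEADER_LENGTH + " bytes long");
        }

        // get version
        final int revision = sid[0] & 0xFF;

        //next byte is the count of sub-authorities
        final int countSubAuths = sid[1] & 0xFF;

        // validate up front so a truncated value cannot index past the array
        final int expectedLength = SID_HEADER_LENGTH + countSubAuths * SUB_AUTHORITY_LENGTH;
        if (sid.length < expectedLength) {
            throw new IllegalArgumentException("SID declares " + countSubAuths
                    + " sub-authorities but is only " + sid.length + " bytes long");
        }

        final StringBuilder strSid = new StringBuilder("S-").append(revision);

        //get the authority (big-endian)
        long authority = 0;
        for (int i = 2; i < SID_HEADER_LENGTH; i++) {
            // mask before widening: a plain (long) cast sign-extends bytes >= 0x80
            // and would set the upper bits of the authority
            authority = (authority << 8) | (sid[i] & 0xFFL);
        }
        strSid.append('-');
        if (authority < (1L << 32)) {
            strSid.append(authority);
        } else {
            strSid.append("0x").append(Long.toHexString(authority));
        }

        //iterate all the sub-auths (little-endian)
        int offset = SID_HEADER_LENGTH;
        for (int j = 0; j < countSubAuths; j++) {
            long subAuthority = 0;
            for (int k = 0; k < SUB_AUTHORITY_LENGTH; k++) {
                subAuthority |= (sid[offset + k] & 0xFFL) << (8 * k);
            }
            strSid.append('-').append(subAuthority);
            offset += SUB_AUTHORITY_LENGTH;
        }

        return strSid.toString();
    }

    /**
     * Runs a subtree search that must yield exactly one entry.
     *
     * <p>{@code filterArg} is substituted for {@code {0}} by JNDI, which escapes
     * it as a filter value; the caller never concatenates it into the filter.
     *
     * @param ctx              bound directory context
     * @param searchBase       DN under which to search
     * @param filterExpr       filter containing a {@code {0}} placeholder
     * @param filterArg        value substituted for {@code {0}}
     * @param duplicateMessage message printed to stderr when more than one entry matches
     * @return the single matching entry, or {@code null} for zero or several matches
     * @throws NamingException if the search fails
     */
    private static SearchResult findUniqueEntry(DirContext ctx, String searchBase, String filterExpr,
            String filterArg, String duplicateMessage) throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);

        NamingEnumeration<SearchResult> results =
                ctx.search(searchBase, filterExpr, new Object[] {filterArg}, searchControls);
        try {
            if (!results.hasMore()) {
                return null;
            }
            SearchResult first = results.next();

            //make sure there is not another item available, there should be only 1 match
            if (results.hasMore()) {
                System.err.println(duplicateMessage);
                return null;
            }
            return first;
        } finally {
            // the enumeration holds the server-side search open until closed
            results.close();
        }
    }

    /**
     * Returns the first value of a mandatory attribute.
     *
     * @param entry         search result to read from
     * @param attributeName attribute that must be present
     * @return the attribute's first value
     * @throws NamingException if the attribute is absent, so callers fail with a
     *                         clear message instead of a NullPointerException
     */
    private static Object requireAttributeValue(SearchResult entry, String attributeName) throws NamingException {
        Attribute attribute = entry.getAttributes().get(attributeName);
        if (attribute == null) {
            throw new NamingException("Entry " + entry.getNameInNamespace()
                    + " has no attribute " + attributeName);
        }
        return attribute.get();
    }
}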