Topic: LDAP Proxy Authorization Control -- Code Example

SteveHB (member, offline)
posts: 113
joined: 05/31/2006
from: Mountain View, CA

LDAP Proxy Authorization Control -- Code Example |
The Proxy Authorization Control allows a client to request that an operation be processed under a provided authorization identity instead of under the current authorization identity associated with the connection.
The structure of this control is as follows:
ProxiedAuthorizationControl ::= SEQUENCE {
    controlType 2.16.840.1.113730.3.4.18,
    criticality BOOLEAN DEFAULT FALSE,
    controlValue proxiedAuthorizationControlValue optional
}

SteveHB

A code example of Proxy Authentication Control JNDI Client |
(Note: JNDI Boost package is required to run this code)
/**
 * A code example of Proxy Authentication Control JNDI Client
 * Note: JDK 1.5 or higher and the JNDI Boost package are required for this example to run.
 */
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import com.sun.jndi.ldap.ctl.ProxiedAuthorizationControl;
import java.util.Hashtable;

public class ProxiedUserControlJndiClient
{
    static final String PROXY_AUTHORIZATION_CONTROL_OID = "2.16.840.1.113730.3.4.18";

    public static void main(String[] args)
    {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://myserver.mydomain.com:389");
        /* The bind identity; the server decides whether it may act as the authzId requested below */
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "mytest");
        env.put(Context.SECURITY_CREDENTIALS, "mypassword");

        try {
            /* Open an LDAP connection for the provided principal and credentials */
            LdapContext ctx = new InitialLdapContext(env, null);
            /* Query the server to see if the control is supported */
            if (!isProxyAuthorizationControlSupported(ctx)) {
                System.out.println(
                    "The server does not support Proxy Authorization Control.");
                ctx.close();
                System.exit(1);
            }
            /* Activate the control; the authzId carries the "dn:" prefix (see the next post for what happens without it) */
            ctx.setRequestControls(new Control[] {
                new ProxiedAuthorizationControl("dn:uid=proxyUser,ou=People,o=mydomain")});
            /* This read is evaluated under the proxied identity's access rights */
            Attributes attrs = ctx.getAttributes("uid=proxiedUser,ou=People,o=mydomain");
            System.out.println(attrs);
            /* Close the LDAP association */
            ctx.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Is Proxy Authorization Control supported?
     *
     * Query the rootDSE object to find out if the Proxy Authorization Control
     * is supported, i.e. whether its OID is listed in supportedControl.
     */
    static boolean isProxyAuthorizationControlSupported(LdapContext ctx)
        throws NamingException
    {
        SearchControls ctl = new SearchControls();
        ctl.setReturningAttributes(new String[] {"supportedControl"});
        ctl.setSearchScope(SearchControls.OBJECT_SCOPE);
        /* search for the rootDSE object: empty base DN, base scope */
        NamingEnumeration<SearchResult> results = ctx.search("", "(objectClass=*)", ctl);
        while (results.hasMore())
        {
            SearchResult entry = results.next();
            NamingEnumeration<? extends Attribute> attrs = entry.getAttributes().getAll();
            while (attrs.hasMore())
            {
                Attribute attr = attrs.next();
                NamingEnumeration<?> vals = attr.getAll();
                while (vals.hasMore())
                {
                    String value = (String) vals.next();
                    if (value.equals(PROXY_AUTHORIZATION_CONTROL_OID))
                        return true;
                }
            }
        }
        return false;
    }
}

SteveHB

The above example has been tested to work with SunOne Directory Server 5.2.

SteveHB

Missing DN in AuthzID |
If the prefix 'dn:' is missing in the above example, like the following:

    /* Activate the control */
    ctx.setRequestControls(new Control[] {
        new ProxiedAuthorizationControl("uid=proxyUser,ou=People,o=mydomain")});

then running it against SunOne would return an error similar to this:

javax.naming.CommunicationException: [LDAP: error code 2 - Protocol Error]; remaining name 'uid=proxyUser,ou=People,o=mydomain'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3053)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1812)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
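The control structure quoted in the opening post and the missing 'dn:' prefix in this post, as an added example that is not part of the thread or of the JNDI Boost package: a small Python routine that checks the authzId form before sending it (RFC 4513 allows "dn:" followed by a DN, "u:" followed by a user id, or an empty string for anonymous), BER-encodes the LDAP Control around it (controlType is an LDAPOID, i.e. the dotted OID string carried as an OCTET STRING; RFC 4370 requires criticality TRUE; the controlValue is the raw authzId octets), and decodes a Control back into its fields, which is handy when checking a captured request. The helper names and the simplified DN regex are my own; the OID and the sample authzIds are the ones used in the thread.

```python
# Added example (not from the forum thread): validate an LDAP authzId, then
# BER-encode the Proxied Authorization Control (RFC 4370) around it, plus a
# decoder for inspecting a captured Control. Helper names and the DN regex are
# constructed here; the OID is the one quoted in the thread.
import re

PROXIED_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

# Loose RDN check ("attr=value", multi-valued RDNs joined by "+"). RFC 4514 also
# allows escaped commas and OID-named attributes, which this constructed check
# ignores; it exists to catch the prefix-less DN shown in the thread.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,+]+(\+[A-Za-z][A-Za-z0-9-]*=[^,+]+)*$")

def validate_authzid(authzid: str) -> str:
    """Return authzid unchanged if it has an RFC 4513 form, else raise ValueError.
    Accepted: "" (anonymous), "dn:<distinguishedName>", "u:<userid>"."""
    if authzid == "":
        return authzid
    if authzid.startswith("dn:"):
        dn = authzid[3:]
        if dn and all(_RDN_RE.match(rdn.strip()) for rdn in dn.split(",")):
            return authzid
        raise ValueError("malformed DN in authzId: %r" % authzid)
    if authzid.startswith("u:"):
        if authzid[2:]:
            return authzid
        raise ValueError("empty userid in authzId")
    # A bare DN lands here: the slip that drew protocolError (code 2) above.
    raise ValueError("authzId must start with 'dn:' or 'u:' (got %r)" % authzid)

def is_valid_authzid(authzid: str) -> bool:
    """Boolean form of validate_authzid()."""
    try:
        validate_authzid(authzid)
        return True
    except ValueError:
        return False

def _ber_len(n: int) -> bytes:
    """Definite-form BER length octets (X.690 8.1.3)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content

def encode_proxied_authz_control(authzid: str) -> bytes:
    """BER-encode RFC 4511 Control { controlType, criticality, controlValue }.
    controlType is an LDAPOID, i.e. the dotted string as an OCTET STRING (0x04),
    not an ASN.1 OBJECT IDENTIFIER; RFC 4370 requires criticality TRUE and the
    controlValue is the raw authzId octets with no further wrapping."""
    value = validate_authzid(authzid).encode("utf-8")
    control_type = _tlv(0x04, PROXIED_AUTHZ_OID.encode("ascii"))
    criticality = _tlv(0x01, b"\xff")
    control_value = _tlv(0x04, value)
    return _tlv(0x30, control_type + criticality + control_value)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_control(data: bytes) -> dict:
    """Parse one BER-encoded LDAP Control into its three fields."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    out = {"controlType": oid.decode("ascii"), "criticality": False, "controlValue": None}
    if pos < len(seq) and seq[pos] == 0x01:  # optional BOOLEAN
        _, content, pos = _read_tlv(seq, pos)
        out["criticality"] = content != b"\x00"
    if pos < len(seq):  # optional OCTET STRING
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x04:
            raise ValueError("controlValue must be an OCTET STRING")
        out["controlValue"] = content
    if pos != len(seq):
        raise ValueError("trailing bytes in Control")
    return out

if __name__ == "__main__":
    good = "dn:uid=proxyUser,ou=People,o=mydomain"  # authzId from the thread
    bad = "uid=proxyUser,ou=People,o=mydomain"      # the prefix-less slip
    print(decode_control(encode_proxied_authz_control(good)))
    print("prefix-less DN accepted locally:", is_valid_authzid(bad))
```

Rejecting the prefix-less form on the client side turns the server's opaque protocolError into a message that names the actual mistake; the decoder does the reverse job and shows, for a Control pulled out of a capture, whether criticality was set and exactly which identity was requested.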

SteveHB

OperationNotSupportedException - Active Directory Doesn't Support LDAP Proxy Authorization Control |
Running the above example against AD would return an error similar to this:

The server does not support Proxy Authorization Control.
javax.naming.OperationNotSupportedException: [LDAP: error code 12 - 00000057: LdapErr: DSID-0C090591, comment: Error processing control, data 0, v893]; remaining name 'uid=proxyUser,ou=People,o=mydomain'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3065)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1812)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)