[jcifs] Help!!

Bharati bharati_t at thbs.com
Wed Aug 30 09:31:30 GMT 2006


Hi,

Thanks for the replies.
Since I couldn't use jcifs-ext for a user with many groups,
can you suggest any other workaround that I can use?
I need to authorise the user for a particular domain and
authenticate him to use certain resources.

Thanks and Regards,

Bharati Trivedi
Associate Software Engineer
Torry Harris Business Solutions
Bangalore

"There is a time for departure even when there's no certain place to go."
    -- Tennessee Williams


----- Original Message ----- 
From: "Richard Evans" <richard.evans at thoughtbreak.com>
To: "'Michael B Allen'" <mba2000 at ioplex.com>; "'Thomas Bley'" 
<thomas.bley at simple-groupware.de>
Cc: <bharati_t at thbs.com>; <jcifs at lists.samba.org>
Sent: Wednesday, August 30, 2006 2:03 PM
Subject: RE: [jcifs] Help!!


> Thanks, Mike, for such a full answer.
>
> At the risk of pushing my luck...
>
> Do you have any pointers for extracting roles from the Kerberos ticket? Is
> it straightforward to get at & interpret the data with jcifs spnego
> extensions?
>
> Failing that...
>
> I have a very simple need to restrict access to one community of users. If I
> were to use NTLM I could set jcifs.smb.client.logonShare to a resource
> accessible just to my target community. Is there an analogous approach with
> Kerberos?
>
> Thanks again for your time
> Richard
>
>
>
> Richard Evans
> www.thoughtbreak.com
> 07985 437 517
> -----Original Message-----
> From: Michael B Allen [mailto:mba2000 at ioplex.com]
> Sent: 29 August 2006 18:40
> To: Thomas Bley
> Cc: richard.evans at thoughtbreak.com; bharati_t at thbs.com;
> jcifs at lists.samba.org
> Subject: Re: [jcifs] Help!!
>
> This code has a few problems.
>
> 1) It doesn't actually get groups it just resolves a sid. Richard et
> al need to get the group rids and then convert those to names. Using
> LDAP for that is problematic because just searching for all the memberOf
> attributes doesn't perform proper group expansion (I'm not certain that
> the GetGroupsForUser RPC does either but I would think it must since
> that's what Windows used before Kerberos authentication_data). And
> it doesn't give you RIDs so you have to then search for those. The
> absolutely correct way to get the groups for a user is to extract them
> from the authentication_data in their Kerberos ticket.
>
> 2) One should never use the simple LDAP authentication method without
> SSL/TLS. At least not on a regular basis. Otherwise the password is passed
> in clear text over the network which is a big no-no. The absolutely
> correct way to authenticate with the LDAP server is to use the user's
> delegated kerberos credential with the SASL authentication method.
>
> 3) Using LDAP like this is slow although if you cached the RIDs and
> used a search filter that retrieved multiple RID names at once it would
> be bearable.
>
> 4) You don't need SUBTREE_SCOPE. I think OBJECT_SCOPE is what you want
> (or whatever means "base" scope).
>
> Mike
>
> On Tue, 29 Aug 2006 18:22:44 +0200
> Thomas Bley <thomas.bley at simple-groupware.de> wrote:
>
>> Hello,
>>
>> When using Active Directory you might use LDAP queries for getting
>> memberships ?
>> e.g. I'm using this code to get the username out of a SID:
>>
>>         import java.util.Hashtable;
>>         import javax.naming.*;
>>         import javax.naming.directory.*;
>>         import javax.naming.ldap.*;
>>
>>         // Resolves one objectSid to "(objectClass) cn"; hands back the SID itself if nothing matches.
>>         // ldap_domain, ldap_user, ldap_pass, ldap_server, ldap_useSSL and ldap_dc are configured elsewhere.
>>         String sidToName(String sid) throws NamingException {
>>             Hashtable env = new Hashtable();
>>             env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
>>             env.put(Context.SECURITY_AUTHENTICATION,"simple");
>>
>>             // bind as DOMAIN\user when a domain is configured
>>             if (ldap_domain.length()>0) ldap_user = ldap_domain+"\\"+ldap_user;
>>             env.put(Context.SECURITY_PRINCIPAL,ldap_user);
>>             env.put(Context.SECURITY_CREDENTIALS,ldap_pass);
>>             if (ldap_useSSL) {
>>                 env.put(Context.SECURITY_PROTOCOL, "ssl");
>>                 env.put(Context.PROVIDER_URL,"ldap://"+ldap_server+":636");
>>             } else {
>>                 env.put(Context.PROVIDER_URL,"ldap://"+ldap_server+":389");
>>             }
>>             LdapContext ctx = new InitialLdapContext(env,null);
>>             try {
>>                 SearchControls searchCtls = new SearchControls();
>>                 String returnedAtts[]={"cn","objectClass"};
>>                 searchCtls.setReturningAttributes(returnedAtts);
>>                 searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
>>                 NamingEnumeration answer = ctx.search(ldap_dc, "(objectSID="+sid+")", searchCtls);
>>                 if (answer.hasMoreElements()) {
>>                     SearchResult sr = (SearchResult)answer.next();
>>                     Attributes attrs = sr.getAttributes();
>>                     if (sr.getName().length()>0 && attrs != null &&
>>                         attrs.get("objectClass")!=null && attrs.get("cn")!=null) {
>>                         // objectClass is multi-valued (e.g. top, group); the second value is the one shown
>>                         return "("+attrs.get("objectClass").get(1)+") "+attrs.get("cn").get();
>>                     }
>>                 }
>>                 return sid;
>>             } finally {
>>                 ctx.close();   // release the connection on every path, not only when nothing was found
>>             }
>>         }
>>
>> bye
>> Thomas
>>
>>
>>
>> richard.evans at thoughtbreak.com wrote:
>> > Thanks Mike,
>> > Does that mean we have to resign ourselves to ..
>> >
>> > "JCIFS extension netUserGetGroups does not work if the target user is
>> > a member of many groups "
>> >
>> > .. or is there a way around the problem? I am not familiar with the
>> > underlying facility but would have hoped for some kind of iterative
>> > call to retrieve groups in page-loads may be an option.
>> >
>> > Regards,
>> > Richard
>> >
>> >
>> > +44(0)7985 437 517
>> > richard.evans at thoughtbreak.com <mailto:richard.evans at thoughtbreak.com>
>> >
>> >
>> > ----- Original Message ----
>> > From: Michael B Allen <mba2000 at ioplex.com>
>> > To: richard.evans at thoughtbreak.com
>> > Cc: bharati_t at thbs.com; jcifs at lists.samba.org
>> > Sent: Tuesday, August 29, 2006 4:02:56 PM
>> > Subject: Re: [jcifs] Help!!
>> >
>> > RAPs are limited to 64K. Take a look at Jarapac.
>> >
>> > On Tue, 29 Aug 2006 07:52:39 -0700 (PDT)
>> > <richard.evans at thoughtbreak.com> wrote:
>> >
>> > > Hello Mike,
>> > > It is in the RAP package of the JCIFS Extensions
>> > > http://sourceforge.net/projects/jcifs-ext/
>> > > (I have the same problem!)
>> > > Regards,
>> > > Richard
>> > >
>> > >
>> > > +44(0)7985 437 517
>> > > richard.evans at thoughtbreak.com
>> > >
>> > >
>> > >
>> > >
>> > > ----- Original Message ----
>> > > From: Michael B Allen <mba2000 at ioplex.com>
>> > > To: Bharati <bharati_t at thbs.com>
>> > > Cc: jcifs at lists.samba.org
>> > > Sent: Tuesday, August 29, 2006 3:18:57 PM
>> > > Subject: Re: [jcifs] Help!!
>> > >
>> > >
>> > > On Tue, 29 Aug 2006 18:17:52 +0530
>> > > "Bharati" <bharati_t at thbs.com> wrote:
>> > >
>> > > > Hi there,
>> > > >
>> > > > Am getting the error MORE_DATA_AVAILABLE while using netUserGetGroups.
>> > > > Am unable to change the buffer size. Can anyone help me out of this?
>> > > > Please tell me where I can change the buffer size and how I can
>> > > > get this error removed...
>> > >
>> > > JCIFS doesn't have a netUserGetGroups method. What package are you
>> > using?
>> > >
>> > > Mike
>> > >
>> > > --
>> > > Michael B Allen
>> > > PHP Active Directory SSO
>> > > http://www.ioplex.com/
>> >
>> >
>> > -- 
>> > Michael B Allen
>> > PHP Active Directory SSO
>> > http://www.ioplex.com/
>> >
>>
>
>
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 

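The points Mike raises in his reply (bind with the user's Kerberos credential over TLS rather than a clear-text simple bind, fetch several RID/SID names in one search instead of one query per group, and cache the results) can be put together in a single JNDI class. The code below is an added example written for this thread; it is not jCIFS or jcifs-ext code and not something any of the posters wrote. It assumes a domain controller reachable as `dc01.example.test` with base DN `DC=example,DC=test`, that the calling thread already holds a Kerberos ticket from a JAAS `Krb5LoginModule` login (it runs under `Subject.doAs`, which is where JNDI's GSSAPI mechanism takes its credential from), and that the SIDs handed in came from elsewhere, for instance the group SIDs of the user's Kerberos PAC as Mike suggests. Only the SID-to-name step is shown.

```java
import java.util.*;
import java.util.regex.Pattern;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

/**
 * Resolves a batch of Windows SIDs to "(objectClass) cn" strings with ONE LDAP search,
 * binding with SASL/GSSAPI (Kerberos) over LDAPS. Added example, not jCIFS code.
 */
public class SidNameResolver {
    // Only the textual SID form is ever spliced into the filter; anything else is
    // rejected, so caller-supplied data cannot become LDAP filter syntax.
    private static final Pattern SID_FORM = Pattern.compile("S-1-\\d+(-\\d+)+");

    private final String providerUrl;
    private final String baseDn;
    private final Map<String, String> cache = new HashMap<>();  // SID -> display name

    public SidNameResolver(String dcHost, String baseDn) {
        this.providerUrl = "ldaps://" + dcHost + ":636";  // TLS; never a clear-text simple bind
        this.baseDn = baseDn;
    }

    /** GSSAPI bind: JNDI uses the Kerberos ticket of the JAAS Subject the caller runs under,
     *  so no password is placed in the environment or sent to the server. */
    private Hashtable<String, String> env() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth");                 // TLS already protects the channel
        env.put("java.naming.ldap.attributes.binary", "objectSid"); // return objectSid as byte[]
        return env;
    }

    /** Resolves every SID in one round trip: (|(objectSid=S-..)(objectSid=S-..)...). */
    public Map<String, String> resolve(Collection<String> sids) throws NamingException {
        Map<String, String> out = new LinkedHashMap<>();
        List<String> missing = new ArrayList<>();
        for (String sid : sids) {
            if (!SID_FORM.matcher(sid).matches()) throw new IllegalArgumentException("bad SID: " + sid);
            String hit = cache.get(sid);
            if (hit != null) out.put(sid, hit); else missing.add(sid);
        }
        if (missing.isEmpty()) return out;   // all served from cache, no DC traffic

        StringBuilder filter = new StringBuilder("(|");
        for (String sid : missing) filter.append("(objectSid=").append(sid).append(')');
        filter.append(')');

        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);   // one query across the whole domain
        sc.setReturningAttributes(new String[] {"cn", "objectClass", "objectSid"});

        LdapContext ctx = new InitialLdapContext(env(), null);
        try {
            NamingEnumeration<SearchResult> answer = ctx.search(baseDn, filter.toString(), sc);
            while (answer.hasMore()) {
                Attributes a = answer.next().getAttributes();
                Attribute sidAttr = a.get("objectSid"), oc = a.get("objectClass"), cn = a.get("cn");
                if (sidAttr == null || oc == null || cn == null) continue;
                String sid = sidToString((byte[]) sidAttr.get());
                String name = "(" + oc.get(oc.size() - 1) + ") " + cn.get();  // last class = most specific
                cache.put(sid, name);
                out.put(sid, name);
            }
        } finally {
            ctx.close();   // release the connection on every path
        }
        for (String sid : missing) out.putIfAbsent(sid, sid);  // unknown SID: hand back the raw SID
        return out;
    }

    /** Binary SID -> "S-1-5-21-...": revision, sub-authority count, 48-bit big-endian
     *  identifier authority, then 32-bit little-endian sub-authorities. */
    static String sidToString(byte[] b) {
        StringBuilder s = new StringBuilder("S-").append(b[0] & 0xff);
        int count = b[1] & 0xff;
        long authority = 0;
        for (int i = 2; i < 8; i++) authority = (authority << 8) | (b[i] & 0xff);
        s.append('-').append(authority);
        for (int i = 0; i < count; i++) {
            int o = 8 + 4 * i;
            long sub = (b[o] & 0xffL) | ((b[o + 1] & 0xffL) << 8)
                     | ((b[o + 2] & 0xffL) << 16) | ((b[o + 3] & 0xffL) << 24);
            s.append('-').append(sub);
        }
        return s.toString();
    }

    public static void main(String[] args) throws NamingException {
        // Assumed host and base DN; run inside Subject.doAs(...) after a Krb5LoginModule login.
        SidNameResolver r = new SidNameResolver("dc01.example.test", "DC=example,DC=test");
        System.out.println(r.resolve(Arrays.asList("S-1-5-21-1-2-3-512", "S-1-5-21-1-2-3-513")));
    }
}
```

The host name must be the DC's FQDN, because the GSSAPI bind requests a ticket for `ldap/<host>`. `SUBTREE_SCOPE` is kept here only because the batched OR filter has to cover the whole domain; when looking up a single SID, Active Directory also accepts `<SID=S-1-5-...>` as a search base, and with `OBJECT_SCOPE` that is the base-scope lookup Mike refers to in his fourth point.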