[jcifs] Help!!

Michael B Allen mba2000 at ioplex.com
Tue Aug 29 17:39:42 GMT 2006


This code has a few problems.

1) It doesn't actually get groups, it just resolves a SID. Richard et
al. need to get the group RIDs and then convert those to names. Using
LDAP for that is problematic because just searching for all the memberOf
attributes doesn't perform proper group expansion (I'm not certain that
the GetGroupsForUser RPC does either but I would think it must since
that's what Windows used before Kerberos authentication_data). And
it doesn't give you RIDs so you have to then search for those. The
absolutely correct way to get the groups for a user is to extract them
from the authentication_data in their Kerberos ticket.

2) One should never use the simple LDAP authentication method without
SSL/TLS. At least not on a regular basis. Otherwise the password is passed
in clear text over the network which is a big no-no. The absolutely
correct way to authenticate with the LDAP server is to use the user's
delegated Kerberos credential with the SASL authentication method.

3) Using LDAP like this is slow although if you cached the RIDs and
used a search filter that retrieved multiple RID names at once it would
be bearable.

4) You don't need SUBTREE_SCOPE. I think OBJECT_SCOPE is what you want
(or whatever means "base" scope).

Mike

On Tue, 29 Aug 2006 18:22:44 +0200
Thomas Bley <thomas.bley at simple-groupware.de> wrote:

> Hello,
> 
> When using Active Directory you might use LDAP queries for getting 
> memberships ?
> e.g. I'm using this code to get the username out of a SID:
> 
> import java.util.Hashtable;
> import javax.naming.*;
> import javax.naming.directory.*;
> import javax.naming.ldap.*;
> 
> // Resolve a SID string to "(objectClass) cn" via a simple LDAP bind; returns the SID itself if nothing matches
> static String resolveSid(String sid, String ldap_server, String ldap_domain, String ldap_user,
>                          String ldap_pass, boolean ldap_useSSL, String ldap_dc) throws NamingException {
>     Hashtable<String, String> env = new Hashtable<String, String>();
>     env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>     env.put(Context.SECURITY_AUTHENTICATION, "simple");
>     // bind as DOMAIN\user when a domain is given (the original assigned this to an unused variable)
>     if (ldap_domain.length() > 0) ldap_user = ldap_domain + "\\" + ldap_user;
>     env.put(Context.SECURITY_PRINCIPAL, ldap_user);
>     env.put(Context.SECURITY_CREDENTIALS, ldap_pass);
>     if (ldap_useSSL) {
>         env.put(Context.SECURITY_PROTOCOL, "ssl");
>         env.put(Context.PROVIDER_URL, "ldap://" + ldap_server + ":636");
>     } else {
>         env.put(Context.PROVIDER_URL, "ldap://" + ldap_server + ":389");
>     }
>     LdapContext ctx = new InitialLdapContext(env, null);
>     try {
>         SearchControls searchCtls = new SearchControls();
>         String returnedAtts[] = {"cn", "objectClass"};
>         searchCtls.setReturningAttributes(returnedAtts);
>         searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
>         NamingEnumeration answer = ctx.search(ldap_dc, "(objectSID=" + sid + ")", searchCtls);
>         if (answer.hasMoreElements()) {
>             SearchResult sr = (SearchResult) answer.next();
>             Attributes attrs = sr.getAttributes();
>             if (sr.getName().length() > 0 && attrs != null &&
>                 attrs.get("objectClass") != null && attrs.get("cn") != null) {
>                 return "(" + attrs.get("objectClass").get(1) + ") " + attrs.get("cn").get();
>             }
>         }
>     } finally {
>         ctx.close(); // close on every path; the original only reached this on the not-found path
>     }
>     return sid;
> }
> 
> bye
> Thomas
> 
> 
> 
> richard.evans at thoughtbreak.com wrote:
> > Thanks Mike,
> > Does that mean we have to resign ourself to ..
> >  
> > "JCIFS extension netUserGetGroups does not work if the target user is 
> > a member of many groups "
> >  
> > .. or is there a way around the problem? I am not familiar with the 
> > underlying facility but would have hoped for some kind of iterative 
> > call to retrieve groups in page-loads may be an option.
> >  
> > Regards,
> > Richard
> >  
> >
> > +44(0)7985 437 517
> > richard.evans at thoughtbreak.com
> >
> >
> > ----- Original Message ----
> > From: Michael B Allen <mba2000 at ioplex.com>
> > To: richard.evans at thoughtbreak.com
> > Cc: bharati_t at thbs.com; jcifs at lists.samba.org
> > Sent: Tuesday, August 29, 2006 4:02:56 PM
> > Subject: Re: [jcifs] Help!!
> >
> > RAPs are limited to 64K. Take a look at Jarapac.
> >
> > On Tue, 29 Aug 2006 07:52:39 -0700 (PDT)
> > <richard.evans at thoughtbreak.com> wrote:
> >
> > > Hello Mike,
> > > It is in the RAP package of the JCIFS Extensions 
> > > http://sourceforge.net/projects/jcifs-ext/
> > > (I have the same problem!)
> > > Regards,
> > > Richard
> > >  
> > >
> > > +44(0)7985 437 517
> > > richard.evans at thoughtbreak.com
> > >
> > >
> > >
> > >
> > > ----- Original Message ----
> > > From: Michael B Allen <mba2000 at ioplex.com>
> > > To: Bharati <bharati_t at thbs.com>
> > > Cc: jcifs at lists.samba.org
> > > Sent: Tuesday, August 29, 2006 3:18:57 PM
> > > Subject: Re: [jcifs] Help!!
> > >
> > >
> > > On Tue, 29 Aug 2006 18:17:52 +0530
> > > "Bharati" <bharati_t at thbs.com> wrote:
> > >
> > > > Hi there,
> > > >
> > > > I am getting the error MORE_DATA_AVAILABLE while using netUserGetGroups.
> > > > I am unable to change the buffer size. Can anyone help me out of this?
> > > > Please tell me where I can change the buffer size and how I can 
> > > > get this error removed...
> > >
> > > JCIFS doesn't have a netUserGetGroups method. What package are you 
> > > using?
> > >
> > > Mike
> > >
> > > --
> > > Michael B Allen
> > > PHP Active Directory SSO
> > > http://www.ioplex.com/
> >
> >
> > -- 
> > Michael B Allen
> > PHP Active Directory SSO
> > http://www.ioplex.com/
> >
> 


-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
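The following is an added example (my own code, not from this thread or from jCIFS) that applies points 2 and 3 above in JNDI: a SASL GSSAPI bind in place of the cleartext simple bind, and a single OR-filter search that resolves every not-yet-cached SID to a name, with the cache held by the caller across requests. It assumes a JAAS Krb5LoginModule login is already in place (the call runs inside Subject.doAs) and that `baseDn` is the domain root; the `sidToString` decoder is standard binary SID layout, not anything from the thread.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
public class SidResolver {
    // SASL GSSAPI bind with the caller's Kerberos ticket, so no password crosses the wire.
    // Assumes a JAAS Krb5LoginModule login has already run and this is called inside Subject.doAs.
    public static LdapContext connect(String server) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + server + ":389");
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        env.put("javax.security.sasl.qop", "auth-conf"); // sign and seal the session after the bind
        env.put("java.naming.ldap.attributes.binary", "objectSid"); // return objectSid as byte[], not String
        return new InitialLdapContext(env, null);
    }
    // One filter for every uncached SID: (|(objectSid=S-1-5-21-...-513)(objectSid=...)); AD accepts the string form.
    static String buildFilter(Collection<String> sids) {
        StringBuilder f = new StringBuilder("(|");
        for (String s : sids) f.append("(objectSid=").append(s).append(')');
        return f.append(')').toString();
    }
    // AD returns objectSid as bytes; decode to S-1-... so each result can be matched to the requested SID.
    static String sidToString(byte[] b) {
        long authority = 0;
        for (int i = 2; i < 8; i++) authority = (authority << 8) | (b[i] & 0xff); // 48-bit big-endian
        StringBuilder s = new StringBuilder("S-").append(b[0] & 0xff).append('-').append(authority);
        for (int i = 0, o = 8; i < (b[1] & 0xff); i++, o += 4) // 32-bit little-endian sub-authorities
            s.append('-').append((b[o] & 0xffL) | ((b[o + 1] & 0xffL) << 8) | ((b[o + 2] & 0xffL) << 16) | ((b[o + 3] & 0xffL) << 24));
        return s.toString();
    }
    // Resolve many SIDs with one search; 'cache' (SID -> sAMAccountName) is kept by the caller across requests.
    public static Map<String, String> resolve(LdapContext ctx, String baseDn, Map<String, String> cache,
                                              Collection<String> sids) throws NamingException {
        List<String> missing = new ArrayList<String>();
        for (String s : sids) if (!cache.containsKey(s)) missing.add(s);
        if (!missing.isEmpty()) {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE); // base is the domain root and several objects match
            sc.setReturningAttributes(new String[] {"objectSid", "sAMAccountName"});
            NamingEnumeration<SearchResult> answer = ctx.search(baseDn, buildFilter(missing), sc);
            while (answer.hasMore()) {
                Attributes a = answer.next().getAttributes();
                cache.put(sidToString((byte[]) a.get("objectSid").get()), (String) a.get("sAMAccountName").get());
            }
        }
        Map<String, String> out = new LinkedHashMap<String, String>();
        for (String s : sids) out.put(s, cache.get(s)); // null for SIDs the directory does not know
        return out;
    }
}
```

Feeding the whole RID list from one request into `resolve` turns N round trips into one, and the cache makes repeat lookups free.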

