I'm able to authenticate to Active Directory if there is need to configure only one AD server. The solution is given as Active Directory authentication through ssl as anonymous user by me.
Now I'm stuck when there is multiple ADs running behind a Load Balancer.
Since Load Balancer is in between, I will get the Host name only and the IP of AD will be replaced with the Host name behind the Load Balancer based on the availability. Therefore, I won't be able to know which Active Directory server will be used to process my request of authentication. So , I won't be able to generate the certificate in advance. Also, I can't get the IPs of ADs my client is using for balancing the load(for security reasons). so there is no point of generating jssecacert. All I need to do is to disable the certificate validation. I'm using LdapTemplate class(using spring-ldap 1.3.1) to authenticate the user. My spring Config looks like this...
<bean id="ldapTemplate" class="org.springframework.ldap.core.LdapTemplate">
<property name="contextSource" ref="contextSource" />
<property name="ignorePartialResultException" value="yes" />
</bean>
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldaps://xxx.xxx.xxx.xxx:636" />
</bean>
The authenticate method:
public boolean login(String username, String password) {
System.setProperty("javax.net.ssl.trustStore",
.../jssecacerts");
boolean authenticate=false;
AndFilter filter = new AndFilter();
filter.and(new EqualsFilter("xyz","xyz"));
filter.and(new EqualsFilter("xyz", xyz));
authenticate = this.ldapTemplate.authenticate(base, filter.encode(), password);
return authenticate;
}
Since we don't need to have certificate System.setProperty("javax.net.ssl.trustStore",
.../jssecacerts");
will not be needed.
What changes I need to make to disable the certificate validation.
I'm pretty new in LDAP stuff. , Kindly help with appropriate answer.
The LDAP is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using SSL/Transport Layer Security (TLS) technology.
Just like websites secured with HTTPS, LDAPS requires X. 509 certificates signed by a trusted root certificate authority to function properly.
Well, Thanks to Darren Hauge for providing a tricky solution that will not care about ssl certificate. Rewriting the solution here :
public static void trustSelfSignedSSL() {
try {
SSLContext ctx = SSLContext.getInstance("TLS");
X509TrustManager tm = new X509TrustManager() {
public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
};
ctx.init(null, new TrustManager[]{tm}, null);
SSLContext.setDefault(ctx);
} catch (Exception ex) {
ex.printStackTrace();
}
}
All we need to create a utility class and put this method inside that. Call this method wherever you need.
Any comment on this solution is welcome.
Thanks.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With