LDAP Authentication with a service account in Java

Question

I am trying to authenticate users from LDAP with a service account created. Im getting below error on ctx = new InitialDirContext(env);

[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 2030, v1db1

Can someone help me to understand where am I going wrong ?

This is my java file

/**
 * 
 */
package com.dei;

import java.util.Hashtable;

import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapConnector {


        private static final String LDAP_SERVER_PORT = "389";
        private static final String LDAP_SERVER = "server";
        private static final String LDAP_BASE_DN = "OU=role,OU=roles,OU=de,OU=apps,DC=meta,DC=company,DC=com";
        private static final String LDAP_BIND_DN = "cn=service_account";//service account userid provided by LDAP team
        private static final String LDAP_BIND_PASSWORD = "password";///service account pwd provided by LDAP team


        public Boolean validateLogin(String userName, String userPassword) {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://" + LDAP_SERVER + ":" + LDAP_SERVER_PORT + "/" + LDAP_BASE_DN);

            // To get rid of the PartialResultException when using Active Directory
            env.put(Context.REFERRAL, "follow");

            // Needed for the Bind (User Authorized to Query the LDAP server) 
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, LDAP_BIND_DN);
            env.put(Context.SECURITY_CREDENTIALS, LDAP_BIND_PASSWORD);

            DirContext ctx;
            try {
               ctx = new InitialDirContext(env);
            } catch (NamingException e) {
               throw new RuntimeException(e);
            }

            NamingEnumeration<SearchResult> results = null;

            try {
               SearchControls controls = new SearchControls();
               controls.setSearchScope(SearchControls.SUBTREE_SCOPE); // Search Entire Subtree
               controls.setCountLimit(1);   //Sets the maximum number of entries to be returned as a result of the search
               controls.setTimeLimit(5000); // Sets the time limit of these SearchControls in milliseconds

               String searchString = "(&(objectCategory=user)(sAMAccountName=" + userName + "))";

               results = ctx.search("", searchString, controls);

               if (results.hasMore()) {

                   SearchResult result = (SearchResult) results.next();
                   Attributes attrs = result.getAttributes();
                   Attribute dnAttr = attrs.get("distinguishedName");
                   String dn = (String) dnAttr.get();

                   // User Exists, Validate the Password

                   env.put(Context.SECURITY_PRINCIPAL, dn);
                   env.put(Context.SECURITY_CREDENTIALS, userPassword);

                   new InitialDirContext(env); // Exception will be thrown on Invalid case
                   System.out.println("Login successful");
                   return true;
               } 
               else 
                   return false;

            } catch (AuthenticationException e) { // Invalid Login
                System.out.println("Login failed" +e.getMessage());

                return false;
            } catch (NameNotFoundException e) { // The base context was not found.
                System.out.println("Login failed" +e.getMessage());
                return false;
            } catch (SizeLimitExceededException e) {
                throw new RuntimeException("LDAP Query Limit Exceeded, adjust the query to bring back less records", e);
            } catch (NamingException e) {
               throw new RuntimeException(e);
            } finally {

               if (results != null) {
                  try { results.close(); } catch (Exception e) { /* Do Nothing */ }
               }

               if (ctx != null) {
                  try { ctx.close(); } catch (Exception e) { /* Do Nothing */ }
               }
            }
        }
}

Answer 1

The error 49 stands for invalid credentials, but the diagnostic string "AcceptSecurityContext error, data 2030", means "No such Object" i.e. the LDAP_BIND_DN "cn=service_account" could not be found in the directory. My guess is that "cn=service_account" is not the full DN of the account.

Answer 2

The bind operation has failed, typically due to a problem with the account.

Ensure the credentials for the bind account used to connect to the LDAP Server are correct.Error code data 2030 means that the DN of the user is invalid.