Make your ldap search fast

Problem - I am using JNDI to connect to an LDAP Active Directory server, and I want to search for users whose name contains the search string. It is very slow.
My search method is as follows:

import java.util.ArrayList;
import java.util.List;

import javax.naming.NamingEnumeration;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.SortControl;

public static List<LDAPUser> searchContactsByName(
        ExtendedDirContext extendedDirContext, String name) {

    try {

        LdapContext ldapContext = extendedDirContext.getLdapContext();
        String searchBaseStr = extendedDirContext.getSearchBase();

        // Ask the server to sort the result set by display name (server-side sort control)
        String sortKey = LDAPAttributes.NAME;
        ldapContext.setRequestControls(new Control[] { new SortControl(
                sortKey, Control.CRITICAL) });

        SearchControls searchCtls = new SearchControls();
        searchCtls.setTimeLimit(1000 * 10); // 10 seconds, in milliseconds

        // Only fetch the two attributes we actually use
        String[] returnedAtts = { LDAPAttributes.USER_NAME,
                LDAPAttributes.NAME };
        searchCtls.setReturningAttributes(returnedAtts);

        searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

        // Substring match on cn; "name" is inserted into the filter as-is here
        String searchFilter = "(&(objectCategory=person)(cn=*" + name
                + "*))";

        NamingEnumeration<SearchResult> results = ldapContext.search(
                searchBaseStr, searchFilter, searchCtls);

        List<LDAPUser> users = new ArrayList<LDAPUser>();
        while (results.hasMore()) {
            SearchResult sr = results.next();
            Attributes attrs = sr.getAttributes();
            LDAPUser user = new LDAPUser();
            // Attribute.get() returns the value itself, so there is no
            // "cn: " / "sAMAccountName: " prefix to strip from toString()
            user.setName((String) attrs.get(LDAPAttributes.NAME).get());
            user.setUserName((String) attrs.get(LDAPAttributes.USER_NAME).get());
            users.add(user);
        }
        results.close();

        return users;

    } catch (Exception e) {
        e.printStackTrace();
        return null;
    }
}
 

Connection to LDAP:

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import org.springframework.context.MessageSource; // getMessage(code, args, locale) as used below

public static ExtendedDirContext connectToLdap(MessageSource messageSource) {

    try {
        log.debug("connectToLdap");
        // Connection settings are read from the message source (see the
        // property file below)
        String providerUrl = messageSource.getMessage("provider.url", null,
                null);
        String securityPrincipal = messageSource.getMessage(
                "security.principal", null, null);
        String securityCredentials = messageSource.getMessage(
                "security.credentials", null, null);
        String searchBase = messageSource.getMessage("search.base", null,
                null);
        boolean ssl = Boolean.parseBoolean(messageSource.getMessage("ssl",
                null, null));
        LdapContext ldapContext;

        Hashtable<String, String> ldapEnv = new Hashtable<String, String>(
                11);
        ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        ldapEnv.put(Context.PROVIDER_URL, providerUrl);
        ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        ldapEnv.put(Context.SECURITY_PRINCIPAL, securityPrincipal);
        ldapEnv.put(Context.SECURITY_CREDENTIALS, securityCredentials);
        if (ssl)
            ldapEnv.put(Context.SECURITY_PROTOCOL, "ssl");
        // To get rid of the PartialResultException when using Active
        // Directory (this is the line the solution below changes)
        ldapEnv.put(Context.REFERRAL, "follow");
        ldapContext = new InitialLdapContext(ldapEnv, null);
        ExtendedDirContext extendedDirContext = new ExtendedDirContext();
        extendedDirContext.setLdapContext(ldapContext);
        extendedDirContext.setSearchBase(searchBase);
        log.debug("success connection to ldap");
        return extendedDirContext;
    } catch (Exception e) {
        e.printStackTrace();
        return null;
    }

}
 

LDAP credentials:

provider.url=ldap://abc.techartifact.com:389
security.principal=CN=administrator,CN=Users,DC=techartifact,DC=com
security.credentials=password
search.base=dc=techartifact,dc=com
 

It is very difficult to see why the search takes so long to retrieve the data.

Solution - change

ldapEnv.put(Context.REFERRAL, "follow");

to

ldapEnv.put(Context.REFERRAL, "ignore");

With "follow", JNDI chases every continuation reference that Active Directory returns for naming contexts the queried server does not hold (a subtree search from the domain root typically yields several, for example the DomainDnsZones and ForestDnsZones partitions), and each of those can wait on DNS resolution or a connection timeout before the search is allowed to finish. With "ignore" those references are dropped and the entries the server does hold come back immediately; the LDAP provider then reports the unprocessed references as a PartialResultException after the last real entry, so the result loop should catch that exception and keep the entries already collected.
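The following is an added example (not the code from the post) that puts the fix together with the two things the search method above leaves open: the user-supplied substring is escaped before it is placed in the filter, and the PartialResultException that REFERRAL=ignore produces against Active Directory is caught so the entries already received are kept. The class name FastAdSearch, the host ad.example.test, the service account and the search base are placeholders.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class FastAdSearch {

    /** Escape a value for use inside an LDAP search filter (RFC 4515 rules). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Same substring filter as the post, but with the search string escaped. */
    static String nameFilter(String name) {
        return "(&(objectCategory=person)(cn=*" + escapeFilterValue(name) + "*))";
    }

    static LdapContext connect(String url, String principal, String credentials)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        // "ignore": do not chase the continuation references AD returns for
        // partitions this server does not hold; chasing them is what was slow.
        env.put(Context.REFERRAL, "ignore");
        return new InitialLdapContext(env, null);
    }

    /** Returns the sAMAccountName of each matching user; tolerates the trailing referral. */
    static List<String> searchByName(LdapContext ctx, String searchBase, String name)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "sAMAccountName", "cn" });
        sc.setTimeLimit(10 * 1000); // milliseconds
        sc.setCountLimit(500);      // bound the result set as well as the time

        List<String> accounts = new ArrayList<String>();
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, nameFilter(name), sc);
        try {
            while (results.hasMore()) {
                Attribute sam = results.next().getAttributes().get("sAMAccountName");
                if (sam != null) {
                    accounts.add((String) sam.get());
                }
            }
        } catch (PartialResultException e) {
            // With REFERRAL=ignore, AD reports its unprocessed continuation
            // references here, after all real entries have been delivered.
        } finally {
            results.close();
        }
        return accounts;
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder connection values; replace with your own directory.
        LdapContext ctx = connect("ldap://ad.example.test:389",
                "CN=svc-lookup,CN=Users,DC=example,DC=test", "change-me");
        try {
            for (String account : searchByName(ctx, "dc=example,dc=test", "vin")) {
                System.out.println(account);
            }
        } finally {
            ctx.close();
        }
    }
}
```

Escaping matters because the original filter concatenates the raw search string: a value such as "*)(objectClass=*" would otherwise change the meaning of the filter rather than being matched as text. Searching the Global Catalog port (3268) instead of 389 is the other common way to avoid the continuation references altogether, at the cost of only the attributes replicated to the catalog being available.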

Happy coding with Vinay in techartifact…

Using WebLogic Server Embedded LDAP

LDAP is widely used in web applications for authorization. We have to set up the embedded WebLogic LDAP server to establish a development environment.
The first question we have: what is LDAP?

LDAP is the Lightweight Directory Access Protocol, a protocol for accessing a directory. A directory contains objects, generally those related to users, groups, computers, printers and so on, and company structure information (although you can extend it and store anything in there).
LDAP gives you operations to add, update and remove objects within a directory (and a bunch more, but these are the central ones):

- Connect to a directory (with varying levels of security)
- Read the entries in a directory
- Write entries in a directory
- Search a directory
- Rename entries in a directory
- Delete entries in a directory

If you are reading about LDAP then you should also know:

What is a directory?
A directory is a type of hierarchical database. It is made up of entries that have a globally unique name and contain attributes, which are named collections of data values. Directories are optimised for fast lookup, they have a strong security model and they scale well. Because they are tree-structured, different parts of the tree can be maintained by different directories and different administrators. The tree data structure also fits some cases much better than a relational database. (If you are familiar with relational databases, LDAP is conceptually similar to SQL.)

CONNECT TO WEBLOGIC SERVER EMBEDDED LDAP USING AN LDAP BROWSER

WebLogic Server includes an embedded LDAP server that acts as the default security provider data store for the Default Authentication, Authorization, Credential Mapping, and Role Mapping providers. The embedded LDAP server contains user, group, group membership, security role, security policy, and credential map information. By default, each WebLogic Server domain has an embedded LDAP server configured with the default values set for each type of information. The Default Authentication, Authorization, Credential Mapping, and Role Mapping providers use the embedded LDAP server as their data store.

In the WebLogic Server Administration Console, change the credential for the embedded LDAP server:

– Expand Domain > Security > Embedded LDAP.

– In the Credential field, enter the new credential.

– In the Confirm Credential field, enter the new credential again.

– Click Save.

– Restart WebLogic Server.

Now we need an LDAP browser to access it. There are multiple LDAP browsers, such as:

– OpenLDAP – http://www.openldap.org/
– JXplorer – jxplorer.org

The connection parameters are as follows:

Hostname: Hostname of the WebLogic Server.
Port: WebLogic Admin Server port.
Base DN: This is the WebLogic domain name.
User DN: By default the Admin user DN is cn=Admin.
Password: Admin user password

1. In the LDAP browser, configure a new connection:

– Select the QuickConnect tab.

– Set the host field to localhost.

– Set the port field to 7001 (7002 if SSL is being used).

– Set the Base DN field to dc=mydomain, where mydomain is the name of the WebLogic Server domain you are using.

– Uncheck the Anonymous Bind option.

– Set the User DN field to cn=Admin.

– Set the Password field to the credential you specified in the Administration Console above.

2. Click the new connection.

– Use the LDAP browser to navigate the hierarchy of the embedded LDAP server.
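The same connection parameters can be used from JNDI, which is handy when you want to check the embedded LDAP contents from a test or a script instead of a GUI browser. This is an added example, not code from the post or from WebLogic: it binds with the non-anonymous cn=Admin settings listed above and lists the entries directly under the domain base DN, which is what the browser's tree view shows. The class name EmbeddedLdapBrowse, the domain name mydomain and the credential value are placeholders.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class EmbeddedLdapBrowse {

    /** JNDI environment mirroring the LDAP browser settings in the post. */
    static Hashtable<String, String> env(String host, boolean ssl, String credential) {
        // Plain admin port is 7001; the SSL listen port is 7002.
        int port = ssl ? 7002 : 7001;
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // no anonymous bind
        env.put(Context.SECURITY_PRINCIPAL, "cn=Admin");    // default admin user DN
        env.put(Context.SECURITY_CREDENTIALS, credential);  // credential set under Embedded LDAP
        if (ssl) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    /** Lists the RDNs of the entries directly under baseDn (one level, like the tree view). */
    static List<String> listChildren(LdapContext ctx, String baseDn) throws NamingException {
        List<String> names = new ArrayList<String>();
        NamingEnumeration<NameClassPair> children = ctx.list(baseDn);
        try {
            while (children.hasMore()) {
                names.add(children.next().getName());
            }
        } finally {
            children.close();
        }
        return names;
    }

    public static void main(String[] args) throws NamingException {
        String domain = "mydomain";        // placeholder: your WebLogic domain name
        String credential = "change-me";   // placeholder: the embedded LDAP credential
        boolean ssl = false;               // true switches to port 7002 over SSL

        LdapContext ctx = new InitialLdapContext(env("localhost", ssl, credential), null);
        try {
            for (String rdn : listChildren(ctx, "dc=" + domain)) {
                System.out.println(rdn);
            }
        } finally {
            ctx.close();
        }
    }
}
```

When ssl is true the JVM must trust the certificate WebLogic presents on 7002 (the demo trust store in a development domain, or your own trust store via the standard javax.net.ssl.trustStore properties), otherwise the bind fails during the handshake rather than at authentication.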

Now you can create users and groups.

Hope it helps ..happy coding with Vinay in techartifact ……

LDAP configuration in Jetspeed 2.2.0

LDAP configuration in Jetspeed 2 (JS2) is very easy. Only two steps are required to configure LDAP in JS2.

1) Enable the LDAP module
First you need to create "spring-filter-key.properties" under jetspeed/WEB-INF/conf and add the following lines:

#Turn on LDAP Security
spring.filter.key = portal.ldap

spring-filter-key.properties can be used to enable or disable the different modules of Jetspeed.

2) Define the LDAP connection properties

Jetspeed stores all its configuration settings in jetspeed.properties.

The default Jetspeed LDAP settings are as follows:
[Figure: default LDAP settings from jetspeed.properties; the image is not reproduced here]
The first four entries are self-explanatory.

ldap.context.factory
Jetspeed uses this JNDI context factory to communicate with the LDAP server. I think it is not advisable to change the context factory unless it is really required.

ldap.user.filter

You can define your own object class for users.

ldap.search.scope

The LDAP search scope determines how objects are searched for in the LDAP subtree. I would suggest not changing this value.

ldap.user.searchBase
ldap.role.searchBase
ldap.group.searchBase
You can define the tree location where all your users reside. Once you define the user search base, Jetspeed will only look for users and their relations under that node.
A search base can be defined for groups and roles too.

ldap.user.entryPrefix

In LDAP there are different user classes for creating users, and each has its own schema, so you can define your own uid prefix.