Java - Querying an LDAP Directory
yuibox April 17th, 2008
(All credit to my sensei, Eric Enright)
Yesterday I spent a lot of time figuring out how to go about getting a user’s group membership information out of Active Directory, Java style. Since Active Directory is essentially a glorified LDAP server, you can connect to it through JNDI, treating it like any other database: connect to it, query it, and process your results. The code below iterates over all user accounts, printing out each one's full LDAP DN, email address, and logon name.
[source:java]
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class Main {
    // Connection information. If connecting to Active Directory, the user
    // name should be of the form DOMAIN\\user.
    private static String SERVER = "ldap://dc-1:389";
    private static String AUTHTYPE = "simple";
    private static String USER = "myuser";
    private static String PASSWORD = "mypassword";

    // Search filter to use. This filter restricts us to only look at entries
    // which are human users.
    private static String FILTER = "(&(objectCategory=person)(objectClass=user))";

    // The base directory.
    private static String BASE = "DC=larlyn,DC=com";

    public static void main(String[] args) {
        // Create and populate our connection environment.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, SERVER);
        env.put(Context.SECURITY_AUTHENTICATION, AUTHTYPE);
        env.put(Context.SECURITY_PRINCIPAL, USER);
        env.put(Context.SECURITY_CREDENTIALS, PASSWORD);

        try {
            // Bind to the LDAP server.
            DirContext ctx = new InitialDirContext(env);
            System.out.println("Login successful");

            // Perform the search over the whole subtree under BASE.
            SearchControls constraints = new SearchControls();
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> results = ctx.search(BASE, FILTER, constraints);

            while (results != null && results.hasMoreElements()) {
                SearchResult result = results.next();
                // getName() is relative to BASE, so append BASE to get the full DN.
                String dn = result.getName() + ',' + BASE;
                String[] searchattrs = {"mail", "sAMAccountName"};
                // Second round trip per entry: fetch just the attributes we want.
                Attributes attrs = ctx.getAttributes(dn, searchattrs);

                // Print out information in the form of:
                // DN: [attr...]
                if (attrs != null) {
                    System.out.print(dn + ": ");
                    for (int i = 0; i < searchattrs.length; ++i) {
                        Attribute attr = attrs.get(searchattrs[i]);
                        if (attr != null) {
                            // Multi-valued attributes are printed space-separated.
                            for (NamingEnumeration<?> e = attr.getAll(); e.hasMore();)
                                System.out.print((String) e.next() + " ");
                        }
                    }
                    System.out.println();
                }
            }
            ctx.close();
        } catch (AuthenticationException e) {
            System.out.println("Login failed: " + e.getMessage());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
[/source]
[source:java]
eenright@ws2:~/src (41)> java Main
Login successful
CN=Eric Enright,OU=Administrative Staff,DC=larlyn,DC=com: xxxx@larlyn.com eenright
CN=Some Girl,OU=Windsor,OU=All Offices,DC=larlyn,DC=com: xxxx@larlyn.com sgirl
CN=Some Guy,OU=Edmonton,OU=All Offices,DC=larlyn,DC=com: xxxx@larlyn.com sguy
[/source]
For group membership, one would want to include “memberOf” in searchattrs.
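An added example (not from the original post) that does the memberOf lookup for one user. It assumes the same BASE and a placeholder ldaps:// server, takes the bind credentials and the logon name to look up from the command line, escapes the logon name per RFC 4515 before it goes into the filter (so a name from an untrusted source cannot change the filter's meaning), and asks for the attribute in the search itself rather than with a second getAttributes() call per entry.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class GroupLookup {
    // Assumed values (placeholders, not from the original post); ldaps keeps the bind password off the wire.
    private static final String SERVER = "ldaps://dc-1:636";
    private static final String BASE = "DC=larlyn,DC=com";

    // Escape a value for use inside an LDAP search filter (RFC 4515), so a logon name
    // taken from user input cannot change the structure of the filter. Backslash goes first.
    static String escapeFilter(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }

    // Return the memberOf values (group DNs) of the user with this sAMAccountName.
    // Caveat: AD does not list the user's primary group (primaryGroupID) in memberOf.
    static List<String> groupsOf(DirContext ctx, String logonName) throws NamingException {
        String filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                + escapeFilter(logonName) + "))";
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"memberOf"}); // no second getAttributes() round trip
        List<String> groups = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(BASE, filter, sc);
        while (results.hasMore()) {
            Attribute memberOf = results.next().getAttributes().get("memberOf");
            if (memberOf == null) continue; // no memberOf attribute: no group memberships to report
            for (NamingEnumeration<?> v = memberOf.getAll(); v.hasMore();) groups.add((String) v.next());
        }
        return groups;
    }

    // Usage: java GroupLookup "DOMAIN\binduser" bindpassword logonNameToLookUp
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, SERVER);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, args[0]);
        env.put(Context.SECURITY_CREDENTIALS, args[1]);
        DirContext ctx = new InitialDirContext(env);
        try { for (String g : groupsOf(ctx, args[2])) System.out.println(g); } finally { ctx.close(); }
    }
}
```

Each printed line is a group DN; nested group membership is not expanded here, since memberOf only lists direct memberships.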
May 21st, 2008 at 2:15 am
Very interesting and useful!
Thanx a lot
July 9th, 2008 at 3:58 am
Hi Andrea, your post is really helpful and useful.
I have got all users' emails from the LDAP Server, but I need to retrieve all emails present in a particular distribution list which are stored on the LDAP Server (the server is Microsoft Exchange Server).
Thanks in Advance,
Vipin
August 21st, 2008 at 12:35 pm
Very helpful!! Thanks a ton!!