Fog Creek Software
Discussion Board

JAAS querying active directory?

Can JAAS query Active Directory on Windows XP to get a mapping with the username and password of the Windows OS to the username and password of my web app, which could be used for single sign-on?

Tuesday, July 6, 2004

You can query Active Directory as a (kind of) LDAP server with JNDI and the LDAP implementation.

Walter Rumsby
Tuesday, July 6, 2004

Just to be sure it's clear, Active Directory doesn't run on Windows XP; it runs on the server, as the backbone of the Windows domain.  If you're working completely within the context of a Windows domain, it's actually much easier to just use AD as the primary user database, rather than trying to map credentials between AD and a private database.  To auth against AD, just try to open an LDAP connection to your Domain Controller using whatever credentials the user put into your login form.  The DC will only allow the connection if the credentials were valid.

However, if your users aren't all necessarily members of your Windows domain, or if you need to store additional info per user*, then you will need a mapping mechanism.  One way of doing it would be to use the SAM account name (i.e., the login name) or the user account's GUID as the mapping key.  You'll need to add a column for the mapping key to your DB's Users table.  In your JAAS module, first try to auth against AD.  If it succeeds, look up the user's credentials from your DB Users table using the mapping key.  If it fails, query the Users table directly with the login form credentials.

* While you can attach additional information to user accounts directly in AD, extending the AD schema can be a pain in the arse for any medium to large deployment.

Hope that makes sense =)

Tuesday, July 6, 2004
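The flow both replies describe (JNDI simple bind against the Domain Controller, then the mapping-key lookup with a fall-back to the app's own Users table), written out as a JAAS LoginModule. This is an added example, not code from either poster. The option names `ldapUrl` and `domain`, the `UserStore` interface standing in for the app's Users table, the `AppPrincipal` class and the `SAM_NAME` pattern are all assumptions of the example; the JNDI and JAAS APIs are standard Java.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class AdOrLocalLoginModule implements LoginModule {

    /** Hypothetical app-side view of the Users table; the mapping key is the SAM account name. */
    public interface UserStore {
        boolean existsByMappingKey(String samAccountName);     // is there a row with mapping_key = login?
        boolean verifyLocalPassword(String login, char[] pw);  // hash-compare against the local Users row
    }
    /** Set once at application start-up; JAAS instantiates the module itself via the no-arg constructor. */
    public static volatile UserStore userStore;

    // Only plain SAM-style names reach the directory; this keeps "@" and "\" out of the bind name.
    private static final Pattern SAM_NAME = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;   // expects "ldapUrl" (e.g. ldaps://dc.example.com:636) and "domain"
    private Principal pending;        // set by login(), attached to the Subject in commit()

    @Override
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h; options = opts;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("login: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (Exception e) {
            throw new LoginException("could not collect credentials");
        }
        String login = nameCb.getName();
        char[] pw = passCb.getPassword();   // a copy; wiped in the finally block below
        passCb.clearPassword();
        try {
            // AD answers a simple bind with an EMPTY password as a successful anonymous bind,
            // so an empty form field must be refused before the DC is ever asked.
            if (login == null || !SAM_NAME.matcher(login).matches() || pw == null || pw.length == 0) {
                throw new FailedLoginException("bad credentials");
            }
            if (bindToActiveDirectory(login, pw)) {
                // Domain credentials were valid: the mapping key must match a row in our Users table.
                if (!userStore.existsByMappingKey(login)) throw new FailedLoginException("bad credentials");
                pending = new AppPrincipal(login, "ad");
            } else if (userStore.verifyLocalPassword(login, pw)) {
                // The DC said "invalid credentials": not a domain user, so try the local table.
                pending = new AppPrincipal(login, "local");
            } else {
                throw new FailedLoginException("bad credentials");
            }
            return true;
        } finally {
            if (pw != null) Arrays.fill(pw, '\0');
        }
    }

    /** Simple bind as user@domain over LDAPS. Returns true for a valid password, false for an invalid one. */
    private boolean bindToActiveDirectory(String login, char[] pw) throws LoginException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (String) options.get("ldapUrl"));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, login + "@" + options.get("domain"));  // UPN form
        env.put(Context.SECURITY_CREDENTIALS, pw);   // the LDAP provider accepts a char[] here
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");
        try {
            new InitialDirContext(env).close();   // the DC only lets the bind through if the password is right
            return true;
        } catch (javax.naming.AuthenticationException wrongPassword) {
            return false;
        } catch (NamingException e) {
            // Unreachable DC is an outage, not a "wrong password": never fall through to the local table here.
            throw new LoginException("directory unavailable: " + e.getMessage());
        }
    }

    @Override
    public boolean commit() {
        if (pending == null) return false;
        subject.getPrincipals().add(pending);
        return true;
    }
    @Override public boolean abort()  { pending = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof AppPrincipal); return true; }

    /** Principal carrying the login name plus which source vouched for it. */
    public static final class AppPrincipal implements Principal {
        private final String name, source;
        AppPrincipal(String name, String source) { this.name = name; this.source = source; }
        @Override public String getName() { return name; }
        public String getSource() { return source; }
    }
}
```

Two design choices worth noting. The module only falls back to the local Users table when the DC has definitively rejected the password; a connection or read failure is surfaced as a `LoginException` so that an unreachable directory cannot quietly turn domain users into local ones. And the URL is expected to be `ldaps://` (or an `ldap://` URL upgraded with StartTLS), because a simple bind sends the password in the clear on a plain connection.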
