
Access to LDAP from websphere applications


Sundaram....@mincom.com
Sep 11, 2007, 11:38:39 PM
Hi,

We use WAS 5.1.2 on Windows 2003 with IBM Directory Server 5.1 (LDAP).

We would like to access LDAP data from EJBs and servlets. Our WAS is already configured to use the LDAP server for client authentication. Is there a way for applications to access this LDAP?

Regards


Harikumar

Patrick Finnegan
Sep 12, 2007, 3:33:23 AM

I asked IBM about this in the past and the answer is no. There is an
Ldap jndi reference in the name space but it's not accessible to the
apps. You have to do it the old fashioned way - property files.

Paul Ilechko
Sep 12, 2007, 9:21:28 AM

You can use the UserRegistry interface to get data about the currently
authenticated user - some sample code:

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import com.ibm.websphere.security.UserRegistry;
import javax.servlet.http.HttpServletRequest;
import java.io.PrintWriter;

// Servlet helper: req is the HttpServletRequest, out is the response writer.
// IdentityHelper is the poster's own helper class (not shown here).
void printRegistryInfo(HttpServletRequest req, PrintWriter out) throws Exception {
    // WAS binds its UserRegistry into the JNDI namespace under the name "UserRegistry".
    Context ic = new InitialContext();
    Object objRef = ic.lookup("UserRegistry");
    UserRegistry userReg = (UserRegistry) PortableRemoteObject.narrow(objRef, UserRegistry.class);
    // Display name of the user the container authenticated for this request.
    out.println(" registry says display name is: "
        + userReg.getUserDisplayName(req.getUserPrincipal().getName()));
    IdentityHelper h = new IdentityHelper();
    String gid = (String) h.getGroups().iterator().next();
    out.println("the id of your first group is " + gid
        + ", the name of this group is " + userReg.getGroupSecurityName(gid));
}


If you want to do random queries to LDAP, you'd have to access it
directly.

jtpape
Sep 13, 2007, 10:51:55 AM
And the best way to accomplish that is via JNDI.

John Pape
WebSphere Advisory Software Engineer

peter...@xerox.com
Oct 19, 2007, 5:24:36 PM
If the LDAP credential information is stored in the "JAAS - J2C authentication data" in WebSphere, can this be accessed in Java code (presumably through JNDI)? How?

Thanks,

Peter

Paul Ilechko
Oct 19, 2007, 6:10:41 PM

What do you mean by "LDAP Credential information"?

As already mentioned, you can access the LDAP server directly in code.
If you want to get information about the credential on the current
thread of execution you can get that from the Subject. Neither of these
has anything to do with J2C authentication data, which is used to access
external resources. I'm really not sure what exactly it is that you want.

Peter Chin
Oct 19, 2007, 11:26:29 PM
What I would like is for the administration of userid and passwords for JDBC data sources to be consistent with the administration of LDAP credentials, if possible.

I understand that a JAAS/J2C entry can be used to store and feed userid and password credentials to access a JDBC data source, but I don't know the mechanism to do the same with LDAP.

So I know I can create JAAS/J2C entries with userid and password but I don't know how to access these entries.

Paul Ilechko
Oct 20, 2007, 11:39:03 AM

Your question doesn't really make any sense. You use LDAP to
authenticate end users. J2C JAAS entries are to authenticate the server
to an external resource. They are totally different things.

Peter Chin
Oct 20, 2007, 2:25:19 PM
Our LDAP (like most others) contains more than just identity information. We have an application that currently reads and updates our LDAP, so we are treating it like a data source, but it is using userid credentials stored in visible property files.

Regardless of whether this makes sense to you or not, the technical question remains: can the JAAS J2C entries in WAS 6.1 be programmatically read from Java?

Paul Ilechko
Oct 20, 2007, 3:57:33 PM
Peter Chin wrote:
> Our LDAP (like most others) contains more than just identity
> information. We have an application that currently reads and updates
> our LDAP, so we are treating it like a data source, but it is using
> userid credentials stored in visible property files.

A more common way of dealing with this issue is to access the LDAP using
the JNDI API, and to secure access to the server with mutual SSL.

>
> Regardless if this make sense to you or not, the technical question
> remains - can the JAAS J2C entries in WAS 6.1 be programmatically
> read from Java?

Not to my knowledge. The datasource itself can be accessed using JNDI.
If you have a component authentication alias on the datasource, the
password is visible to the code - not a good idea from a security
perspective, and not recommended at all.


For container auth aliases, only WAS has the password, and it is not
available to application code.
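Putting the two suggestions in this thread together (John Pape's "via JNDI" and Paul's "secure access to the server with mutual SSL"), here is an added example, written for this page and not code from the thread or from IBM, of application code querying the directory directly through JNDI over a mutually authenticated TLS connection, binding with the client certificate (SASL EXTERNAL) instead of a password kept in a property file, and escaping user input before it goes into a search filter. The directory URL, base DN, keystore and truststore paths, the class names DirectLdapLookup and ClientCertSocketFactory, and the assumption that the directory is configured to map the client certificate to a bind identity are all assumptions; it also assumes a current JDK rather than the 1.4-era runtime of WAS 5.1.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import javax.net.SocketFactory;
import javax.net.ssl.*;

public class DirectLdapLookup {

    // Assumed values; replace with the real directory URL and search base.
    static final String LDAP_URL = "ldaps://ldap.example.com:636";
    static final String BASE_DN = "ou=people,o=example";

    /** SSL socket factory that presents the application's client certificate.
     *  The JNDI LDAP provider loads the class named in java.naming.ldap.factory.socket
     *  and obtains an instance through its static getDefault() method. */
    public static class ClientCertSocketFactory extends SSLSocketFactory {
        private static volatile SSLSocketFactory delegate;

        /** Build the SSLContext once: client key from a PKCS12 keystore, server trust from
         *  a JKS truststore. Passwords are passed in by the caller, not read from a property file. */
        public static void configure(String keyStorePath, char[] keyStorePw,
                                     String trustStorePath, char[] trustStorePw) throws Exception {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(keyStorePath)) { ks.load(in, keyStorePw); }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyStorePw);
            KeyStore ts = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(trustStorePath)) { ts.load(in, trustStorePw); }
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            delegate = ctx.getSocketFactory();
        }

        public static SocketFactory getDefault() {
            if (delegate == null) throw new IllegalStateException("call configure() first");
            return new ClientCertSocketFactory();
        }

        // The remaining methods just delegate to the configured JSSE factory.
        @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        @Override public Socket createSocket(Socket s, String h, int p, boolean ac) throws IOException { return delegate.createSocket(s, h, p, ac); }
        @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
        @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
        @Override public Socket createSocket(InetAddress h, int p) throws IOException { return delegate.createSocket(h, p); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return delegate.createSocket(h, p, lh, lp); }
    }

    /** Escape a value for use inside a search filter (RFC 4515) so that user input
     *  cannot alter the filter structure (LDAP injection). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Connect over TLS using the client certificate and bind with SASL EXTERNAL.
     *  Assumes the directory maps the certificate subject to a bind identity. */
    public static LdapContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", ClientCertSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
        return new InitialLdapContext(env, null);
    }

    /** Return the mail attribute of the entry whose uid matches, or null if none does. */
    public static String findMail(LdapContext ctx, String uid) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] { "mail" });
        String filter = "(&(objectClass=inetOrgPerson)(uid=" + escapeFilterValue(uid) + "))";
        NamingEnumeration<SearchResult> results = ctx.search(BASE_DN, filter, sc);
        try {
            if (!results.hasMore()) return null;
            Attribute mail = results.next().getAttributes().get("mail");
            return mail == null ? null : String.valueOf(mail.get());
        } finally {
            results.close();
        }
    }
}
```

Usage is ClientCertSocketFactory.configure(...) once at startup, then connect() and findMail(ctx, uid) per request, closing the context afterwards. Because the bind uses the certificate, the only secret the application holds is the keystore password, and it is handed in by the caller rather than sitting in a readable properties file; on WebSphere the keystore and truststore would normally be the ones managed by the server's SSL configuration rather than files the application opens itself, and this example reads plain JSSE stores only to stay self-contained. The escaping matters whenever the uid comes from a request: escapeFilterValue("*)(uid=*") yields "\2a\29\28uid=\2a", so a crafted value cannot turn the uid match into a wildcard that returns every entry.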

Peter Chin
Oct 20, 2007, 6:34:56 PM
I guess that makes sense. Security would be compromised. Thanks for your replies, Paul.