ActiveDirectory Test
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClientFactory;
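/**
 * Demonstrates how to discover an LDAP server's supported SASL mechanisms.
 * <p>
 * Binds to an Active Directory domain controller (DIGEST-MD5 SASL or simple
 * bind, over plain LDAP or LDAPS) and reads {@code supportedSASLMechanisms}
 * from the root DSE. Every LDAP message is hex-dumped to stdout via the
 * {@code com.sun.jndi.ldap.trace.ber} provider property, so the class can
 * also be used to check LDAP connections.
 * <p>
 * Usage: {@code java ServerSasl [serverName]} -- the optional argument
 * overrides the built-in server name; the remaining settings (TLS,
 * DIGEST-MD5, user, password) are constants at the top of {@link #main}.
 */
class ServerSasl
{
    /** Default host; the URL must end in the actual domain/realm name. */
    private static final String DEFAULT_SERVER = "bernd-adwin.bernd.test";

    /**
     * Connects to the LDAP server, prints the root DSE's supported SASL
     * mechanisms and closes the context again.
     *
     * @param args optional: {@code args[0]} is the server host name; when
     *             absent or empty, {@link #DEFAULT_SERVER} is used
     */
    public static void main(String[] args)
    {
        //diagSasl(); System.out.printf("%n----------%n%n");
        boolean isTLS = false;
        boolean isDigest = true; // requires AD user with reversible PW encryption
        String serverName = (args.length > 0 && !args[0].isEmpty()) ? args[0] : DEFAULT_SERVER;

        Hashtable<String, Object> env = new Hashtable<>(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); // TODO IBM
        if (isTLS) {
            env.put(Context.PROVIDER_URL, "ldaps://" + serverName + ":636/");
            //env.put(Context.SECURITY_PROTOCOL, "ssl"); // default for ldaps
            System.setProperty("javax.net.debug", "all"); // extreme JSSE debugging
        } else {
            env.put(Context.PROVIDER_URL, "ldap://" + serverName + ":389/");
        }
        if (isDigest) {
            // configure it for DIGEST-MD5 with LDAP Signing (integrity protection)
            env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5"); // case sensitive in java11
            // auth-int = integrity protection of every message after the bind;
            // on LDAPS the TLS layer already provides that, so only ask for it
            // on plain LDAP (the provider default is "auth")
            if (!isTLS) {
                env.put("javax.security.sasl.qop", "auth-int");
            }
        } else {
            // simple bind is also the default
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
        }
        // output hex dump of all LDAP messages. Note: with "simple" bind over
        // plain LDAP the bind request -- and so the password -- appears in this dump.
        env.put("com.sun.jndi.ldap.trace.ber", System.out);
        // UPN, Netbios or dn: format is fine: (realm is extracted from servername)
        env.put(Context.SECURITY_PRINCIPAL, "bernd\\testview"); // testview@bernd.test
        // demo value only; the original line was missing the closing quote
        env.put(Context.SECURITY_CREDENTIALS, "PASS12345678");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            System.out.println("Connected: name=" + ctx.getNameInNamespace() + " (obj=" + ctx + ")");
            // Sample Request (Read supportedSASLMechanisms from root DSE)
            Attributes attrs = ctx.getAttributes("", new String[] {"supportedSASLMechanisms"});
            System.out.println(attrs);
        } catch (NamingException e) {
            e.printStackTrace();
        } finally {
            // close even when the bind succeeded but the read failed, so the
            // connection is not left open behind the stack trace
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // best effort: the connection is being torn down anyway
                }
            }
        }
    }

    /**
     * Prints every registered {@link SaslClientFactory} together with the
     * mechanism names it offers when no property restrictions are given
     * ({@code null} props), one line per factory.
     */
    private static void diagSasl()
    {
        Enumeration<SaslClientFactory> factories = Sasl.getSaslClientFactories();
        while (factories.hasMoreElements()) {
            SaslClientFactory factory = factories.nextElement();
            String[] mechanisms = factory.getMechanismNames(null);
            System.out.println(" factory=" + factory + " mechs=" + Arrays.deepToString(mechanisms));
        }
    }
}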
Test output against a server with LDAP signing not required (requiresigning=off), isTLS=false, isDigest=true
-> bernd-adwin.bernd.test:389
0000: 30 18 02 01 01 60 13 02 01 03 04 00 A3 0C 04 0A 0....`..........
0010: 44 49 47 45 53 54 2D 4D 44 35 DIGEST-MD5
<- bernd-adwin.bernd.test:389
0000: 30 84 00 00 00 FC 02 01 01 61 84 00 00 00 F3 0A 0........a......
0010: 01 0E 04 00 04 00 87 82 00 E8 71 6F 70 3D 22 61 ..........qop="a
0020: 75 74 68 2C 61 75 74 68 2D 69 6E 74 2C 61 75 74 uth,auth-int,aut
0030: 68 2D 63 6F 6E 66 22 2C 63 69 70 68 65 72 3D 22 h-conf",cipher="
0040: 33 64 65 73 2C 72 63 34 22 2C 61 6C 67 6F 72 69 3des,rc4",algori
0050: 74 68 6D 3D 6D 64 35 2D 73 65 73 73 2C 6E 6F 6E thm=md5-sess,non
0060: 63 65 3D 22 2B 55 70 67 72 61 64 65 64 2B 76 31 ce="+Upgraded+v1
0070: 30 34 32 64 64 34 66 35 61 64 63 33 66 64 33 66 042dd4f5adc3fd3f
0080: 63 32 36 39 31 64 64 37 63 62 31 39 33 31 36 66 c2691dd7cb19316f
0090: 65 30 36 65 33 35 31 34 34 32 62 38 64 35 30 31 e06e351442b8d501
00A0: 31 39 30 34 39 33 64 31 35 39 65 66 61 38 35 34 190493d159efa854
00B0: 39 65 63 63 37 37 62 62 34 31 63 38 38 33 36 35 9ecc77bb41c88365
00C0: 34 34 65 30 30 61 37 61 63 36 39 63 34 32 62 39 44e00a7ac69c42b9
00D0: 32 62 39 38 63 34 31 61 39 65 30 65 63 32 66 63 2b98c41a9e0ec2fc
00E0: 22 2C 63 68 61 72 73 65 74 3D 75 74 66 2D 38 2C ",charset=utf-8,
00F0: 72 65 61 6C 6D 3D 22 62 65 72 6E 64 2E 74 65 73 realm="bernd.tes
0100: 74 22 t"
-> bernd-adwin.bernd.test:389
0000: 30 82 01 8B 02 01 02 60 82 01 84 02 01 03 04 00 0......`........
0010: A3 82 01 7B 04 0A 44 49 47 45 53 54 2D 4D 44 35 ......DIGEST-MD5
0020: 04 82 01 6B 63 68 61 72 73 65 74 3D 75 74 66 2D ...kcharset=utf-
0030: 38 2C 75 73 65 72 6E 61 6D 65 3D 22 62 65 72 6E 8,username="bern
0040: 64 5C 5C 74 65 73 74 76 69 65 77 22 2C 72 65 61 d\\testview",rea
0050: 6C 6D 3D 22 62 65 72 6E 64 2E 74 65 73 74 22 2C lm="bernd.test",
0060: 6E 6F 6E 63 65 3D 22 2B 55 70 67 72 61 64 65 64 nonce="+Upgraded
0070: 2B 76 31 30 34 32 64 64 34 66 35 61 64 63 33 66 +v1042dd4f5adc3f
0080: 64 33 66 63 32 36 39 31 64 64 37 63 62 31 39 33 d3fc2691dd7cb193
0090: 31 36 66 65 30 36 65 33 35 31 34 34 32 62 38 64 16fe06e351442b8d
00A0: 35 30 31 31 39 30 34 39 33 64 31 35 39 65 66 61 501190493d159efa
00B0: 38 35 34 39 65 63 63 37 37 62 62 34 31 63 38 38 8549ecc77bb41c88
00C0: 33 36 35 34 34 65 30 30 61 37 61 63 36 39 63 34 36544e00a7ac69c4
00D0: 32 62 39 32 62 39 38 63 34 31 61 39 65 30 65 63 2b92b98c41a9e0ec
00E0: 32 66 63 22 2C 6E 63 3D 30 30 30 30 30 30 30 31 2fc",nc=00000001
00F0: 2C 63 6E 6F 6E 63 65 3D 22 46 36 6C 5A 76 6A 46 ,cnonce="F6lZvjF
0100: 57 55 31 72 59 32 52 6D 64 6C 53 49 6D 38 78 39 WU1rY2RmdlSIm8x9
0110: 47 49 6B 48 67 65 69 61 50 34 34 6F 72 63 75 49 GIkHgeiaP44orcuI
0120: 34 22 2C 64 69 67 65 73 74 2D 75 72 69 3D 22 6C 4",digest-uri="l
0130: 64 61 70 2F 62 65 72 6E 64 2D 61 64 77 69 6E 2E dap/bernd-adwin.
0140: 62 65 72 6E 64 2E 74 65 73 74 22 2C 6D 61 78 62 bernd.test",maxb
0150: 75 66 3D 36 35 35 33 36 2C 72 65 73 70 6F 6E 73 uf=65536,respons
0160: 65 3D 39 32 36 35 33 63 32 65 32 37 35 35 64 36 e=92653c2e2755d6
0170: 61 65 31 37 63 65 34 62 36 35 61 31 30 65 36 36 ae17ce4b65a10e66
0180: 63 33 2C 71 6F 70 3D 61 75 74 68 2D 69 6E 74 c3,qop=auth-int
<- bernd-adwin.bernd.test:389
0000: 30 84 00 00 00 3A 02 01 02 61 84 00 00 00 31 0A 0....:...a....1.
0010: 01 00 04 00 04 00 87 28 72 73 70 61 75 74 68 3D .......(rspauth=
0020: 39 36 32 31 33 30 38 39 65 39 62 37 65 66 36 64 96213089e9b7ef6d
0030: 36 65 30 34 38 64 31 65 32 64 33 61 32 34 35 35 6e048d1e2d3a2455
Connected: name= (obj=javax.naming.directory.InitialDirContext@458c1321)
-> bernd-adwin.bernd.test:389
0000: 30 5B 02 01 03 63 39 04 00 0A 01 00 0A 01 03 02 0[...c9.........
0010: 01 00 02 01 00 01 01 00 87 0B 6F 62 6A 65 63 74 ..........object
0020: 43 6C 61 73 73 30 19 04 17 73 75 70 70 6F 72 74 Class0...support
0030: 65 64 53 41 53 4C 4D 65 63 68 61 6E 69 73 6D 73 edSASLMechanisms
0040: A0 1B 30 19 04 17 32 2E 31 36 2E 38 34 30 2E 31 ..0...2.16.840.1
0050: 2E 31 31 33 37 33 30 2E 33 2E 34 2E 32 .113730.3.4.2
<- bernd-adwin.bernd.test:389
0000: 30 84 00 00 00 60 02 01 03 64 84 00 00 00 57 04 0....`...d....W.
0010: 00 30 84 00 00 00 4F 30 84 00 00 00 49 04 17 73 .0....O0....I..s
0020: 75 70 70 6F 72 74 65 64 53 41 53 4C 4D 65 63 68 upportedSASLMech
0030: 61 6E 69 73 6D 73 31 84 00 00 00 2A 04 06 47 53 anisms1....*..GS
0040: 53 41 50 49 04 0A 47 53 53 2D 53 50 4E 45 47 4F SAPI..GSS-SPNEGO
0050: 04 08 45 58 54 45 52 4E 41 4C 04 0A 44 49 47 45 ..EXTERNAL..DIGE
0060: 53 54 2D 4D 44 35 ST-MD5
<- bernd-adwin.bernd.test:389
0000: 30 84 00 00 00 10 02 01 03 65 84 00 00 00 07 0A 0........e......
0010: 01 00 04 00 04 00 ......
{supportedsaslmechanisms=supportedSASLMechanisms: GSSAPI, GSS-SPNEGO, EXTERNAL, DIGEST-MD5}
-> bernd-adwin.bernd.test:389
0000: 30 22 02 01 04 42 00 A0 1B 30 19 04 17 32 2E 31 0"...B...0...2.1
0010: 36 2E 38 34 30 2E 31 2E 31 31 33 37 33 30 2E 33 6.840.1.113730.3
0020: 2E 34 2E 32 .4.2