StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POHow to translate a domain name to LDAP DC when working in a Active Directory forest in Java?
primarykey
Id
6516665
data
AcceptedAnswerId
6521099
AnswerCount
2
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2011-06-29T06:39:39.833
FavoriteCount
0
LastActivityDate
2012-06-18T18:14:39.353
LastEditDate
2011-07-15T16:23:54.427
LastEditorUserId
696632
OwnerUserId
696632
ParentId
0
PostTypeId
1
Score
2
ViewCount
3180
LastEditorDisplayName
text
Body
I am struggling with a problem where I wasn't able to find a lean and generic solution. This is my situation: I am in a huge AD forest with > 20 sub domains replicating over several hundreds servers. Say the main domain and Kerberos realm is <code>COMPANY.COM</code> and I am working in <code>D1.COMPANY.COM</code>. I do connect from Java to the global catalog and are able to access the entire forrest to support all company users. My connection URL is like this: <code>ldap://mycompany.com:3268/DC=company,DC=com</code> The entire stuff is running in a webapp using SPNEGO to authenticate the users which works very well. I.e., after sucessful login I do receive the users UPN/Kerberos principal. Due to some reasons all UPN fields in the forest where altered to match user's email address rather to leave the UPN value intact. This means that I an not able to search for the search by the krb princ but I have to strip out the username and search by <code>sAMAccountName</code>. I presumed the <code>sAMAccountName</code> is unique in the entire forest until a user failed to login yesterday. After some LDAP query magic I figured out that two users have the same <code>sAMAccountName</code> in two different domains. My search fails. So the issue is, how do I determine the base DN/DC of a realm/sub domain based in the Kerberos realm? I figured out several approaches with a stripped realm string: <ol> <li>constuct an LDAP URL and connect to and read defaultNamingContext</li> <li>reformat domain name to DC=d1,DC...</li> </ol> Currently, I am using approach 2 which seems to be the easiest way. Altough some C# post here on stack overflow said that this might fail due to disjoint spaces. Is anyone aware of a safe solution? The best would be actually to translate Kerberos principals to user principal names.
Tags
<java><active-directory><ldap><kerberos>
Title
How to translate a domain name to LDAP DC when working in a Active Directory forest in Java?
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USMichael-O
UserOwnerUserId
1. USMichael-O
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POHow to translate a domain name to LDAP DC when working in a Active Directory forest in Java?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. COsamAccountName is unique across the forest. Otherwise there is some serious problem in your servers. Probably the GC is out of sync on those two servers?
 singulars
 PostPostId
 POHow to translate a domain name to LDAP DC when working in a Active Directory forest in Java?
 UserUserId
 USkalyan
2. CO@kalyan Actually it's not. It has to be according to [this](http://technet.microsoft.com/en-us/library/ee198826.aspx) article. It seems that the admin guys were really sloppy. I double-checked ti and their account creation script verifies against the domain only. This is pita. The accounts where created years ago and the last change time is old.
 singulars
 PostPostId
 POHow to translate a domain name to LDAP DC when working in a Active Directory forest in Java?
 UserUserId
 USMichael-O

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.