
Imperva Open Sources Active Directory Java Connector


Imperva has publicly released the source code to Domain Directory Controller (DDC), a Java library that simplifies common Active Directory integrations.

Unlike Java’s base LdapContext, this library builds on top of Apache Directory LDAP to simplify work such as managing primary/secondary server connections, query pagination, and automatic reconnection attempts. The library is designed to support organizations of any size, including advanced cases where there are multiple Active Directory servers and no cross-forest trust.

DDC also provides an abstraction API on top of the LDAP query syntax. This API provides an enumeration of Active Directory fields, giving developers an easy and statically typed way of building working queries. This query syntax is more legible in code:

Sentence nameAndDepSentence = queryAssembler
    .addPhrase(FieldType.FIRST_NAME, PhraseOperator.EQUAL,"Gabriel")
    .addPhrase(FieldType.DEPARTMENT, PhraseOperator.EQUAL,"IT")
    .closeSentence(SentenceOperator.AND);
Sentence countrySentence = queryAssembler
    .addPhrase(FieldType.COUNTRY, PhraseOperator.EQUAL,"Italy")
    .closeSentence();
Sentence finalSentence = queryAssembler
    .addSentence(nameAndDepSentence)
    .addSentence(countrySentence)
    .closeSentence(SentenceOperator.OR);

The alternative LDAP query without DDC would look like this:

(&(&(co=Italy)(department=IT)(division=Security))(|(givenName=Gabriel)(givenName=Noam)))

"Every enterprise IT group is looking to reduce the identity stores used by applications. The most common are Active Directory, LDAP and Kerberos," explains Darren Mar-Elia, a 14-time Microsoft MVP and head of product for Semperis.

A lack of a consistent API to leverage AD caused its own issues and often resulted in sub-optimal use of AD and brittleness for the application. This open source AD library is a great help to those organizations that are looking for a standardized way of integrating their applications into AD in a consistent and secure manner.

The query API also takes steps to mitigate security concerns with LDAP queries, such as LDAP injection, which would otherwise let remote attackers alter lookups when filters are assembled through String concatenation of untrusted input.
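As an added example (not DDC's own code), the following Python sketch shows what the typed phrase/sentence assembler above buys you: attribute names come only from an enumeration and every value is escaped per RFC 4515, so a value containing ")(" cannot change the filter's structure the way it does when the filter is concatenated. Field, Op, phrase and sentence are stand-ins for illustration, not DDC's API.

```python
# Added illustration, not DDC's own code: a typed phrase/sentence builder
# that renders to an LDAP filter, escaping values per RFC 4515 so input
# cannot change the filter's structure the way String concatenation can.
from enum import Enum
from typing import Optional

# Characters that alter filter structure; RFC 4515 requires them escaped
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it can only ever be matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

class Field(Enum):  # hypothetical subset of an AD attribute enumeration
    FIRST_NAME = "givenName"
    DEPARTMENT = "department"
    COUNTRY = "co"

class Op(Enum):
    AND = "&"
    OR = "|"

def phrase(field: Field, value: str) -> str:
    """One equality assertion; the attribute name comes from the enum only."""
    return f"({field.value}={escape_filter_value(value)})"

def sentence(*parts: str, op: Optional[Op] = None) -> str:
    """Combine rendered phrases/sentences; a single part needs no operator."""
    if op is None:
        if len(parts) != 1:
            raise ValueError("multi-part sentence needs an operator")
        return parts[0]
    return f"({op.value}{''.join(parts)})"

def vulnerable_filter(first_name: str) -> str:
    """The anti-pattern: untrusted text spliced straight into the filter."""
    return "(&(givenName=" + first_name + ")(department=IT))"

def safe_filter(first_name: str) -> str:
    """Same lookup via typed phrases; the value cannot add an assertion."""
    return sentence(phrase(Field.FIRST_NAME, first_name),
                    phrase(Field.DEPARTMENT, "IT"), op=Op.AND)

def example_query() -> str:
    """Mirrors the article: (firstName AND department) OR country."""
    name_and_dep = sentence(phrase(Field.FIRST_NAME, "Gabriel"),
                            phrase(Field.DEPARTMENT, "IT"), op=Op.AND)
    country = sentence(phrase(Field.COUNTRY, "Italy"))
    return sentence(name_and_dep, country, op=Op.OR)
```

Passing a constructed value such as "Gabriel)(department=*" to vulnerable_filter yields a filter with an extra assertion, while safe_filter renders the same value as inert escaped text.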

One common activity in Active Directory is user/group resolution. Group membership is often used to determine whether a user should have access to an asset or permission within an application. As organizations grow, this membership becomes complicated as a user’s permissions become a mix of direct grants, roles, and nested recursive groups. DDC simplifies this otherwise complicated lookup through the ddc-service isMemberOf method. Application developers can use this for fine-grained access control to determine authorization, after performing authentication through common frameworks like Spring Security or Apache Shiro.

Domain Directory Controller was created by Gabriel Beyo, principal engineer, and is available under an Apache 2 license.
