Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Imperva Open Sources Active Directory Java Connector

Imperva Open Sources Active Directory Java Connector

Imperva has publicly released the source code to Domain Directory Controller (DDC), a Java library that simplifies common Active Directory integrations.

Unlike Java’s base LdapContext, this library builds on top of Apache Directory LDAP to simplify work such as managing primary/secondary server connections, query pagination, and automatic reconnection attempts. The library is designed to support organizations of any size, including advanced cases where there are multiple Active Directory servers and no cross-forest trust.

DDC also provides an abstraction API over top of the LDAP query syntax. This API provides an enumeration of Active Directory fields, giving developers an easy and statically-typed way of building working queries. This query syntax is more legible in code:

Sentence nameAndDepSentence = queryAssembler
    .addPhrase(FieldType.FIRST_NAME, PhraseOperator.EQUAL,"Gabriel")
    .addPhrase(FieldType.DEPARTMENT, PhraseOperator.EQUAL,"IT")
Sentence countrySentence = queryAssembler
    .addPhrase(FieldType.COUNTRY, PhraseOperator.EQUAL,"Italy")
Sentence finalSentence = queryAssembler

The alternative LDAP query without DDC would look like this:


"Every enterprise IT group is looking to reduce the identity stores used by applications. The most common are Active Directory, LDAP and Kerberos." explains Darren Mar-Elia, a 14-time Microsoft MVP and head of product for Semperis.

A lack of a consistent API to leverage AD caused its own issues and often resulted in sub-optimal use of AD and brittleness for the application. This open source AD library is a great help to those organizations that are looking for a standardized way of integrating their applications into AD in a consistent and secure manner.

The query API also takes steps to mitigate security concerns of LDAP queries, such as LDAP injection, which would otherwise let remote attackers control lookups through String concatenation.

One common activity in Active Directory is user/group resolution. Group membership is often used to determine if a user should have access to an asset or permission within an application. As organizations grow, this membership becomes complicated as a user’s permissions becomes a mix of direct grants, roles, and nested recursive groups. DDC simplifies this otherwise complicated lookup, through the ddc-service isMemberOf method. Application developers can use this for fine-grained access control to determine authorization, after performing authentication through common frameworks like Spring Security or Apache Shiro.

Domain Directory Controller was created by Gabriel Beyo, principal engineer, and is available under an Apache 2 license.

Rate this Article