Home/ Questions/Q 8517853
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T05:49:14+00:00

I’m maintaining some legacy Java LDAP code. I know next to nothing about LDAP.

  • 0

I’m maintaining some legacy Java LDAP code. I know next to nothing about LDAP.

The program below basically just sends the userid and password to the LDAP server, receives notification back if the credentials are good. If so, it prints out the LDAP attributes received from the LDAP server, if not it prints out an exception.

All works well if a bad password is given. An “invalid credentials” exception gets thrown. However, if a blank password is sent to the LDAP Server, authentication will still happen, LDAP attributes will still be returned.

Is this unhappy situation due to the LDAP server allowing blank passwords, or does the code below need to be adjusted such a blank password will get fed to the LDAP server in such a way so it will get rejected?

I do have data validation in place. I took it off in a testing environment to solve another issue and noticed this problem. I would prefer not to have this problem underneath the data validation.

Thanks much in advance for any information

import javax.naming.*;
import javax.naming.directory.*;
import java.util.*;
import java.sql.*;

public class LDAPTEST {

    public static void main(String args[]) {

        String lcf                = "com.sun.jndi.ldap.LdapCtxFactory";
        String ldapurl            = "ldaps://ldap-cit.smew.acme.com:636/o=acme.com";
        String loginid            = "George.Jetson";
        String password           = "";
        DirContext ctx            = null;
        Hashtable env             = new Hashtable();
        Attributes attr           = null;
        Attributes resultsAttrs   = null;
        SearchResult result       = null;
        NamingEnumeration results = null;
        int iResults              = 0;
        int iAttributes           = 0;


        env.put(Context.INITIAL_CONTEXT_FACTORY, lcf);
        env.put(Context.PROVIDER_URL, ldapurl);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=" + loginid + ",ou=People,o=acme.com");
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {

            ctx     = new InitialDirContext(env);
            attr    = new BasicAttributes(true);
            attr.put(new BasicAttribute("uid",loginid));
            results = ctx.search("ou=People",attr);

            while (results.hasMore()) {
                result       = (SearchResult)results.next();
                resultsAttrs = result.getAttributes();

                for (NamingEnumeration enumAttributes  = resultsAttrs.getAll(); enumAttributes.hasMore();) {
                    Attribute a = (Attribute)enumAttributes.next();
                    System.out.println("attribute: " + a.getID() + " : " + a.get().toString());
                    iAttributes++;


                }// end for loop

                iResults++;
            }// end while loop

            System.out.println("Records  == " + iResults + " Attributes: " + iAttributes);

        }// end try
        catch (Exception e) {
            e.printStackTrace();
        }



    }// end function main()
}// end class LDAPTEST
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Unfortunately, the authentication with a DN and an empty password is one of the difficiency of LDAP, and results in an "unauthenticated" positive response from the server.
    Some LDAP servers have configuration options to disable that behavior that has been discouraged in the latest revision of LDAPv3 (RFC 4511), and even have it disabled by default.

    Ultimately, the client application should check input parameters and make sure the password is not empty.

    • 0