JavaからActive Directory(LDAPS)接続(自己署名証明書の検証スルーコード付き)
自分向けの備忘録として。
基本はこちら。
こちらの記事だと自己証明書のスルーに使用しているのが X509TrustManager だが、新しいTLSに対応するためには代わりに X509ExtendedTrustManager を実装してあげる必要がある。
よって、以下のような感じになる。
接続側
Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, LDAP_URL); env.put(Context.SECURITY_AUTHENTICATION, "simple"); env.put(Context.SECURITY_PRINCIPAL, AD_USER_NAME); env.put(Context.SECURITY_CREDENTIALS, AD_PASSWORD); env.put("java.naming.security.protocol", "ssl"); env.put("java.naming.ldap.factory.socket", LooseSSLSocketFactory.class.getName()); DirContext ctx = null; try { List<Map<String, String>> ret = new ArrayList<>(); ctx = new InitialDirContext(env); for (NamingEnumeration<SearchResult> search = ctx.search("OU=XX,dc=XXXX,dc=local", null); search.hasMoreElements();) { SearchResult next = search.next(); Attributes attributes = next.getAttributes(); //実際の処理 } return ret; } catch (AuthenticationException ae) { //認証に失敗した ae.printStackTrace(); } catch (Exception e) { e.printStackTrace(); } finally { if (ctx != null) { try { ctx.close(); } catch (NamingException ex) { } } }
LooseSSLSocketFactory
package dev.megascus.ssl; import java.io.IOException; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; import java.security.SecureRandom; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import javax.net.SocketFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.X509ExtendedTrustManager; import javax.net.ssl.X509TrustManager; public class LooseSSLSocketFactory extends SSLSocketFactory { SSLSocketFactory delegate; public LooseSSLSocketFactory() { try { SSLContext sslContext = SSLContext.getInstance("SSL"); sslContext.init(null, new X509TrustManager[] { new X509ExtendedTrustManager() { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public X509Certificate[] getAcceptedIssuers() { return null; } @Override public void checkClientTrusted(X509Certificate[] xcs, String string, Socket socket) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] xcs, String string, Socket socket) throws CertificateException { } @Override public void checkClientTrusted(X509Certificate[] xcs, String string, SSLEngine ssle) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] xcs, String string, SSLEngine ssle) throws CertificateException { } } }, new SecureRandom()); delegate = sslContext.getSocketFactory(); } catch (Exception e) { throw new RuntimeException(e); } } @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); } @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); } @Override public Socket createSocket(Socket socket, String s, int i, boolean b) throws IOException { return delegate.createSocket(socket, s, i, b); } @Override public Socket createSocket(String s, int i) throws IOException, UnknownHostException { return delegate.createSocket(s, i); } @Override public Socket createSocket(String s, int i, InetAddress inetAddress, int i1) throws IOException, UnknownHostException { return delegate.createSocket(s, i, inetAddress, i1); } @Override public Socket createSocket(InetAddress inetAddress, int i) throws IOException { return delegate.createSocket(inetAddress, i); } @Override public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress1, int i1) throws IOException { return delegate.createSocket(inetAddress, i, inetAddress1, i1); } public static SocketFactory getDefault() { return new LooseSSLSocketFactory(); } }
なお、Active Directoryは普通にやると1000件しか結果が返ってこない。 1000件以上登録されている可能性がある場合は以下の記事を参考にする。