Showing posts with label AD. Show all posts

Friday, January 10, 2014

Java Code to Search Active Directory on LDAPS

Here is sample Java (JNDI) code that searches Active Directory over LDAPS for user information. The bind is a simple bind, so the admin account's password is sent to the domain controller as-is and is protected only by the TLS connection: use ldaps:// on port 636, never plain ldap://. The trust store named in javax.net.ssl.trustStore must contain the CA that issued the domain controller's certificate; if the certificate does not validate, the connection fails, which is the behaviour you want.

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;

public class SearchActiveDirectory {
 public void getUserDetails() {

  Hashtable<String, String> env = new Hashtable<String, String>();
  String adminName = "<<DN of the Admin Account>>";
  String adminPassword = "<<Password of Admin Account>>";
  String ldapURL = "ldaps://<<ADHost>>:636";
  String keystore = "<<Path to the trust store holding the domain controller's CA certificate>>";
  String searchBase = "<<Base DN>>";

  // Trust store used to validate the domain controller's certificate during the TLS handshake.
  // Without this the JVM falls back to its default cacerts, which will not contain a private AD CA.
  System.setProperty("javax.net.ssl.trustStore", keystore);
  env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

  // Set security credentials. A simple bind transmits the password as-is,
  // so it is only acceptable because the connection is LDAPS (ldaps://, port 636).
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  env.put(Context.SECURITY_PRINCIPAL, adminName);
  env.put(Context.SECURITY_CREDENTIALS, adminPassword);
  // Specify use of SSL/TLS
  env.put(Context.SECURITY_PROTOCOL, "ssl");
  // Connect to the domain controller
  env.put(Context.PROVIDER_URL, ldapURL);

  DirContext ctx = null;
  try {
   // Create the initial directory context (this opens the TLS connection and performs the bind)
   ctx = new InitialLdapContext(env, null);

   // Create the search controls
   SearchControls searchCtls = new SearchControls();

   // Specify the attributes to return
   String[] returnedAtts = { "sAMAccountName", "sn", "givenName",
     "mail", "description", "userAccountControl", "whenCreated", "distinguishedName" };
   searchCtls.setReturningAttributes(returnedAtts);

   // Specify the search scope
   searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

   // Specify the LDAP search filter: user objects, excluding computer accounts (which are
   // also objectClass=user), created on or after 27 Dec 2013 00:00 UTC (generalized time).
   // The commented-out variant looks up one account by sAMAccountName. Note that concatenating
   // an unescaped username into the filter like this is an LDAP injection risk.
   //String searchFilter = "(&(objectClass=user)(sAMAccountName="+username+"))";
   String searchFilter = "(&(objectClass=user)(!(objectClass=computer))(whenCreated>=20131227000000.0Z))";

   // Search for objects using the filter
   NamingEnumeration<SearchResult> answer = ctx.search(searchBase, searchFilter, searchCtls);

   // Loop through the search results
   while (answer.hasMore()) {
    SearchResult sr = answer.next();
    Attributes attrs = sr.getAttributes();
    if (attrs != null) {
     // An attribute that is not set on the object comes back as null, so check before calling get()
     Attribute sam = attrs.get("sAMAccountName");
     Attribute created = attrs.get("whenCreated");
     System.out.println((sam != null ? sam.get() : "") + "," + (created != null ? created.get() : ""));
     System.out.println(attrs.get("distinguishedName"));
    }
   }
  } catch (NamingException e) {
   System.err.println("Problem searching directory: " + e);
  } finally {
   // Always release the connection, even when the search fails
   if (ctx != null) {
    try {
     ctx.close();
    } catch (NamingException ignored) {
     // nothing useful to do if close itself fails
    }
   }
  }
 }

 public static void main(String[] args) throws Exception {
  SearchActiveDirectory s = new SearchActiveDirectory();
  s.getUserDetails();
 }
}
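As an added example that is not part of the original post: the commented-out per-user filter above builds its value by string concatenation, which is an LDAP injection vector, and the search retrieves userAccountControl without interpreting it. The class below is my own code, not the post's; SafeAdLookup, escapeFilterValue, userFilter, findUser, describeUserAccountControl and the sample inputs are assumed names and constructed values. It escapes filter values per RFC 4515, shows JNDI's {0} parameter substitution as the preferred alternative, and decodes the userAccountControl bits. main runs offline; findUser needs a bound DirContext such as the one the post creates.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example, not code from the original post.
public final class SafeAdLookup {

 // Subset of the userAccountControl flag bits documented in the AD schema.
 static final int UF_ACCOUNTDISABLE       = 0x0002;
 static final int UF_PASSWD_NOTREQD       = 0x0020;
 static final int UF_NORMAL_ACCOUNT       = 0x0200;
 static final int UF_DONT_EXPIRE_PASSWD   = 0x10000;
 static final int UF_DONT_REQUIRE_PREAUTH = 0x400000;

 // Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
 // the characters with filter-syntax meaning become \xx hex escapes.
 static String escapeFilterValue(String value) {
  StringBuilder sb = new StringBuilder(value.length());
  for (int i = 0; i < value.length(); i++) {
   char c = value.charAt(i);
   switch (c) {
    case '\\':     sb.append("\\5c"); break;
    case '*':      sb.append("\\2a"); break;
    case '(':      sb.append("\\28"); break;
    case ')':      sb.append("\\29"); break;
    case '\u0000': sb.append("\\00"); break;
    default:       sb.append(c);
   }
  }
  return sb.toString();
 }

 // The post's commented-out per-user filter, built with the value escaped.
 static String userFilter(String samAccountName) {
  return "(&(objectClass=user)(!(objectClass=computer))(sAMAccountName="
    + escapeFilterValue(samAccountName) + "))";
 }

 // Same lookup using JNDI's own {0} parameter substitution: the LDAP provider
 // encodes the argument itself, so no hand-built concatenation is needed.
 static NamingEnumeration<SearchResult> findUser(DirContext ctx, String searchBase,
   String samAccountName) throws NamingException {
  SearchControls ctls = new SearchControls();
  ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
  ctls.setReturningAttributes(new String[] { "sAMAccountName", "userAccountControl", "distinguishedName" });
  ctls.setCountLimit(1); // sAMAccountName is unique within a domain; never accept more than one hit
  return ctx.search(searchBase,
    "(&(objectClass=user)(!(objectClass=computer))(sAMAccountName={0}))",
    new Object[] { samAccountName }, ctls);
 }

 // Turn the integer userAccountControl attribute (JNDI returns it as a decimal string;
 // parse it with Integer.parseInt) into readable flags.
 static String describeUserAccountControl(int uac) {
  StringBuilder sb = new StringBuilder();
  if ((uac & UF_NORMAL_ACCOUNT) != 0)       sb.append("NORMAL_ACCOUNT ");
  if ((uac & UF_ACCOUNTDISABLE) != 0)       sb.append("DISABLED ");
  if ((uac & UF_PASSWD_NOTREQD) != 0)       sb.append("PASSWD_NOTREQD ");
  if ((uac & UF_DONT_EXPIRE_PASSWD) != 0)   sb.append("DONT_EXPIRE_PASSWD ");
  if ((uac & UF_DONT_REQUIRE_PREAUTH) != 0) sb.append("DONT_REQUIRE_PREAUTH ");
  return sb.toString().trim();
 }

 public static void main(String[] args) {
  // Constructed hostile input: it closes the sAMAccountName assertion and appends
  // (objectClass=*), so the naive concatenated filter matches every user in the tree.
  String hostile = "*)(objectClass=*";
  System.out.println("naive:   (&(objectClass=user)(sAMAccountName=" + hostile + "))");
  System.out.println("escaped: " + userFilter(hostile));

  // Constructed value: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE
  int sampleUac = UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_ACCOUNTDISABLE;
  System.out.println(describeUserAccountControl(sampleUac));
 }
}
```

The DONT_REQUIRE_PREAUTH and PASSWD_NOTREQD flags are worth surfacing in any account report built on this search: both weaken the account's authentication independently of its password.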

Wednesday, July 21, 2010

Is it Possible to Change the AD Organization Name from an Access Policy?

There is some confusion about the way access policies work for AD. Once an access policy is created and assigned to a group, whenever a user is added to that group the access policy is applied to that user and the AD User resource is provisioned to them.

Now open the access policy you created. If you change the group membership on the Active Directory process form (the child form) in the access policy, the change works and is updated on the target side. But if you update the Organization Name on the Active Directory process form (the parent form), the change is reflected neither on the target side nor on the OIM side. One may then ask why a change in the child form is reflected in the target system while a change in the parent form is not.


According to the development team, the above behaviour is correct. The documentation says: "Access policy engine checks if the resource is already provisioned to the user. If it is, then the resource will not be provisioned again. [...] After this, it checks the list of policies being newly added to see if any of them specify child table data for this resource. If they do, then the appropriate child table entries need to be made in the process form for this resource."


This explains why the change to the organization has no effect (the resource is not provisioned again) while the change to the child form does (new child table entries are added): any change in the child form is reflected, but changes to the parent form, including the organization name, are not.

Regards,
Sunny Ajmera