SEC-1848: AbstractLdapAuthenticator must escape username #2085

spring-issuemaster opened this Issue Nov 1, 2011 · 2 comments


Mikhail Mazursky (Migrated from SEC-1848) said:

AbstractLdapAuthenticator.getUserDns() must escape provided username before formatting it into userDnFormat. It should use LdapEncoder.nameEncode().

Luke Taylor said:

Thanks for spotting this. I've added the encoding to the name value when using the userDns approach.

Vít Novák said:

Unfortunately, this change has broken our authentication mechanism. The reason is simple: we first do the search manually with LdapTemplate#search and then we use the distinguishedName to authenticate.

The test could look like this:

  public void testAuthenticationWithDistinguishedName() {
    // The pattern "{0}" makes the supplied username the complete DN
    authenticator.setUserDnPatterns(new String[] { "{0}" });
    authenticator.authenticate(new UsernamePasswordAuthenticationToken("uid=bob,ou=people", "bobspassword"));
  }

And it fails with

Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: 
Lexical error at line 1, column 4.  Encountered: "\\" (92), after : ""

I am not sure if this is correct usage; anyway, could the encoding be configurable?

@spring-issuemaster spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016
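
The behaviour discussed in this thread, as an added example that is not part of the original issue and is not Spring Security's code: it formats a username into a DN pattern with and without escaping, then parses the result with the JDK's `LdapName`. The helper `escapeDnValue` is a hypothetical, simplified stand-in for `LdapEncoder.nameEncode()`, and the pattern and usernames are constructed sample values.

```java
import java.text.MessageFormat;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class DnPatternEscaping {

    // Hypothetical helper: simplified stand-in for LdapEncoder.nameEncode().
    // Backslash-escapes the printable characters that have meaning inside a DN.
    static String escapeDnValue(String value) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean edgeSpace = c == ' ' && (i == 0 || i == value.length() - 1);
            boolean leadingHash = c == '#' && i == 0;
            if (",=+<>;\"\\".indexOf(c) >= 0 || edgeSpace || leadingHash) {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    // Parses the DN with the JDK parser and reports how many RDNs it contains.
    static String describe(String dn) {
        try {
            return dn + "  ->  " + new LdapName(dn).size() + " RDNs";
        } catch (InvalidNameException e) {
            return dn + "  ->  not a valid DN";
        }
    }

    public static void main(String[] args) {
        String pattern = "uid={0},ou=people,dc=example,dc=org"; // constructed sample pattern
        String username = "bob,ou=admins";                      // constructed sample input

        // Unescaped: the comma in the username is read as an RDN separator,
        // so the input changes the structure of the DN.
        System.out.println(describe(MessageFormat.format(pattern, username)));
        // Escaped: the whole username stays inside the uid attribute value.
        System.out.println(describe(MessageFormat.format(pattern, escapeDnValue(username))));
        // Pattern "{0}" with a full DN as the username: escaping '=' and ','
        // leaves no attribute type, so the result no longer parses as a DN.
        System.out.println(describe(MessageFormat.format("{0}", escapeDnValue("uid=bob,ou=people"))));
    }
}
```

The third call reproduces the situation in the last comment: a value that is already a complete DN is not a name component, so encoding it as one yields a string the DN parser rejects.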
