SEC-1848: AbstractLdapAuthenticator must escape username #2085

Closed
spring-issuemaster opened this Issue Nov 1, 2011 · 2 comments

1 participant

@spring-issuemaster

Mikhail Mazursky (Migrated from SEC-1848) said:

AbstractLdapAuthenticator.getUserDns() must escape provided username before formatting it into userDnFormat. It should use LdapEncoder.nameEncode().

@spring-issuemaster

Luke Taylor said:

Thanks for spotting this. I've added the encoding to the name value when using the userDns approach.

@spring-issuemaster

Vít Novák said:

Unfortunately this change has broken our authentication mechanism. The reason is simple, we first do the search manually with LdapTemplate#search and then we use the distinguishedName to authenticate.

The test could look like this:

  @Test
  public void testAuthenticationWithDistinguishedName() {
    authenticator.setUserDnPatterns(new String[] { "{0}" });
    authenticator.authenticate(new UsernamePasswordAuthenticationToken("uid=bob,ou=people", "bobspassword"));
  }

And it fails with

org.springframework.ldap.BadLdapGrammarException: 
Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: 
Lexical error at line 1, column 4.  Encountered: "\\" (92), after : ""

I am not sure if this is correct usage, anyway could the encoding be configurable?

@spring-issuemaster spring-issuemaster added this to the 3.1.0 milestone Feb 5, 2016