SEC-1915: Add customisation of search filter in ActiveDirectoryLdapAuthenticationProvider #2143

spring-issuemaster opened this Issue Feb 16, 2012 · 11 comments


Tseliso Molukanele (Migrated from SEC-1915) said:

Currently the search filter used when retrieving user details is hard coded to '(&(objectClass=user)(userPrincipalName={0}))'.

When this hard coded filter is not consistent with the actual active directory instance it causes an org.springframework.dao.IncorrectResultSizeDataAccessException because the search returns with empty results after successful authentication.

A possible solution is to modify the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider to allow a configurable search filter via bean configuration.

Another possible solution is to make the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider extendable instead of final with protected instead of private functional methods to allow for easier customisation.

See question

Tseliso Molukanele said:

This is a patch solving this problem according to the first suggestion in the issue description.

The patch adds new properties to enable configuration of user searching to make it more dynamic and capable.

Cuong Q. Tran said:

I'd suggest to pass both the dn and username as arguments to the search filter ({0} and {1}).

Andrejs said:

Submitted as pull request SpringSource#18

Lefebvre said:

When do you plan to release this patch?

Andrejs said:

@lefebvre The patch is submitted as a pull request but hasn't been merged in yet.

David Ellinger said:

Has there been any word on this? I have a scenario where I need the functionality of the pull request. Is there anything I can do to help out on my end? Maybe merge in the pull request with the 3.2.4 version?

Andrey Panov said:

I also have an ActiveDirectory setup, where the domain differs from rootDn (because of migration).

Ryan LaMothe said:

We have this exact same issue. Our user's login name is located at 'sAMAccountName' and NOT at 'userPrincipalName'. For whatever unknown reason, the class ActiveDirectoryLdapAuthenticationProvider is marked 'final' and cannot be extended to fix this hard-coded bug. Our only option at this point is to either use Spring's raw LDAP classes instead or copy this class's code content into a new class and fix the bug. The correct solution, as noted elsewhere, is to allow users to pass in the correct searchFilter themselves.

Please fix this ASAP. Thanks.

Mateusz Rasiński said:

Submitted a pull request: #157

Rob Winch said:

Thanks for the PR! Custom search filter will be available in 3.2.6+ and 4.0.0.RC2+ which will be available later this week.

@spring-issuemaster spring-issuemaster added this to the 4.0.0.RC2 milestone Feb 5, 2016

This issue relates to #3114
This issue supersedes #2448
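
Added example, not part of the issue thread and not Spring Security's own code: a JDK-only illustration of a configurable filter template in which `{0}` is the bind principal and `{1}` the bare username (an assumed mapping, following the two-argument suggestion in the comments), with each argument escaped per RFC 4515 before substitution. The class name, helper names and sample values are hypothetical.

```java
import java.text.MessageFormat;

public class AdSearchFilterExample {

    // Hard-coded filter quoted in the issue description.
    static final String DEFAULT_FILTER = "(&(objectClass=user)(userPrincipalName={0}))";
    // Alternative for directories that key logins on sAMAccountName, as reported in the thread.
    static final String SAM_FILTER = "(&(objectClass=user)(sAMAccountName={1}))";

    /** Escape a value for use inside an LDAP search filter (RFC 4515 special characters). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Assumed mapping: {0} = username@domain (bind principal), {1} = bare username. */
    static String buildFilter(String template, String username, String domain) {
        int at = username.indexOf('@');
        String bare = at >= 0 ? username.substring(0, at) : username;
        String bindPrincipal = at >= 0 ? username : username + "@" + domain;
        return MessageFormat.format(template,
                escapeFilterValue(bindPrincipal), escapeFilterValue(bare));
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String domain = "corp.example.com";
        // Default filter: matches only if userPrincipalName equals jdoe@corp.example.com.
        System.out.println(buildFilter(DEFAULT_FILTER, "jdoe", domain));
        // Custom filter: matches on the short login name instead.
        System.out.println(buildFilter(SAM_FILTER, "jdoe", domain));
        // A wildcard typed into the login field is escaped, so the filter still
        // targets a single literal value rather than a pattern.
        System.out.println(buildFilter(SAM_FILTER, "j*doe", domain));
    }
}
```

Any filter template exposed through configuration should keep an `objectClass` restriction and take its arguments only through the placeholders, so that escaping is applied to everything the user typed.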
