SEC-1915: Add customisation of search filter in ActiveDirectoryLdapAuthenticationProvider #2143

Closed
spring-issuemaster opened this Issue Feb 16, 2012 · 11 comments

@spring-issuemaster

Tseliso Molukanele (Migrated from SEC-1915) said:

Currently the search filter used when retrieving user details is hard coded to '(&(objectClass=user)(userPrincipalName={0}))'.

When this hard coded filter is not consistent with the actual active directory instance it causes an org.springframework.dao.IncorrectResultSizeDataAccessException because the search returns with empty results after successful authentication.

A possible solution is to modify the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider to allow a configurable search filter via bean configuration.

Another possible solution is to make the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider extendable instead of final with protected instead of private functional methods to allow for easier customisation.

See question
http://stackoverflow.com/questions/9258047/spring-security-3-1-active-directory-authentication

@spring-issuemaster

Tseliso Molukanele said:

This is a patch solving this problem according to the first suggestion in the issue description.

The patch adds new properties to enable configuration of user searching to make it more dynamic and capable.

@spring-issuemaster

Cuong Q. Tran said:

I'd suggest to pass both the dn and username as arguments to the search filter ({0} and {1}).

@spring-issuemaster

Andrejs said:

Submitted as pull request #18

@spring-issuemaster

Lefebvre said:

When do you plan to release this patch?

@spring-issuemaster

Andrejs said:

@Lefebvre The patch is submitted as a pull request but hasn't been merged in yet.

@spring-issuemaster

David Ellinger said:

Has there been any word on this? I have a scenario where I need the functionality of the pull request. Is there anything I can do to help out on my end? Maybe merge in the pull request with the 3.2.4 version?

@spring-issuemaster

Andrey Panov said:

I also have an ActiveDirectory setup where the domain differs from the rootDn (because of migration).

@spring-issuemaster

Ryan LaMothe said:

We have this exact same issue. Our users' login name is located at 'sAMAccountName' and NOT at 'userPrincipalName'. For whatever unknown reason, the class ActiveDirectoryLdapAuthenticationProvider is marked 'final' and cannot be extended to fix this hard-coded bug. Our only option at this point is to either use Spring's raw LDAP classes instead or copy this class's code content into a new class and fix the bug. The correct solution, as noted elsewhere, is to allow users to pass in the correct searchFilter themselves.

Please fix this ASAP. Thanks.

@spring-issuemaster

Mateusz Rasiński said:

Submitted a pull request: #157

@spring-issuemaster

Rob Winch said:

Thanks for the PR! A custom search filter will be available in 3.2.6+ and 4.0.0.RC2+, which will be available later this week.
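
How the configurable filter from this issue is used once it ships, as an added Java configuration example (not code from the PR or from the Spring Security project). The domain, LDAP URL, root DN and the class name AdSecurityConfig are placeholders; the filter swaps the default `userPrincipalName={0}` lookup for the `sAMAccountName` lookup several commenters asked for.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AdSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider adAuthenticationProvider() {
        // Placeholder domain, URL and root DN. The three-argument constructor sets the
        // search base explicitly, which covers the case above where the domain no
        // longer matches the rootDn after a migration.
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(
                        "corp.example.com",
                        "ldaps://dc1.corp.example.com:636/",
                        "dc=corp,dc=example,dc=com");

        // Default filter is (&(objectClass=user)(userPrincipalName={0})).
        // {0} is replaced with the bind principal (username@domain),
        // {1} with the username exactly as the user typed it.
        // Directories that key accounts on sAMAccountName need {1}.
        provider.setSearchFilter("(&(objectClass=user)(sAMAccountName={1}))");

        // The provider fills {0}/{1} in as LDAP filter arguments; never build the
        // filter string from the username yourself, that reopens LDAP injection.

        // Surface AD sub-error codes (expired password, locked account, ...) as
        // distinct exceptions instead of a generic bad-credentials failure.
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(adAuthenticationProvider());
    }
}
```

A search that still returns zero entries after a successful bind (the IncorrectResultSizeDataAccessException in the issue description) now points at a wrong filter or search base rather than at the provider itself.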

@spring-issuemaster spring-issuemaster added this to the 4.0.0.RC2 milestone Feb 5, 2016
@spring-issuemaster

This issue relates to #3114
This issue supersedes #2448
