SEC-1963: ActiveDirectoryLdapAuthenticationProvider: flag binary attributes

[spring-projects-issues]

Mark Rigby-Jones (Migrated from SEC-1963) said:

JNDI is not able to correctly detect binary attributes in Active Directory, leading to some attributes (such as the SID and GUID) to be incorrectly transferred in text mode, leading to corruption for certain values. A fix for this is to add an additional item to the environment in bindAsUser(...):

env.put("java.naming.ldap.attributes.binary", "objectGUID objectSid");

[spring-projects-issues]

Michael Osipov said:

How is JNDI supposed to do that? I does not process the directory's schema. This actually your task. A setter for binary attribute names would suffice. Are you able to provide a patch?

[spring-projects-issues]

Mark Rigby-Jones said:

Patch against Spring Security 3.1.2

[spring-projects-issues]

Mark Rigby-Jones said:

I'm aware that detecting binary attributes is not in JNDI's purview. ActiveDirectoryLdapAuthenticationProvider, however can safely make assumptions about the schema and tell JNDI which attributes should be treated as binary. As this is a final class and the underlying JNDI is not exposed, the only workaround I've found is to create a modified copy of the class.

[spring-projects-issues]

Dmitriy Sh said:

Thank you, Mark. Very strange that class in spring ldap package org.springframework.ldap.core.support.LdapContextSource has property java.naming.ldap.attributes.binary and I can there get bunary GUID and SID (string versions of course are corrupted). But in spring security class ActiveDirectoryLdapAuthenticationProvider has no such feature :-( It has no any configuration for binary fields. String versions are corrupted and sensles. I am using the latest 3.1.3 version and still patch is not there :-( Please, add patch at least in next spring security 3.1.4 ....

[msal98]

This is an ancient ticket at this point, but is there any update on this? I'm running into the same problem where objectGUIDs are being corrupted. The only workaround since ActiveDirectoryLdapAuthenticationProvider is final is to write your own.

[OlegSkr]

put jndi.properties in "src/main/resources" with the contents:
java.naming.ldap.attributes.binary=objectSid

see: https://docs.oracle.com/javase/7/docs/api/javax/naming/Context.html#RESOURCEFILES