Frank Scheffler (Migrated from SEC-2017) said:
The mentioned method uses Spring LDAP Template to search for the given user in AD. However, if the given user does not exist at all in the directory, the template throws IncorrectResultSizeException and not NamingException, as expected.
Sample stack-trace in Tomcat:
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0
Frank Scheffler said:
Not yet tested if this also affects pure LDAP authentication, i.e. not AD.
Rob Winch said:
This should not impact anything else because it is caught by FilterBasedLdapUserSearch#searchForUser and rethrown as UsernameNotFoundException, which would be expected.
The IncorrectResultSizeDataAccessException is now wrapped in the same manner it would be with the default setup for LdapUserAuthenticationProvider. Specifically the Exception ends up looking like
new BadCredentialsException(new UsernameNotFoundException(incorrectResultSizeException));
In my case it was not caught by anything in between, but rather went through, leading to HTTP/500 errors. Nevertheless, thanks for the fix; I will check as soon as it's released.
Can you clarify the last statement? When you say "it" was not caught by anything in between are you referring to the ActiveDirectoryLdapAuthenticationProvider (which was broken and is now fixed) or were you referring to LdapAuthenticationProvider which should be working already. I ask because I want to be sure we got everything fixed and understood the scope of this bug properly.
I was referring to the AD-Provider, which did not catch the IncorrectResultSizeException. Did not check with LdapXXXProvider.
Alright. I was concerned that you didn't feel like everything had been addressed but it appears that is not the case. Thank you for your prompt response.
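The wrapping Rob describes above, as an added example that is not part of the original thread and not the Spring Security project's own code. It assumes spring-ldap-core and spring-security-core on the classpath; the class name AdUserLookup, the search base, the sAMAccountName attribute and the lambda-based ContextMapper are illustrative choices, not taken from the issue. The point is that a lookup for a user who does not exist surfaces as a bad-credentials failure rather than as an unhandled IncorrectResultSizeDataAccessException that the servlet container turns into an HTTP 500.

```java
// Added example (not Spring Security's code): look up an AD user with Spring LDAP's
// LdapTemplate and map "no such user" to BadCredentialsException(UsernameNotFoundException(...)).
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class AdUserLookup {                      // illustrative class name
    private final LdapTemplate ldapTemplate;
    private final String searchBase;             // e.g. "dc=example,dc=com" (constructed value)

    public AdUserLookup(LdapTemplate ldapTemplate, String searchBase) {
        this.ldapTemplate = ldapTemplate;
        this.searchBase = searchBase;
    }

    /**
     * Returns the directory entry for exactly one user.
     * Throws BadCredentialsException (cause: UsernameNotFoundException) when no entry matches,
     * which is the shape the fixed ActiveDirectoryLdapAuthenticationProvider produces.
     */
    public DirContextOperations searchForUser(String username) {
        // EqualsFilter.encode() escapes the value, so characters such as '*', '(' and ')'
        // in a submitted username cannot alter the meaning of the search filter.
        String filter = new EqualsFilter("sAMAccountName", username).encode();
        try {
            // searchForObject demands exactly one hit; zero or several hits raise
            // IncorrectResultSizeDataAccessException, not a NamingException.
            return ldapTemplate.searchForObject(searchBase, filter,
                    ctx -> (DirContextOperations) ctx);
        } catch (IncorrectResultSizeDataAccessException e) {
            if (e.getActualSize() == 0) {
                // Unknown user: wrap as the provider does, so the caller sees a generic
                // authentication failure while the precise cause stays available for logging.
                throw new BadCredentialsException("Bad credentials",
                        new UsernameNotFoundException("User " + username + " not found in directory", e));
            }
            // More than one match is a directory-data problem rather than a login failure;
            // leave it to the caller instead of disguising it as bad credentials.
            throw e;
        }
    }
}
```

A caller such as an AuthenticationProvider handles BadCredentialsException through the normal authentication failure path (401 or a redirect to the login page), whereas an IncorrectResultSizeDataAccessException that escapes the provider is just a RuntimeException to the filter chain and ends up as the HTTP/500 reported earlier in the thread.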