SEC-2405: BadLdapGrammarException with search result from referral #2625
Comments
Patrick Wong said: I get the exact same error message. I am using Artifactory, which uses Spring LDAP, to connect to an ActiveDirectory server. It is able to authenticate users who are stored directly on that AD server. However, when it tries to authenticate users who are referred by the first AD server to a second AD server, it seems like Spring LDAP cannot handle the response and spits out the error:
I tested using an intentionally-wrong username as well as an intentionally-wrong password, and the errors in those cases are different. I also did a lot of testing with Tomcat - I set up a security realm in server.xml that uses the first AD server, set all successfully-authenticated users to be able to use the default Tomcat manager, and tested that it is able to handle referrals to the second AD server. Therefore, the problem does not seem to be with the AD servers (unless Tomcat's way of handling them is smoothing out other errors).
Virgilio Rey said: We have the same problem. We have an OpenLDAP server with a tree referred to another OpenLDAP server. Using tcpdump, I can see the search process is correct, the referral is being followed, and there is a successful response, but then we get that exception in the log, and the authentication is aborted. Here is the log:
Is there any workaround? I think this bug is important, and the priority should be higher. Thanks!
leroy nicolas said: Do you have any solution for this issue?
Mattias Hellborg Arthursson said: Terribly sorry for the long response time. The problem with referrals in Spring LDAP is discussed in LDAP-136; in all LdapTemplate methods that construct DirContextAdapter instances, this is automatically handled out of the box (if the appropriate property is set on the ContextSource to follow referrals). The problem here is that they are not using these methods in the specific subclass of LdapTemplate used in Spring Security. The name from the SearchResult is used as-is as an input to DistinguishedName. Since this string starts with ldap:// it's not a valid DistinguishedName and cannot be parsed. I'm therefore tempted to say that this is not a bug in Spring LDAP; it should be handled in Spring Security. As far as I can figure out, the simplest way to go about this would be for Spring Security to just use I think that should do the trick.
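An added example (not code from Spring LDAP, Spring Security, or anyone in this thread) that reproduces the failure mode described above with the JDK's own LdapName parser and shows one way to recover a usable DN from a referral-shaped result name. The class name ReferralNameParser, the approach of taking the URL path component as the DN, and the sample values are assumptions made for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class ReferralNameParser {

    // Resolves the name carried by a SearchResult into an LdapName.
    // A result obtained by following a referral carries a full LDAP URL
    // (ldap://host:port/dn) instead of a bare DN; handing that string to a
    // DN parser is what fails in the report above. Here the URL's path
    // component is taken as the DN (an assumption of this example);
    // a plain name is parsed as-is.
    public static LdapName resolveSearchResultName(String searchResultName)
            throws InvalidNameException {
        String candidate = searchResultName;
        if (searchResultName.startsWith("ldap://") || searchResultName.startsWith("ldaps://")) {
            try {
                URI uri = new URI(searchResultName);
                String path = uri.getPath(); // e.g. "/cn=bob,ou=people,dc=example,dc=com"
                if (path == null || path.length() <= 1) {
                    throw new InvalidNameException("Referral URL carries no DN: " + searchResultName);
                }
                candidate = path.substring(1); // drop the leading '/'
            } catch (URISyntaxException e) {
                throw new InvalidNameException("Malformed referral URL: " + searchResultName);
            }
        }
        return new LdapName(candidate);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not taken from the issue.
        String bareDn = "cn=alice,ou=people,dc=example,dc=com";
        String referred = "ldap://ad2.example.com:389/cn=bob,ou=people,dc=example,dc=com";

        System.out.println(resolveSearchResultName(bareDn));
        System.out.println(resolveSearchResultName(referred));

        // Parsing the referral URL directly reproduces the failure mode:
        // "ldap" is read as an attribute type and the ':' that follows is
        // rejected because the parser expects '='.
        try {
            new LdapName(referred);
        } catch (InvalidNameException e) {
            System.out.println("Direct parse rejected: " + e.getMessage());
        }
    }
}
```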
Mattias Hellborg Arthursson said: rwinch: As suggested in my comment, I don't think this is a bug in Spring LDAP; the problem is solved in Spring LDAP, but Spring Security is not taking advantage of this. I think this issue should be moved to the Spring Security project.
Mattias Hellborg Arthursson said: I've started working on a fix for this one, will submit pull request shortly.
Mattias Hellborg Arthursson said: Submitted pull request: #57
Rob Winch said: Thanks, this has been merged into master.
Tom Field (Migrated from SEC-2405) said:
within DirContextOperations searchForSingleEntryInternal
we have a search result where searchResult.getName() = ldap://blahblah
LdapUtils.convertCompositeNameToString() within the DistinguishedName constructor for this gives "ldap:"
then DistinguishedName blows up with this exception.