SEC-2405: BadLdapGrammarException with search result from referral #2625
Within DirContextOperations searchForSingleEntryInternal,
we have a search result where searchResult.getName() = ldap://blahblah.
LdapUtils.convertCompositeNameToString(), called within the DistinguishedName constructor, gives "ldap:" for this,
and DistinguishedName then blows up with this exception.
Patrick Wong said:
I get the exact same error message.
I am using Artifactory, which uses Spring LDAP, to connect to an Active Directory server. It is able to authenticate users who are stored directly on that AD server. However, when it tries to authenticate users who are referred by the first AD server to a second AD server, it seems like Spring LDAP cannot handle the response and spits out the error:
I tested using an intentionally-wrong username as well as an intentionally-wrong password, and the errors in those cases are different.
I also did a lot of testing with Tomcat: I set up a security realm in server.xml that uses the first AD server, allowed all successfully authenticated users to use the default Tomcat manager, and confirmed that it is able to handle referrals to the second AD server. Therefore, the problem does not seem to be with the AD servers (unless Tomcat's way of handling them is smoothing out other errors).
Virgilio Rey said:
We have the same problem.
We have an OpenLDAP server with a tree referred to another OpenLDAP server.
Using tcpdump, I can see that the search process is correct, the referral is being followed, and there is a successful response, but then we get that exception in the log, and the authentication is aborted.
Here is the log:
Is there any workaround? I think this bug is important, and its priority should be higher.
Terribly sorry for the long response time. The problem with referrals in Spring LDAP is discussed in LDAP-136; in all LdapTemplate methods that construct DirContextAdapter instances, this is automatically handled out of the box (if the appropriate property is set on the ContextSource to follow referrals). The problem here is that these methods are not used in the specific subclass of LdapTemplate used in Spring Security. The name from the SearchResult is used as-is as an input to DistinguishedName. Since this string starts with ldap:// it's not a valid DistinguishedName and cannot be parsed.
I'm therefore tempted to say that this is not a bug in Spring LDAP; it should be handled in Spring Security.
As far as I can figure out, the simplest way to go about this would be for Spring Security to just use
I think that should do the trick.
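As an added illustration (not code from this issue, Spring LDAP or Spring Security), the following Java uses only the JDK's JNDI classes to show the three shapes a JNDI SearchResult name can take (relative to the search base, absolute DN, or an LDAP URL when a referral was followed) and how a caller can turn each into a DN instead of handing the raw string to a DN parser, which is the failure reported above. The class name, the hosts and DNs in main(), and the allowed-referral-host policy are assumptions for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;

/** Added example (JDK JNDI only); not Spring LDAP or Spring Security code. */
public final class ReferralAwareName {

    /** Where an entry lives: referralUrl is null when it came from the server we searched. */
    public static final class Resolved {
        public final String referralUrl;
        public final LdapName dn;

        Resolved(String referralUrl, LdapName dn) {
            this.referralUrl = referralUrl;
            this.dn = dn;
        }
    }

    private ReferralAwareName() {}

    /**
     * @param result       entry returned by DirContext.search()
     * @param searchBase   DN the search was rooted at (needed for relative names)
     * @param allowedHosts referral targets this client is willing to contact (assumed policy)
     */
    public static Resolved resolve(SearchResult result, LdapName searchBase, Set<String> allowedHosts)
            throws InvalidNameException {
        String name = result.getName();

        // Shape 1: a followed referral. JNDI hands back an LDAP URL
        // (RFC 4516: scheme://host[:port]/DN[?attrs?scope?filter]) rather than
        // a DN, so split the URL before parsing anything as a DN.
        if (name.startsWith("ldap://") || name.startsWith("ldaps://")) {
            URI url;
            try {
                url = new URI(name);
            } catch (URISyntaxException e) {
                throw new InvalidNameException("malformed referral URL: " + name);
            }
            // Assumed policy, not from the issue: the URL names the server the
            // client will talk to next, so only accept referrals to known hosts.
            if (url.getHost() == null || !allowedHosts.contains(url.getHost())) {
                throw new InvalidNameException("referral to unexpected host: " + url.getHost());
            }
            String path = url.getPath() == null ? "" : url.getPath(); // percent-decoded, leading '/'
            String dnText = path.startsWith("/") ? path.substring(1) : path;
            String server = url.getScheme() + "://" + url.getAuthority();
            return new Resolved(server, new LdapName(dnText));
        }

        // Shape 2: relative result, name is relative to the search base.
        // Shape 3: absolute DN (isRelative() is false but the name is not a URL).
        LdapName dn = new LdapName(name);
        if (result.isRelative()) {
            LdapName full = (LdapName) searchBase.clone();
            full.addAll(dn); // LdapName stores RDNs right-to-left, so this appends the leftmost RDNs
            return new Resolved(null, full);
        }
        return new Resolved(null, dn);
    }

    public static void main(String[] args) throws Exception {
        LdapName base = new LdapName("dc=example,dc=com");
        Set<String> allowed = Set.of("ldap1.example.com", "ldap2.example.com"); // constructed sample

        // Constructed sample results in the form DirContext.search() returns them.
        SearchResult local = new SearchResult("cn=jdoe,ou=people", null, new BasicAttributes(), true);
        SearchResult referred = new SearchResult(
                "ldap://ldap2.example.com:389/cn=J%20Smith,ou=people,dc=branch,dc=example,dc=com",
                null, new BasicAttributes(), false);

        // The reported code path: treat the URL as a CompositeName and take its
        // first component, which is just the scheme, then try to parse that as a DN.
        String firstComponent = new CompositeName(referred.getName()).get(0); // "ldap:"
        try {
            new LdapName(firstComponent);
        } catch (InvalidNameException e) {
            System.out.println("parsing \"" + firstComponent + "\" as a DN fails: " + e.getMessage());
        }

        Resolved a = resolve(local, base, allowed);
        System.out.println(a.referralUrl + " -> " + a.dn);
        Resolved b = resolve(referred, base, allowed);
        System.out.println(b.referralUrl + " -> " + b.dn);
    }
}
```

The split on the URL is what lets the DN portion reach the DN parser, and the DN inside an LDAP URL is percent-encoded, so it must be decoded (here by java.net.URI) before parsing. The host allowlist is the check a practitioner would add on top: a referral tells the client which server to bind to next, so the host should be one the deployment expects before any credentials are sent to it.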