Keith Gregory (Migrated from SEC-2679) said:
When attempting to create an embedded LDAP server using the following specification:
<security:ldap-server id="embeddedLDAP" root="dc=example" />
You receive the following exception:
java.lang.StringIndexOutOfBoundsException: String index out of range: -4
at java.lang.String.substring(String.java:1937)
at org.springframework.security.ldap.server.ApacheDSContainer.start(ApacheDSContainer.java:190)
at org.springframework.security.ldap.server.ApacheDSContainer.afterPropertiesSet(ApacheDSContainer.java:130)
...
If you look at the relevant line in ApacheDSContainer, you'll see the following:
LdapDN dn = new LdapDN(root);
Assert.isTrue(root.startsWith("dc="));
String dc = root.substring(3,root.indexOf(','));
In other words, this code always assumes that the root entry will contain at least two dc elements, separated by a comma. While "real" domains will always have at least two components (eg: com.example), local directory servers may not.
I would guess that you can fix simply by looking for first occurrence of a comma or end of string, but have not tried this. The ApacheDS server does not appear to have any limitation on number of root dc components.
Keith Gregory (Migrated from SEC-2679) said:
When attempting to create an embedded LDAP server using the following specification:
You receive the following exception:
If you look at the relevant line in ApacheDSContainer, you'll see the following:
In other words, this code always assumes that the root entry will contain at least two dc elements, separated by a comma. While "real" domains will always have at least two components (eg: com.example), local directory servers may not.
I would guess that you can fix simply by looking for first occurrence of a comma or end of string, but have not tried this. The ApacheDS server does not appear to have any limitation on number of root dc components.