  1. Spring Security
  2. SEC-1915

Add customisation of search filter in ActiveDirectoryLdapAuthenticationProvider

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.2.6, 4.0.0.RC2
    • Component/s: LDAP
    • Labels:
      None

      Description

      Currently the search filter used when retrieving user details is hard coded to '(&(objectClass=user)(userPrincipalName={0}))'.

      When this hard coded filter is not consistent with the actual Active Directory instance it causes an org.springframework.dao.IncorrectResultSizeDataAccessException because the search returns with empty results after successful authentication.

      A possible solution is to modify the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider to allow a configurable search filter via bean configuration.

      Another possible solution is to make the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider extendable instead of final with protected instead of private functional methods to allow for easier customisation.

      See question
      http://stackoverflow.com/questions/9258047/spring-security-3-1-active-directory-authentication

          Activity

          daellinger David Ellinger added a comment -

          Has there been any word on this? I have a scenario where I need the functionality of the pull request. Is there anything I can do to help out on my end? Maybe merge in the pull request with the 3.2.4 version?

          panov.andy Andrey Panov added a comment -

          I also have an ActiveDirectory setup, where the domain differs from rootDn (because of migration).

          subaruwrc Ryan LaMothe added a comment -

          We have this exact same issue. Our user's login name is located at 'sAMAccountName' and NOT at 'userPrincipalName'. For whatever unknown reason, the class ActiveDirectoryLdapAuthenticationProvider is marked 'final' and cannot be extended to fix this hard-coded bug. Our only option at this point is to either use Spring's raw LDAP classes instead or copy this class's code content into a new class and fix the bug. The correct solution, as noted elsewhere, is to allow users to pass in the correct searchFilter themselves.

          Please fix this ASAP. Thanks.

          mrasinski Mateusz Rasiński added a comment -

          Submitted a pull request: https://github.com/spring-projects/spring-security/pull/157

          rwinch Rob Winch added a comment -

          Thanks for the PR! Custom search filter will be available in 3.2.6+ and 4.0.0.RC2+ which will be available later this week.

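
An added example (not code from this issue or from the Spring Security project): setting a custom filter through the provider's `setSearchFilter` setter for the `sAMAccountName` case raised in the comments. The class name, domain, URL and the `escape`/`render` helpers are hypothetical, and the `{1}` (bare username) placeholder is assumed to be documented for the release in use; `{0}` is the `username@domain` bind principal.

```java
import java.text.MessageFormat;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

public class AdSearchFilterExample {

    // Built-in filter quoted in the issue description.
    static final String DEFAULT_FILTER = "(&(objectClass=user)(userPrincipalName={0}))";

    // Custom filter for directories that key logins on sAMAccountName.
    // Assumption: {1} (bare username) is supported by the release in use.
    static final String SAM_FILTER = "(&(objectClass=user)(sAMAccountName={1}))";

    // Domain and URL are constructed placeholders, not values from the issue.
    static ActiveDirectoryLdapAuthenticationProvider provider() {
        ActiveDirectoryLdapAuthenticationProvider p =
            new ActiveDirectoryLdapAuthenticationProvider("corp.example.com", "ldaps://dc1.corp.example.com:636/");
        // Keep the objectClass clause and match on an attribute that identifies one
        // user: an empty result is what produces the exception described in the issue.
        p.setSearchFilter(SAM_FILTER);
        return p;
    }

    // RFC 4515 escaping for a value substituted into a filter.
    static String escape(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Hypothetical helper (not Spring's code): shows what each placeholder becomes.
    static String render(String filter, String username, String domain) {
        return MessageFormat.format(filter, escape(username + "@" + domain), escape(username));
    }

    public static void main(String[] args) {
        // "jdoe" is a constructed sample login.
        System.out.println(render(DEFAULT_FILTER, "jdoe", "corp.example.com"));
        System.out.println(render(SAM_FILTER, "jdoe", "corp.example.com"));
    }
}
```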

            People

            • Assignee: rwinch Rob Winch
            • Reporter: tseliso molukanele Tseliso Molukanele
            • Votes: 8
            • Watchers: 11
