Spring Security / SEC-1915

Add customisation of search filter in ActiveDirectoryLdapAuthenticationProvider

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.2.6, 4.0.0.RC2
    • Component/s: LDAP
    • Labels:
      None

      Description

      Currently the search filter used when retrieving user details is hard coded to '(&(objectClass=user)(userPrincipalName={0}))'.

      When this hard coded filter is not consistent with the actual Active Directory instance it causes an org.springframework.dao.IncorrectResultSizeDataAccessException because the search returns with empty results after successful authentication.

      A possible solution is to modify the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider to allow a configurable search filter via bean configuration.

      Another possible solution is to make the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider extendable instead of final with protected instead of private functional methods to allow for easier customisation.

      See question
      http://stackoverflow.com/questions/9258047/spring-security-3-1-active-directory-authentication

        Activity

        David Ellinger added a comment -

        Has there been any word on this? I have a scenario where I need the functionality of the pull request. Is there anything I can do to help out on my end? Maybe merge in the pull request with the 3.2.4 version?

        Andrey Panov added a comment -

        I also have an ActiveDirectory setup where the domain differs from rootDn (because of migration).

        Ryan LaMothe added a comment -

        We have this exact same issue. Our user's login name is located at 'sAMAccountName' and NOT at 'userPrincipalName'. For whatever unknown reason, the class ActiveDirectoryLdapAuthenticationProvider is marked 'final' and cannot be extended to fix this hard-coded bug. Our only option at this point is to either use Spring's raw LDAP classes instead or copy this class's code content into a new class and fix the bug. The correct solution, as noted elsewhere, is to allow users to pass in the correct searchFilter themselves.

        Please fix this ASAP. Thanks.

        Mateusz Rasiński added a comment -

        Submitted a pull request: https://github.com/spring-projects/spring-security/pull/157

        Rob Winch added a comment -

        Thanks for the PR! Custom search filter will be available in 3.2.6+ and 4.0.0.RC2+ which will be available later this week.
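
Configuring the custom search filter in a release that carries this fix, as an added example that is not part of the original issue or of the Spring Security code base. The domain, the URL, the `objectCategory=person` filter and the `requireUsableFilter` helper are assumptions for illustration; `setSearchFilter` is the provider's setter for the filter.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
public class AdAuthConfig {

    // Constructed sample values (assumptions): replace with your own domain and URL.
    static final String DOMAIN = "corp.example.com";
    static final String URL = "ldaps://dc1.corp.example.com:636/";

    // The filter this issue describes as hard coded, kept here for comparison.
    static final String DEFAULT_FILTER = "(&(objectClass=user)(userPrincipalName={0}))";

    // Hypothetical replacement: same principal match, limited to person objects.
    static final String CUSTOM_FILTER =
            "(&(objectCategory=person)(objectClass=user)(userPrincipalName={0}))";

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider adProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(DOMAIN, URL);
        provider.setSearchFilter(requireUsableFilter(CUSTOM_FILTER));
        return provider;
    }

    // Hypothetical helper: reject a filter that can never select the authenticated
    // user, so a typo fails at startup instead of as an empty search at login.
    static String requireUsableFilter(String filter) {
        if (filter == null || !filter.contains("{0}")) {
            throw new IllegalArgumentException("search filter must contain the {0} placeholder");
        }
        int depth = 0;
        for (char c : filter.toCharArray()) {
            if (c == '(') depth++;
            if (c == ')' && --depth < 0) break;   // closing parenthesis with no opener
        }
        if (depth != 0 || !filter.startsWith("(") || !filter.endsWith(")")) {
            throw new IllegalArgumentException("search filter has unbalanced parentheses: " + filter);
        }
        return filter;
    }
}
```

Keeping the `{0}` placeholder in the configured filter, rather than concatenating the login name into the string, leaves value substitution to the provider.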


          People

          • Assignee:
            Rob Winch
          • Reporter:
            Tseliso Molukanele
          • Votes:
            8
          • Watchers:
            11
