SEC-1915: Add cutomisation of search filter in ActiveDirectoryLdapAuthenticationProvider

[spring-projects-issues]

Tseliso Molukanele (Migrated from SEC-1915) said:

Currently the search filter used when retrieving user details is hard coded to '(&(objectClass=user)(userPrincipalName={0}))'.

When this hard coded filter is not consistent with the actual active directory instance it causes a org.springframework.dao.IncorrectResultSizeDataAccessException because the search returns with empty results after successful authentication.

A possible solution is to modify the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider to allow a configurable search filter via bean configuration.

Another possible solution is to make the class org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider extendable instead of final with protected instead of private functional methods to allow for easier customisation.

See question
http://stackoverflow.com/questions/9258047/spring-security-3-1-active-directory-authentication

[spring-projects-issues]

Tseliso Molukanele said:

This is a patch solving this problem according to the first suggestion in the issue description.

The patch adds new properties to enable configuration of user searching to make it more dynamic and capable.

[spring-projects-issues]

Cuong Q. Tran said:

I'd suggest to pass both the dn and username as arguments to the search filter ({0} and {1}).

[spring-projects-issues]

Andrejs said:

Submitted as pull request #18

[spring-projects-issues]

Lefebvre said:

When do you plan to release this patch ?

[spring-projects-issues]

Andrejs said:

@lefebvre The patch is submitted as a pull request but hasn't been merged in yet.

[spring-projects-issues]

David Ellinger said:

Has there been any word on this? I have a scenario where I need the functionality of the pull request. Is there anything I can do to help out on my end? Maybe merge in the pull request with the 3.2.4 version?

[spring-projects-issues]

Andrey Panov said:

I'm also have ActiveDirectory setup, where domain differ from rootDn (because of migration).

[spring-projects-issues]

Ryan LaMothe said:

We have this exact same issue. Our user's login name is located at 'sAMAccountName' and NOT at 'userPrincipalName'. For whatever unknown reason, the class ActiveDirectoryLdapAuthenticationProvider is marked 'final' and cannot be extended to fix this hard-coded bug. Our only option at this point is to either use Spring's raw LDAP classes instead or copy this class's code content into a new class and fix the bug. The correct solution, as noted elsewhere, is to allow users to pass in the correct searchFilter themselves.

Please fix this ASAP. Thanks.

[spring-projects-issues]

Mateusz Rasiński said:

Submitted a pull request: #157

[spring-projects-issues]

Rob Winch said:

Thanks for the PR! Custom search filter will be available in 3.2.6+ and 4.0.0.RC2+ which I will be available later this week.