Open
Description
Michael Fazio (Migrated from SEC-2141) said:
It is possible that ActiveDirectoryLdapAuthenticationProvider will fail to authenticate valid users when a domain address is used for the Active Directory host URL (e.g. ldap://corp.domain.com rather than ldap://adserver1.corp.domain.com).
This seems to be caused by the DNS lookup not specifying that Active Directory SRV DNS records should be used. Hence, an incorrect server can often be contacted for the target domain.
It would seem that someone has already flagged this issue in code around line 166:
private DirContext bindAsUser(String username, String password) {
// TODO. add DNS lookup based on domain
final String bindUrl = url;
...
I believe that the solution is to correctly specify the SRV directory context attribute so that LDAP service DNS lookup is performed, similar to:
Attributes attributes = ctx.getAttributes("_ldap._tcp." + domain, new String[] { "SRV" })
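The lookup described in the report, written out as an added example (this is not Spring Security's code and not the reporter's): it queries the `_ldap._tcp.<domain>` SRV records through the JDK's built-in JNDI DNS provider, parses the "priority weight port target" values the provider returns, orders them as RFC 2782 requires (lowest priority first, heavier weight first within a priority), and turns each one into a concrete bind URL. The domain name and host names are the issue's own examples; the sample answers in main() are constructed so the parsing and ordering run without a network. SRV answers are unauthenticated DNS data, so a resolver like this should still be paired with ldaps and certificate verification of the host it ends up binding to.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added example, not part of Spring Security: resolve the LDAP servers that
// serve an Active Directory domain from its _ldap._tcp SRV records.
public class LdapSrvResolver {

    /** One parsed SRV record, i.e. one "priority weight port target." answer. */
    public static final class SrvRecord {
        public final int priority;
        public final int weight;
        public final int port;
        public final String target;

        SrvRecord(int priority, int weight, int port, String target) {
            this.priority = priority;
            this.weight = weight;
            this.port = port;
            this.target = target;
        }

        /** Bind URL for this server, e.g. ldap://adserver1.corp.domain.com:389 */
        public String toLdapUrl() {
            return "ldap://" + target + ":" + port;
        }
    }

    /** Parse the textual SRV value JNDI returns, e.g. "0 100 389 adserver1.corp.domain.com." */
    public static SrvRecord parse(String value) {
        String[] f = value.trim().split("\\s+");
        if (f.length != 4) {
            throw new IllegalArgumentException("malformed SRV record: " + value);
        }
        // Strip the trailing dot of the fully qualified target name.
        String target = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
        return new SrvRecord(Integer.parseInt(f[0]), Integer.parseInt(f[1]),
                             Integer.parseInt(f[2]), target);
    }

    /** RFC 2782 ordering: lowest priority first, higher weight first within a priority. */
    public static List<SrvRecord> order(List<SrvRecord> records) {
        List<SrvRecord> sorted = new ArrayList<>(records);
        sorted.sort(Comparator.comparingInt((SrvRecord r) -> r.priority)
                              .thenComparingInt(r -> -r.weight));
        return sorted;
    }

    /** Live lookup of _ldap._tcp.<domain> through the JDK's JNDI DNS provider. */
    public static List<SrvRecord> lookup(String domain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:"); // use the system resolver
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attrs = ctx.getAttributes("_ldap._tcp." + domain, new String[] { "SRV" });
            Attribute srv = attrs.get("SRV");
            List<SrvRecord> out = new ArrayList<>();
            if (srv != null) {
                NamingEnumeration<?> values = srv.getAll();
                while (values.hasMore()) {
                    out.add(parse(values.next().toString()));
                }
            }
            return order(out);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample answers in the format JNDI returns; no network needed.
        List<SrvRecord> sample = new ArrayList<>();
        sample.add(parse("10 50 389 adserver2.corp.domain.com."));
        sample.add(parse("0 100 389 adserver1.corp.domain.com."));
        sample.add(parse("0 200 389 adserver3.corp.domain.com."));
        for (SrvRecord r : order(sample)) {
            System.out.println(r.toLdapUrl());
        }
        // With a domain on the command line, perform the real SRV lookup as well.
        if (args.length == 1) {
            for (SrvRecord r : lookup(args[0])) {
                System.out.println(r.toLdapUrl());
            }
        }
    }
}
```

With the constructed sample the ordering yields adserver3, then adserver1, then adserver2, which is the order a bind routine would try them in; a provider fixing the TODO in bindAsUser would iterate that list instead of binding to whatever the bare domain name happens to resolve to.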