SEC-2141: ActiveDirectoryLdapAuthenticationProvider Should Perform Active Directory SRV Record Lookup when Performing DNS Resolution of Address #2367
Labels
in: ldap
An issue in spring-security-ldap
type: enhancement
A general enhancement
type: jira
An issue that was migrated from JIRA
Michael Fazio (Migrated from SEC-2141) said:
It is possible that ActiveDirectoryLdapAuthenticationProvider will fail to authenticate valid users when a domain address is used for the Active Directory host URL (e.g. ldap://corp.domain.com rather than ldap://adserver1.corp.domain.com). This seems to be because the DNS lookup does not specify that Active Directory SRV DNS records should be used. Hence, an incorrect server can often be contacted for the target domain.
It would seem that someone has already flagged this issue in code around line 166:
I believe that the solution is to correctly specify the SRV directory context attribute so that LDAP service DNS lookup is performed, similar to:
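The resolution the report asks for, shown as an added example rather than Spring Security's own code: a JNDI DNS lookup of the Active Directory SRV name for LDAP-capable domain controllers (`_ldap._tcp.dc._msdcs.<domain>`), followed by RFC 2782-style ordering of the answers into a list of ldap:// URLs. The class, method and field names are the example's own; the textual record format ("priority weight port target.") is the one the JDK's `com.sun.jndi.dns` provider returns for SRV attributes. The sample answer in `main` is constructed so the ordering logic can be exercised without DNS access; pass a domain name on the command line to perform a live lookup.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Added illustration of SRV-based AD endpoint resolution; not Spring Security code. */
public final class AdSrvResolver {

    /** One DNS SRV record: "priority weight port target" (RFC 2782). */
    static final class SrvRecord {
        final int priority;
        final int weight;
        final int port;
        final String target;

        SrvRecord(int priority, int weight, int port, String target) {
            this.priority = priority;
            this.weight = weight;
            this.port = port;
            this.target = target;
        }

        /** Parse the textual form the JNDI DNS provider returns, e.g. "0 100 389 dc1.corp.domain.com." */
        static SrvRecord parse(String rdata) {
            String[] f = rdata.trim().split("\\s+");
            if (f.length != 4) {
                throw new IllegalArgumentException("Malformed SRV record: " + rdata);
            }
            // Strip the trailing dot of the fully qualified target name.
            String host = f[3].endsWith(".") ? f[3].substring(0, f[3].length() - 1) : f[3];
            return new SrvRecord(Integer.parseInt(f[0]), Integer.parseInt(f[1]),
                    Integer.parseInt(f[2]), host);
        }

        String toLdapUrl() {
            return "ldap://" + target + ":" + port;
        }
    }

    /** SRV owner name Active Directory registers for domain controllers offering LDAP. */
    static String srvName(String domain) {
        return "_ldap._tcp.dc._msdcs." + domain;
    }

    /** Query the system resolver through JNDI for the SRV records; needs network access. */
    static List<String> lookupSrv(String domain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:"); // use the JVM's configured DNS servers
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attrs = ctx.getAttributes(srvName(domain), new String[] { "SRV" });
            Attribute srv = attrs.get("SRV");
            List<String> out = new ArrayList<>();
            if (srv != null) {
                NamingEnumeration<?> e = srv.getAll();
                while (e.hasMore()) {
                    out.add(String.valueOf(e.next()));
                }
            }
            return out;
        } finally {
            ctx.close();
        }
    }

    /**
     * Order answers as a client should try them: lowest priority first, then highest weight.
     * RFC 2782 asks for a weighted random choice within one priority; this deterministic
     * ordering is a simplification so the result is reproducible.
     */
    static List<String> orderedLdapUrls(List<String> rdata) {
        List<SrvRecord> records = new ArrayList<>();
        for (String r : rdata) {
            records.add(SrvRecord.parse(r));
        }
        records.sort(Comparator.comparingInt((SrvRecord r) -> r.priority)
                .thenComparing(Comparator.comparingInt((SrvRecord r) -> r.weight).reversed()));
        List<String> urls = new ArrayList<>();
        for (SrvRecord r : records) {
            urls.add(r.toLdapUrl());
        }
        return urls;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample answer in the provider's textual form; no DNS traffic needed.
        List<String> sample = List.of(
                "10 50 389 dc-backup.corp.domain.com.",
                "0 100 389 adserver1.corp.domain.com.",
                "0 200 389 adserver2.corp.domain.com.");
        System.out.println(orderedLdapUrls(sample));

        if (args.length == 1) {
            System.out.println(orderedLdapUrls(lookupSrv(args[0])));
        }
    }
}
```

Two caveats apply when wiring this into a provider. The SRV answer is plain, unauthenticated DNS, so it only tells the client where a domain controller claims to be; the connection itself should still be made over LDAPS or StartTLS with the returned target name checked against the server certificate. And the returned hosts should be tried in order with failover, since the point of resolving SRV rather than a bare A record is to skip domain controllers that are not offering LDAP at all.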