Michael Fazio (Migrated from SEC-2141) said:
It is possible that ActiveDirectoryLdapAuthenticationProvider will fail to authenticate valid users when a domain address is used for the Active Directory host URL (e.g. ldap://corp.domain.com rather than ldap://adserver1.corp.domain.com).
This seems to happen because the DNS lookup does not request the Active Directory SRV DNS records. Hence, an incorrect server can often be contacted for the target domain.
It would seem that someone has already flagged this issue in code around line 166:
private DirContext bindAsUser(String username, String password) {
// TODO. add DNS lookup based on domain
final String bindUrl = url;
...
I believe that the solution is to correctly specify the SRV directory context attribute so that LDAP service DNS lookup is performed, similar to:
Attributes attributes = ctx.getAttributes("_ldap._tcp." + domain, new String[] { "SRV" })
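The SRV-based lookup suggested above, written out as an added example (this is not code from the Spring Security project or from the reporter's post). It uses the JDK's JNDI DNS provider (com.sun.jndi.dns.DnsContextFactory) to query the SRV record for "_ldap._tcp." + domain, parses the "priority weight port target" values, orders them by priority (lowest first) and weight (highest first), and builds candidate bind URLs from them. The class and method names (LdapSrvLocator, SrvRecord, parseSrvValues, lookup, bindUrlsFor) and the sample SRV values in main are my own assumptions for illustration; the weight handling is a simplified deterministic ordering rather than the weighted random selection RFC 2782 describes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Locates LDAP servers for a domain via its _ldap._tcp.<domain> SRV records (hypothetical helper). */
public final class LdapSrvLocator {

    /** One SRV record as returned by DNS: "priority weight port target". */
    public static final class SrvRecord {
        public final int priority;
        public final int weight;
        public final int port;
        public final String target;

        SrvRecord(int priority, int weight, int port, String target) {
            this.priority = priority;
            this.weight = weight;
            this.port = port;
            this.target = target;
        }
    }

    /** Parses raw SRV rdata strings; malformed values are skipped rather than aborting the lookup. */
    public static List<SrvRecord> parseSrvValues(Iterable<String> rdata) {
        List<SrvRecord> records = new ArrayList<>();
        for (String value : rdata) {
            String[] parts = value.trim().split("\\s+");
            if (parts.length != 4) {
                continue;
            }
            try {
                String target = parts[3].endsWith(".") ? parts[3].substring(0, parts[3].length() - 1) : parts[3];
                records.add(new SrvRecord(Integer.parseInt(parts[0]), Integer.parseInt(parts[1]),
                        Integer.parseInt(parts[2]), target));
            } catch (NumberFormatException ignored) {
                // skip malformed record
            }
        }
        // Lowest priority first; within a priority, highest weight first (simplified, not RFC 2782 random selection).
        records.sort(Comparator.comparingInt((SrvRecord r) -> r.priority).thenComparing(r -> -r.weight));
        return records;
    }

    /** Queries DNS for the SRV records of the LDAP service in the given domain. */
    public static List<SrvRecord> lookup(String domain) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.dns.DnsContextFactory");
        env.put(Context.PROVIDER_URL, "dns:"); // use the platform resolver
        DirContext ctx = new InitialDirContext(env);
        try {
            Attributes attributes = ctx.getAttributes("_ldap._tcp." + domain, new String[] { "SRV" });
            Attribute srv = attributes.get("SRV");
            List<String> values = new ArrayList<>();
            if (srv != null) {
                NamingEnumeration<?> all = srv.getAll();
                while (all.hasMore()) {
                    values.add(all.next().toString());
                }
            }
            List<SrvRecord> records = parseSrvValues(values);
            if (records.isEmpty()) {
                throw new NamingException("No usable SRV records for _ldap._tcp." + domain);
            }
            return records;
        } finally {
            ctx.close();
        }
    }

    /** Builds bind URLs in preference order from the resolved records. */
    public static List<String> bindUrlsFor(List<SrvRecord> records, boolean useLdaps) {
        List<String> urls = new ArrayList<>();
        for (SrvRecord r : records) {
            urls.add((useLdaps ? "ldaps://" : "ldap://") + r.target + ":" + r.port);
        }
        return urls;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample values, as DNS would return them for a two-DC domain (not real records).
        List<SrvRecord> sample = parseSrvValues(Arrays.asList(
                "10 50 389 adserver2.corp.domain.com.",
                "0 100 389 adserver1.corp.domain.com."));
        System.out.println("sample order: " + bindUrlsFor(sample, false));
        if (args.length == 1) {
            System.out.println("live lookup: " + bindUrlsFor(lookup(args[0]), false));
        }
    }
}
```

Two caveats a practitioner would want here: a plain SRV answer is unauthenticated, so whichever host the resolver hands back should be bound to over LDAPS or StartTLS with certificate validation rather than trusted because DNS named it; and for Active Directory specifically, the _ldap._tcp.dc._msdcs.<domain> record set returns only domain controllers, whereas _ldap._tcp.<domain> can include other LDAP servers registered for the domain.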