spring-security: SEC-2224: ActiveDirectoryLdapAuthenticationProvider throws BadCredentialsException if userPrincipalName not equal to sAMAccountName + @domain
Michael Solano (Migrated from SEC-2224) said:
When using the sAMAccountName for authentication via ActiveDirectoryLdapAuthenticationProvider, a BadCredentialsException will be thrown if the userPrincipalName is not the sAMAccountName with @domain post-fixed.
For example, if the sAMAccountName is “bwayne” but the userPrincipalName is “bruce.wayne@batcave.net”, authentication will fail. The createBindPrincipal method assumes the userPrincipalName will be “bwayne@batcave.net” and not “bruce.wayne@batcave.net”.
The code below shows the details of that method:
```java
// From ActiveDirectoryLdapAuthenticationProvider, as quoted in the issue:
// if the login name already ends with the configured domain it is used as-is,
// otherwise "@" + domain is appended to form the bind principal.
String createBindPrincipal(String username) {
    if (domain == null || username.toLowerCase().endsWith(domain)) {
        return username;
    }
    return username + "@" + domain;
}
```
About this issue
- State: closed
- Created 11 years ago
- Comments: 19 (3 by maintainers)
Commits related to this issue
- SEC-2897: ActiveDirectoryLdapAuthenticationProvider uses bindPrincipal — committed to spring-projects/spring-security by deleted user 9 years ago
- Pass username as second parameter for search filter. Allows the username only (without domain) to be used in custom search filter like "sAMAccountName={1}", in eg. situations where the userPrincipalN... — committed to taasjord/spring-security by taasjord 7 years ago
- Pass username as second parameter for search filter. Allows the username only (without domain) to be used in custom search filter like "sAMAccountName={1}", in eg. situations where the userPrincipalN... — committed to thomasdarimont/spring-security by taasjord 7 years ago
- Pass username as second parameter for search filter. Allows the username only (without domain) to be used in custom search filter like "sAMAccountName={1}", in eg. situations where the userPrincipalN... — committed to spring-projects/spring-security by taasjord 7 years ago
Would you please integrate/cherry-pick the fix into the 4.2.x branch? Thanks in advance.
N.B. Currently I cannot switch to Spring Boot 2.x (which would solve the issue) due to a third-party lib limitation.
@shafsongithub, did you set the search filter to use it? E.g.:
```java
provider.setSearchFilter("sAMAccountName={1}");
```

I just want to note that I did try to use rootDN and blank domain, but that doesn’t work for me, because the domain is needed in bindAsUser (but cannot be in searchForUser).
The proposed change to add the necessary flexibility is very small and I don’t see what harm it could make.
This is still an issue. In my case the userPrincipalName has a different suffix than domain, i.e. while bindPrincipal is “bwayne@batcave.net”, the userPrincipalName is “bwayne@gotham.com” and sAMAccountName is “bwayne”.
So I need to pass username to match sAMAccountName instead. My solution was just to copy the entire source of ActiveDirectoryLdapAuthenticationProvider (along with a package private exception) and change bindPrincipal to username.
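A configuration that applies the workaround discussed above (search by sAMAccountName through the {1} placeholder while still binding as username@domain), added here as an illustration and not code from the issue or from Spring Security itself; the domain, LDAP URL and the AdSecurityConfig class name are assumed values, and the {1} placeholder needs a release that contains the "Pass username as second parameter for search filter" change listed in the commits. It targets the WebSecurityConfigurerAdapter style used in the 4.2.x / Spring Boot 1.x era the requester mentions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AdSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values for this example: the AD domain and the LDAP URL of a domain controller.
    private static final String AD_DOMAIN = "batcave.net";
    private static final String AD_URL = "ldap://dc.batcave.net:389";

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider adProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL);

        // The bind is unchanged: createBindPrincipal() turns a login of "bwayne" into
        // "bwayne@batcave.net", and as reported in the thread that bind succeeds even
        // when the account's userPrincipalName is "bruce.wayne@batcave.net" or
        // "bwayne@gotham.com".
        //
        // The default search filter, (&(objectClass=user)(userPrincipalName={0})),
        // substitutes the bind principal for {0}, so the lookup after the bind finds
        // no entry for such accounts and authentication fails with
        // BadCredentialsException. {1} is the raw login name without the domain,
        // so matching it against sAMAccountName removes the dependency on the UPN.
        provider.setSearchFilter("(&(objectClass=user)(sAMAccountName={1}))");

        // Keep AD sub-error mapping so that, for example, an expired password is
        // surfaced as CredentialsExpiredException instead of a generic failure.
        provider.setConvertSubErrorCodesToExceptions(true);
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(adProvider());
    }
}
```

If the search base must be restricted, the optional third constructor argument (rootDn) narrows the subtree searched, but the domain argument should stay set because bindAsUser still needs it.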