Spring Security 4.0.0 + ActiveDirectoryLdapAuthenticationProvider + BadCredentialsException PartialResultException

温柔的废话 2020-12-31 07:01

I have read almost everything about Spring/Security/Ldap and ActiveDirectory on stackoverflow. Even if I found useful tips and hints, I wasn't able to solve my problem.

3 answers
  •  春和景丽
    2020-12-31 07:27

    I was not able to solve this problem using Context.REFERRAL = "follow"; in fact the problem lies in the code of the method searchForUser() of the class ActiveDirectoryLdapAuthenticationProvider. In this method, the method SpringSecurityLdapTemplate.searchForSingleEntryInternal() is called with the bindPrincipal, which is in fact the userPrincipalName composed from the first argument passed to the constructor and the username. So, even if you set your search filter to anything other than userPrincipalName, it will be passed a userPrincipalName as argument 0. Hence, a filter with sAMAccountName will not work with a UPN and will throw an exception.

    Either searchForUser() should be modified or augmented to detect that the searchFilter needs a username and not a UPN, or extra setters should be provided to set the arguments using patterns for the searchFilter.

    But there is no way to make this class work correctly in such a situation without modifying the code. That's what I finally did. I wrote my own class, basically a carbon copy of the original ActiveDirectoryLdapAuthenticationProvider, with one single and simple modification to searchForUser(): passing the username instead of the bindPrincipal to searchForSingleEntryInternal().

    It is a bit of a nonsense that you can enter whatever search filter you want but are forced to use only a single argument, which is actually the userPrincipalName and nothing else.
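As an added illustration of the one-line change described in the answer above (this is neither the answerer's code nor Spring Security's own source): the searchForUser() method of a hand-copied ActiveDirectoryLdapAuthenticationProvider, with the filter argument switched from the UPN to the bare username. The class name, and the fields domain, rootDn and searchFilter together with the helper searchRootFromPrincipal(), are assumed to come from the copied class unchanged.

```java
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.ldap.SpringSecurityLdapTemplate;

// Fragment of a copied ActiveDirectoryLdapAuthenticationProvider (the original is final and its
// fields private, so copying is the only way in). Constructor, authenticate() and
// searchRootFromPrincipal() are assumed to be the copy's own, unchanged from the original.
public final class SamAccountNameAdAuthenticationProvider {
    private final String domain;   // e.g. "corp.example.com", lower-cased, or null
    private final String rootDn;   // explicit search base, or null to derive it from the UPN
    private String searchFilter = "(&(objectClass=user)(sAMAccountName={0}))";

    // The UPN is still needed: it is what the DirContext binds with and, when rootDn
    // is null, what the search base is derived from. Unchanged from the original.
    private String createBindPrincipal(String username) {
        if (domain == null || username.toLowerCase().endsWith(domain)) {
            return username;
        }
        return username + "@" + domain;
    }

    private DirContextOperations searchForUser(DirContext context, String username)
            throws NamingException {
        SearchControls searchControls = new SearchControls();
        searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        String bindPrincipal = createBindPrincipal(username);
        String searchRoot = rootDn != null ? rootDn : searchRootFromPrincipal(bindPrincipal);
        try {
            // Original: new Object[] { bindPrincipal }, which turns the filter above into
            // (sAMAccountName=jdoe@corp.example.com) and matches nothing. username is still
            // passed as a filter *argument*, so the LDAP provider escapes its special chars
            // rather than the value being concatenated into the filter string.
            return SpringSecurityLdapTemplate.searchForSingleEntryInternal(context,
                    searchControls, searchRoot, searchFilter, new Object[] { username });
        }
        catch (IncorrectResultSizeDataAccessException incorrectResults) {
            if (incorrectResults.getActualSize() != 0) {
                throw incorrectResults; // several matches: the filter is wrong, do not guess
            }
            throw new BadCredentialsException("Bad credentials", new UsernameNotFoundException(
                    "User " + username + " not found in directory.", incorrectResults));
        }
    }
}
```

Everything else in the copied class (bind, search-root derivation from the UPN domain, authority mapping) stays exactly as in the original, so the only behavioural difference is which value fills {0} in the configured filter.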
