
Thread: How to retrieve (user) attributes from LDAP?

  1. #1
    Join Date
    Aug 2007
    Posts
    5

    How to retrieve (user) attributes from LDAP?

    I am authenticating against LDAP, this works fine, but I have some specific user attributes which I want to retrieve. (e.g. userMustChangePassword)
    In order to retrieve these I have an application listener listening for AuthenticationSuccessEvents. Once triggered I use something like ((AuthenticationSuccessEvent)event).getAuthentication().getPrincipal().getAttributes()
    However, the attributes are always empty ("No attributes").
    According to Javadoc if the field "userAttributes" in AbstractLdapAuthenticator is null, all attributes are retrieved. But this seems to work in a way I do not understand since it is null in my case but still no attributes are returned. If I set it to a specific attribute, still no attributes...

    How do I retrieve the attributes from LDAP so that I can use them in my application?


    Code:
    <bean id="ldapAuthProvider" 
              class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
            <constructor-arg>
                <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                    <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
                    <property name="userDnPatterns"><list><value>${userDnPatterns}</value></list></property>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                    <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg>
                    <constructor-arg><value>${groupSearchBase}</value></constructor-arg>
                    <property name="groupRoleAttribute"><value>${groupRoleAttribute}</value></property>
                    <property name="searchSubtree"><value>false</value></property>
                    <property name="rolePrefix"><value>ROLE_</value></property>
                    <property name="convertToUpperCase"><value>true</value></property>
                    <property name="defaultRole"><value>ROLE_ANONYMOUS</value></property>
                    <property name="groupSearchFilter"><value>${groupSearchFilter}</value></property>
                </bean>
            </constructor-arg>
        </bean>
    Last edited by harro; Aug 16th, 2007 at 05:21 AM. Reason: added applicationContext

  2. #2
    Luke Taylor (Senior Member; Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Have you tried writing a simple LDAP client which attempts to retrieve the attributes you want (i.e. without using Acegi)? That would be a good starting point.

  3. #3
    Join Date
    Aug 2007
    Posts
    5


    That would be a possibility. But I was under the impression that Acegi could do that for me at login.
    The LdapUserDetailsImpl I retrieve after logon has a method getAttributes which always is empty. Does this mean I have to write my own LdapUserDetailsMapper and inject it in the BindAuthenticator used by the LdapAuthenticationProvider?

    After some digging and debugging I noticed that LdapTemplate makes a call to javax.naming.directory.DirContext.mapAttributes:
    Code:
    Attributes javax.naming.directory.DirContext.getAttributes(String name, String[] attrIds) throws NamingException
    
    Retrieves selected attributes associated with a named object. See getAttributes(Name, String[]) for details.
    
    Parameters:
        name The name of the object from which to retrieve attributes
        attrIds the identifiers of the attributes to retrieve. null indicates that all attributes should be retrieved; an empty array indicates that none should be retrieved.
    Returns:
        the requested attributes; never null
    Throws:
        NamingException if a naming exception is encountered
    Debugging this code makes clear that although attrIds is null, which should retrieve all attributes, no attributes are returned. So I guess it is not Acegi's fault...

    B.t.w. filling the attrIds with the attributes to retrieve doesn't do anything either...
    I do not understand what is going on...

  4. #4
    Luke Taylor (Senior Member; Acegi Security System Team, Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    That's why I suggested writing a simple client - to isolate any dependency on Acegi. Alternatively try using something like JXPlorer or another Java LDAP client and try binding as the same user and reading the entry. It is probably due to the permissions in your directory.
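
A minimal stand-alone client of the kind suggested in this thread, added here as an illustration and not code posted by any participant: it binds with plain JNDI as a given DN and lists which attributes that identity can read on an entry. The class name LdapAttributeProbe, the argument order and the example URL are assumptions.

```java
import java.io.Console;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Hypothetical probe: bind as one identity and read one entry, without Acegi. */
public class LdapAttributeProbe {

    public static void main(String[] args) throws NamingException {
        Console console = System.console();
        if (args.length < 3 || console == null) {
            System.err.println("usage (from a terminal): LdapAttributeProbe <ldap-url> <bind-dn> <entry-dn> [attr ...]");
            System.exit(2);
        }
        // Prompt for the password so it does not end up in shell history or the process list.
        char[] password = console.readPassword("Password for %s: ", args[1]);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);             // e.g. ldap://ldap.example.org:389 (placeholder, no base DN)
        env.put(Context.SECURITY_AUTHENTICATION, "simple"); // simple bind with DN and password
        env.put(Context.SECURITY_PRINCIPAL, args[1]);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));

        // null asks for all attributes; otherwise only the names given on the command line.
        String[] attrIds = args.length > 3 ? Arrays.copyOfRange(args, 3, args.length) : null;

        DirContext ctx = new InitialDirContext(env);        // a failed bind throws AuthenticationException
        try {
            Attributes attrs = ctx.getAttributes(args[2], attrIds);
            System.out.println("bound as " + args[1] + ": " + attrs.size() + " attribute(s) visible on " + args[2]);
            NamingEnumeration<? extends Attribute> all = attrs.getAll();
            while (all.hasMore()) {
                Attribute a = all.next();
                // Names and value counts only, so password hashes never reach the console.
                System.out.println("  " + a.getID() + " (" + a.size() + " value(s))");
            }
        } finally {
            ctx.close();
            Arrays.fill(password, '\0');
        }
    }
}
```

Run it once with the affected user's DN as both bind DN and entry DN, then again binding as an account known to be able to read that entry. If the second run lists attributes the first does not, the difference comes from the directory's access control rather than from Acegi.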
