Jun 17th, 2009, 10:20 AM
LdapUserDetailsManager always updates password attribute
I'm using the method LdapUserDetailsManager.updateUser(UserDetails) and I've noticed that the call to the method ctx.getModificationItems() always contains the password attribute. The reason for this is that the Spring DirectoryContextAdapter is comparing the original password, which is a byte array, with the current password, which is a String. Therefore the result of the comparison means the password always gets updated.
Looking further, I can see in Person:Essence(DirectoryContextOperations) that the password is converted from a byte array to a String. However, I can't see where the reverse happens, which I think is the cause of the problem. The reason this causes me a difficulty is that my LDAP server (OID) has a password policy set to reject the password if it has been used in the last 15 passwords.
Could someone please confirm if my analysis is correct and if there are any workarounds or fixes for this? I'm currently using version 2.0.4 of Spring Security.
Many thanks in advance for your help.
Jun 23rd, 2009, 04:31 AM
re: LdapUserDetailsManager always updates password attribute
I think the answer to the question lies in the method org.springframework.security.userdetails.ldap.Person(DirContextAdapter). Here it can be seen that if the password is null then it will not be added to the directory context and therefore will not be updated. My fix is to first of all check and update the password if necessary, then set the password to null on the UserDetails instance before persisting it using the LdapUserDetailsManager.
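The workaround described above, written out as an added example (not code from the forum post or from Spring Security itself). It assumes Spring Security 2.0.x with the default PersonContextMapper in use, so that loadUserByUsername returns a Person, and that Person.Essence offers the copy constructor and setters shown; LdapProfileUpdater is a hypothetical helper class.

```java
import org.springframework.security.userdetails.ldap.LdapUserDetailsManager;
import org.springframework.security.userdetails.ldap.Person;

// Hypothetical helper: persists profile changes for an LDAP user without re-sending the
// userPassword attribute, so an unchanged password does not trip the directory's
// password-history policy on every updateUser() call.
public final class LdapProfileUpdater {

    private final LdapUserDetailsManager manager;

    public LdapProfileUpdater(LdapUserDetailsManager manager) {
        this.manager = manager;
    }

    /** Updates the telephoneNumber of an existing person entry; the password is left untouched. */
    public void updateTelephone(String username, String telephoneNumber) {
        // Assumes the default PersonContextMapper, so the loaded UserDetails is a Person.
        Person existing = (Person) manager.loadUserByUsername(username);

        // Copy constructor (assumed available) carries over dn, cn, sn and the other attributes.
        Person.Essence edited = new Person.Essence(existing);
        edited.setTelephoneNumber(telephoneNumber);

        // Null password: Person's populateContext skips the userPassword attribute, so
        // DirContextAdapter.getModificationItems() no longer reports it as changed.
        edited.setPassword(null);

        manager.updateUser(edited.createUserDetails());
    }

    /** Changes only the password, as a separate step, via the manager's own operation. */
    public void changePassword(String oldPassword, String newPassword) {
        // In 2.0.x this is assumed to act on the user in the current SecurityContext.
        manager.changePassword(oldPassword, newPassword);
    }
}
```

Only call changePassword when the password has actually changed; otherwise the history policy on the server is exercised needlessly.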