Thread: Setting Context.REFERRAL to 'follow' results in DN parse exception

  1. #1
    Join Date
    Jul 2008
    Posts
    7

    In order to follow referrals, I'm using LdapContextSource with
    Code:
          
        env.put(Context.REFERRAL, "follow");
        ctx.setBaseEnvironmentProperties(env);
    When a search includes results from following a referral, I get an exception
    Code:
    Caused by: org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5.  Encountered: ":" (58), after : ""
            at org.springframework.ldap.core.DistinguishedName.parse(DistinguishedName.java:145)
            at org.springframework.ldap.core.DistinguishedName.<init>(DistinguishedName.java:100)
            at org.springframework.ldap.core.DirContextAdapter.<init>(DirContextAdapter.java:139)
            at org.springframework.ldap.core.support.DefaultDirObjectFactory.getObjectInstance(DefaultDirObjectFactory.java:61)
            at javax.naming.spi.DirectoryManager.createObjectFromFactories(Unknown Source)
            at javax.naming.spi.DirectoryManager.getObjectInstance(Unknown Source)
    Setting a breakpoint at DirContextAdapter shows that the DN in question is prefixed with the LDAP URL for the referred-to LDAP server. Apparently that's how JNDI prefixes results returned from followed referrals (I'd post the reference, but haven't hit my five post threshold to be able to post URLs :-/ ... google '"Automatically Following Referrals" jndi' and you'll see the page I'm looking at from the JNDI tutorial).

    Is there some clever trick here used by others who've gotten this to work? Or am I in for a subclassing of DirContextAdapter?

  2. #2
    Join Date
    Mar 2005
    Location
    Landskrona, Sweden
    Posts
    505

    I have no experience of this myself, but this sounds like something we should probably work our way around. The place to do that would be the DefaultDirObjectFactory. Please post a jira issue with the details and we'll take a look at it.
    Mattias Arthursson
    Jayway AB (www.jayway.se)
    Spring-LDAP project member

  3. #3
    Join Date
    Jul 2008
    Posts
    7

    Thanks for the pointer to DefaultDirObjectFactory. I was able to work around the issue. I've filed LDAP-136 in Jira, and attached the subclass of DefaultDirObjectFactory I'm using.

    I also added a comment to LDAP-9. With the DN parsing issue fixed, I was actually able to have JNDI automatically follow referrals between Active Directory servers.

  4. #4
    Join Date
    Jun 2008
    Posts
    26

    Hi all,

    I have a similar problem whilst trying to authenticate users using Spring Security and LDAP. Since I'm using referrals I've set the follow referral flag to true. Problem is this causes the following exception to occur:

    Code:
    Authentication request failed: org.springframework.security.AuthenticationServiceException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5.  Encountered: ":" (58), after : ""; nested exception is org.springframework.ldap.BadLdapGrammarException: Failed to parse DN; nested exception is org.springframework.ldap.core.TokenMgrError: Lexical error at line 1, column 5.  Encountered: ":" (58), after : ""
    My security context:

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:util="http://www.springframework.org/schema/util"
      xmlns:security="http://www.springframework.org/schema/security"
      xsi:schemaLocation="http://www.springframework.org/schema/beans 
                               http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                               http://www.springframework.org/schema/util 
                               http://www.springframework.org/schema/util/spring-util-2.5.xsd
                               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
     
      <security:http access-denied-page="/pages/denied.htm">
        <security:form-login login-page="/pages/login.htm" authentication-failure-url="/pages/login.htm?login_error=true" />
        <security:intercept-url pattern="/pages/login.htm*" filters="none"/>
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <security:logout />
      </security:http>
        
      <bean id="securityContextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <constructor-arg value="ldap://localhost:389/dc=org"/>
        <property name="referral" value="follow" />  
      </bean>
        
      <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <security:custom-authentication-provider/>
        <constructor-arg>
          <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
            <constructor-arg ref="securityContextSource"/>
            <property name="userSearch" ref="userSearch" />
          </bean>
        </constructor-arg>
        <constructor-arg>
          <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
            <constructor-arg ref="securityContextSource"/>
            <constructor-arg value="ou=groups,ou=myApp,o=myOrganisation"/>
            <property name="groupSearchFilter" value="uniqueMember={0}" />
          </bean>
        </constructor-arg>
      </bean>
      
      <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <constructor-arg index="0" value="ou=people" />
        <constructor-arg index="1" value="(uid={0})" />
        <constructor-arg index="2" ref="securityContextSource" />
        <property name="derefLinkFlag" value="true" /> 
      </bean>      
      
      <security:global-method-security secured-annotations="enabled" />
      
    </beans>
    I'm using Spring 2.5.6 with Spring Security 2.0.4 and Spring LDAP 1.3

    Any help is highly appreciated!
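
Added example (not part of any post in this thread, and not the subclass attached to LDAP-136): posts #1 and #4 hit the same parse failure because the name JNDI reports for an entry reached through a followed referral is a full LDAP URL, so the DN parser stops at the ':' in column 5 of `ldap:`. The sketch below shows the kind of clean-up a DefaultDirObjectFactory subclass could apply before a DistinguishedName is built; `ReferralNameCleaner`, `stripReferralUrl`, and the sample hosts and DNs are hypothetical, and it assumes the reported name is a well-formed URL.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

/** Added illustration; class and method names are hypothetical, not Spring LDAP API. */
public class ReferralNameCleaner {

    /**
     * Returns the DN part of a name reported by JNDI. Names from followed
     * referrals arrive as LDAP URLs (ldap://host:port/dn); other names pass through.
     */
    static String stripReferralUrl(String name) throws URISyntaxException {
        String lower = name.toLowerCase(Locale.ROOT);
        if (!lower.startsWith("ldap://") && !lower.startsWith("ldaps://")) {
            return name; // ordinary DN, nothing to strip
        }
        URI uri = new URI(name);
        String path = uri.getPath(); // percent-decoded; query part (?attrs?scope) excluded
        if (path == null || path.length() <= 1) {
            return ""; // the URL carries no DN (root of the referred-to server)
        }
        return path.substring(1); // drop the leading '/'
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample names; hosts and DNs are placeholders.
        String[] samples = {
            "cn=John Doe,ou=people",
            "ldap://dc2.example.org:389/cn=John%20Doe,ou=people,dc=example,dc=org",
            "ldaps://dc3.example.org/cn=Jane,ou=people,dc=example,dc=org?cn?base"
        };
        for (String s : samples) {
            String dn = stripReferralUrl(s);
            try {
                // LdapName rejects anything that is still not a valid DN.
                System.out.println(new LdapName(dn) + "  <-  " + s);
            } catch (InvalidNameException e) {
                System.out.println("not a DN: " + s);
            }
        }
    }
}
```

The stripped DN is relative to the referred-to server, not to the base of the original context source, so code that joins it with the configured base needs to account for that.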
