Hi,
I'm facing a problem when adding a user with special characters (such as '+') in ldap using the createUser method of LdapUserDetailsManager. I use spring-ldap 1.3.0.RELEASE.
I might be missing something, and my code or configuration might be wrong in some way, but here is what I found:
The first part of the method runs successfully, and the user is added, but an exception is thrown in the addAuthorities method.

Code:
org.springframework.ldap.InvalidAttributeValueException: [LDAP: error code 21 - member: value #0 invalid per syntax]; nested exception is javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - member: value #0 invalid per syntax]; remaining name 'cn=user,ou=Group'

I explored the source in debug mode and it appears that the username is correctly protected by the DistinguishedName class (test+a@test becomes test\+a@test), but in the following call (lines 328 to 331 of LdapUserDetailsManager), the fullDn.toUrl() returns an unprotected dn (back to test+a@test), leading to the exception above.

Code:
ModificationItem addGroup = new ModificationItem(modType, new BasicAttribute(groupMemberAttributeName, fullDn.toUrl()));

The full trace is:

Code:
Exception in thread "main" org.springframework.ldap.InvalidAttributeValueException: [LDAP: error code 21 - member: value #0 invalid per syntax]; nested exception is javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - member: value #0 invalid per syntax]; remaining name 'cn=user,ou=Group'
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:122)
    at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:810)
    at org.springframework.ldap.core.LdapTemplate.executeReadWrite(LdapTemplate.java:802)
    at org.springframework.security.ldap.userdetails.LdapUserDetailsManager.modifyAuthorities(LdapUserDetailsManager.java:323)
    at org.springframework.security.ldap.userdetails.LdapUserDetailsManager.addAuthorities(LdapUserDetailsManager.java:315)
    at org.springframework.security.ldap.userdetails.LdapUserDetailsManager.createUser(LdapUserDetailsManager.java:243)
    at com.mycompany.project.core.application.manager.impl.LdapRepositoryUserManager.saveUser(LdapRepositoryUserManager.java:294)
    at com.mycompany.project.core.application.manager.impl.LdapRepositoryUserManager.saveClient(LdapRepositoryUserManager.java:114)
    at com.mycompany.project.apps.webapps.LdapTestMain.main(LdapTestMain.java:36)
Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - member: value #0 invalid per syntax]; remaining name 'cn=user,ou=Group'
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3054)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
    at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1455)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
    at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
    at org.springframework.security.ldap.userdetails.LdapUserDetailsManager$5.executeWithContext(LdapUserDetailsManager.java:331)
    at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:807)
    ... 7 more

I'm currently looking for a workaround, maybe using another method of the API.
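An added example, not part of the original post and not Spring's own code: using only the JDK's javax.naming.ldap classes, it shows why the username from the post must stay escaped when the full DN is written into a group's member attribute, and one way to build that value so the escaping is preserved. The base DN ou=People,dc=example,dc=com, the class name and the helper names are assumptions made for the illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MemberDnEscaping {
    // Build the user's full DN from an untrusted username; Rdn escapes the value.
    static LdapName userDn(String username, String baseDn) throws InvalidNameException {
        LdapName dn = new LdapName(baseDn);
        dn.add(new Rdn("cn", username));   // appended as the most specific (leftmost) RDN
        return dn;
    }

    // Group modification whose attribute value is the escaped string form of the DN.
    static ModificationItem addMember(String memberAttr, LdapName dn) {
        return new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute(memberAttr, dn.toString()));
    }

    // True when the string parses as a distinguished name.
    static boolean isValidDn(String candidate) {
        try {
            new LdapName(candidate);
            return true;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String username = "test+a@test";               // value from the post
        String base = "ou=People,dc=example,dc=com";   // constructed sample base DN

        // Naive concatenation: an unescaped '+' is read as the separator of a
        // multi-valued RDN, so "a@test" is parsed as a second type=value pair.
        String naive = "cn=" + username + "," + base;
        System.out.println(naive + " valid=" + isValidDn(naive));

        LdapName dn = userDn(username, base);
        System.out.println(dn + " valid=" + isValidDn(dn.toString()));

        // Round trip: the original, unescaped username is recovered from the RDN.
        System.out.println("cn value: " + dn.getRdn(dn.size() - 1).getValue());

        ModificationItem item = addMember("member", dn);
        System.out.println(item.getAttribute().get());
    }
}
```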