Possible bug in LDAP filter with active directory

dmitchell · July 9, 2021, 12:14am

When authenticating using active directory with a custom filter, such as:

jmix.ldap.useActiveDirectoryConfiguration = true
jmix.ldap.userSearchFilter = (&(objectClass=user)(sAMAccountName={0}))

the debug log shows the filter as:

filter = ‘(&(objectClass=user)(userPrincipalName={0}))’

It appears that it is required to specify userSearchFilter but its value is ignored when working with active directory.

I don’t know if this is a bug in the ldap add-on or if this is how Spring Security LDAP is supposed to function. However, it might be worth noting this in the documentation.

In case this helps anyone else: it appears that occurrences of {0} are replaced with the username@domain if jmix.ldap.activeDirectoryDomain is specified. Once I realized that, the filter became a non-issue. My users can sign in with their sAMAccountName but the search uses userPrincipalName which contains their email address.

shalyganov · July 12, 2021, 8:32am

Hi, @dmitchell

Thank you for trying out the add-on and your feedback!
In case when Active Directory configuration is used, users are able to login using either their username or domain username (user@domain). As long as jmix.ldap.activeDirectoryDomain is specified, ActiveDirectoryLdapAuthenticationProvider will handle it.

Filter used in ActiveDirectoryLdapAuthenticationProvider has slightly different parameters (occurrences of {0} are replaced with the username@domain. Occurrences of {1} are replaced with the username only), while jmix.ldap.userSearchFilter is supposed to have only one parameter replaced by username (because this filter is also used in other beans, e.g. LdapUserRepository). That’s why the filter defined by this property is not used during authentication in AD. Seems that a separate property for such filter would be useful. At least, this case should be mentioned in the documentation.

Regards,
Gleb