0
votes

We have a custom Grails application that is using Spring Security for LDAP authentication. The user DNs contain commas (e.g., "CN=Smith\, John,CN=Users,DC=example,DC=com"), but our admin user's DN does not (e.g., "CN=peadmin,CN=Users,DC=example,DC=com"). When I run the application from the Grails server, which is essentially Tomcat, everything authenticates fine. When I build the WAR and deploy to WebSphere AS 7, I can only log in with the admin user. The exception in our log complains about an unexpected comma, which says that the application is not properly parsing/escaping the DN when running on WAS.

After upgrading to Spring Security 3.0.4, here is the specific exception message we get:

2011-04-07 20:58:41,975 [WebContainer : 0] ERROR controller.LoginController - org.springframework.security.authentication.AuthenticationServiceException: Failed to parse DN; nested exception is org.springframework.ldap.core.ParseException: Encountered "" at line 1, column 20. Was expecting: ...


1 Answer

0
votes

First off, you are playing with fire. Never ever use the DN as a basis for anything, since it is not a stable attribute of a user. It breaks instantly when, e.g., moving users around in the tree. With AD you should use samAccountName, and with TDS (and most of the rest) uid. This does not cause your current problem, but if that is a real-life application that you wish to keep working, please start changing things or you will be sorry later on.

Second, if you insist on using something with commas, which is a special character in LDAP queries, you should escape it yourself as per RFC 2254. Tomcat does this for you when it returns the user; WAS does not.
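The two escaping rules involved here, as an added example that is not code from the question or the answer (Python, so it runs stand-alone; the Grails application itself would do the same in Groovy or Java, for instance through Spring LDAP's LdapEncoder). Inside a DN string the comma is escaped per RFC 4514, which is what the question's "CN=Smith\, John" already shows; inside a search filter the characters that RFC 2254 (now RFC 4515) requires escaping are `*`, `(`, `)`, `\` and NUL, and a comma passes through as ordinary data. The block parses the DNs quoted in the question with a splitter that honours the backslash, shows what a naive comma split produces instead, and rejects a DN whose comma lost its escape, which is the shape of the "Failed to parse DN" failure. All function names are this example's own; the sample DNs are the ones from the question.

```python
"""Commas in LDAP DNs and search filters (added example, not the
question's or the answer's code)."""

# Constructed sample input: the DNs quoted in the question.
USER_DN = r"CN=Smith\, John,CN=Users,DC=example,DC=com"
ADMIN_DN = r"CN=peadmin,CN=Users,DC=example,DC=com"

# Characters that must be backslash-escaped anywhere inside a DN
# attribute value (RFC 4514 section 2.4).
_DN_SPECIAL = set(',+"\\<>;')
_HEX = set("0123456789abcdefABCDEF")


def naive_split_rdns(dn):
    """The broken approach: split on every comma, ignoring escapes."""
    return dn.split(",")


def split_rdns(dn):
    """Split a DN string into RDN strings, treating a backslash-escaped
    comma as part of the value rather than as a separator."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.extend((ch, dn[i + 1]))  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def unescape_dn_value(value):
    """Decode RFC 4514 escapes: "\\," style pairs and "\\2c" hex pairs.
    Hex pairs are decoded as single bytes, which covers ASCII; a
    multi-byte UTF-8 value would need its bytes collected first."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            if i + 2 < len(value) and value[i + 1] in _HEX and value[i + 2] in _HEX:
                out.append(chr(int(value[i + 1:i + 3], 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_dn(dn):
    """Return [(attribute, value), ...] for a DN string.

    An unescaped comma inside a value yields an RDN such as " John" with
    no '=', and a strict parser rejects the whole DN at that point.
    Multi-valued RDNs joined with '+' are not handled here."""
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError("cannot parse DN, RDN without '=': %r" % rdn)
        attr, raw = rdn.split("=", 1)
        pairs.append((attr.strip(), unescape_dn_value(raw)))
    return pairs


def escape_dn_value(value):
    """Escape a value for inclusion in a DN string (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 2254 / RFC 4515).
    Only '*', '(', ')', '\\' and NUL are special; a comma is plain data."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def user_filter(attr, value):
    """Lookup filter keyed on a stable attribute (samAccountName, uid)."""
    return "(&(objectClass=person)(%s=%s))" % (attr, escape_filter_value(value))


if __name__ == "__main__":
    print(naive_split_rdns(USER_DN))
    print(parse_dn(USER_DN), parse_dn(ADMIN_DN))
    print(user_filter("samAccountName", "jsmith*"))
    try:
        parse_dn("CN=Smith, John,CN=Users,DC=example,DC=com")
    except ValueError as exc:
        print("rejected:", exc)
```

The check to run against the WAS deployment is the last one: feed the DN string that WAS hands the application to `parse_dn`; if it raises on an RDN with no `=`, the comma reached the parser without its backslash, and the value has to go through `escape_dn_value` before being used as a DN (and through `escape_filter_value`, not `escape_dn_value`, when it is placed in a search filter).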