Please provide customization of the variable 'searchControls' inside ActiveDirectoryLdapAuthenticationProvider.searchForUser using a protected method or some other method. Also, if the method parameter 'username' ends with '@domain', then 'bindPrincipal' and 'username' are identical, but I need to pass the short username inside searchFilter, so please also add the ability to customize the parameters for 'searchFilter', for example:
// Proposed hook: lets subclasses choose which values are bound to {0}, {1}, ... in the search filter
protected Object[] customizeSearchFilterParams(DirContext context, String username, String bindPrincipal) throws NamingException {
return new Object[] { bindPrincipal, username };
}
Comment From: BriceRoncace
+1 The fact that the search filter string is customizable, but the parameter passed into the search is always the User Principal Name means we can't use a filter containing just the username (sAMAccountName).
See also https://stackoverflow.com/a/30879635/225217
Comment From: rwinch
I think a good approach would be for us to first add a default method to LdapUserSearch (gh-9745) and then this issue can allow injecting a custom LdapUserSearch instance that would allow changing how the user is searched for. This ensures that we allow any customization that users will want in the future as well.
Anyone interested in submitting a PR, please mention that on the linked issue first, as it will be the first step.
Comment From: BriceRoncace
Quick update on this.
I didn't realize at the time, but what I was looking to accomplish was already possible since the fix to https://github.com/spring-projects/spring-security/issues/2448 (commit https://github.com/spring-projects/spring-security/commit/8d717c62afd5d98b0aba467035389d3011434b51) included username as a second parameter to the search filter. This allows the username to be filtered by setting a search filter like:
(&(objectClass=user)(sAMAccountName={1}))
Comment From: jmsjr
Quick update on this.
I didn't realize at the time, but what I was looking to accomplish was already possible since the fix to #2448 (commit 8d717c6) included username as a second parameter to the search filter. This allows the username to be filtered by setting a search filter like:
(&(objectClass=user)(sAMAccountName={1}))
This saved the day for me!!! Thanks. This should be made obvious in the documentation.
FWIW, our domain is an internal-only domain (e.g., let's say corporation.com), and I don't see any attribute where we have the LANID@corporation.com anywhere. We do have valid e-mail addresses (e.g., let's say john@corp.com), but the domain name of the e-mail address is NOT the AD domain. So the ability to apply a filter by only the LANID without the AD domain is essential.
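Wiring the provider with the sAMAccountName filter from the two comments above, as an added example that is not from this thread or from Spring Security's own sources; the domain name and LDAP URL are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

@Configuration
public class AdAuthConfig {

    @Bean
    public ActiveDirectoryLdapAuthenticationProvider adAuthenticationProvider() {
        // Placeholder AD domain and domain controller URL: replace with your own values.
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider("corporation.com", "ldap://ad.corporation.com:389");

        // searchForUser binds two positional arguments to the filter:
        //   {0} = bindPrincipal (username@domain, the UPN used for the bind)
        //   {1} = username exactly as entered in the login form
        // Using {1} lets users log in with the short LANID and match sAMAccountName.
        // The values are passed as JNDI search arguments, so LDAP filter metacharacters
        // in the username are escaped by the JNDI provider instead of being concatenated
        // into the filter string.
        provider.setSearchFilter("(&(objectClass=user)(sAMAccountName={1}))");

        // Map AD sub-error codes (expired password, locked account, ...) to specific exceptions
        provider.setConvertSubErrorCodesToExceptions(true);
        return provider;
    }
}
```

As the original report notes, if a user enters the full user@domain form, {1} carries that same value, so the filter above only matches when the short account name is what was typed.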
Comment From: rwinch
I'm closing this in favor of the workaround and the related issues that were created.