Sunday, November 26, 2017

Why do accountExpires and userAccountControl filters in SpringLDAP / plain Java AD queries not work as expected?

I'm using the SpringLDAP API within a Spring-based webapp to query Active Directory hosted on Windows Server 2012. My environment details are: Java 1.8.0_101, apache-tomcat-8.0.36, SpringMVC 4.3.1 and SpringLDAP 2.3.1.

The following AD filter query works in a Windows-based (maybe C++/C#) query tool (e.g., Lepide AD Query tool) and also in the LDAP Browser plugin within the Eclipse IDE, but does not work within Java (JNDI/SpringLDAP API based) code or in the Java-based application JXplorer:

(&(objectclass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(accountExpires>=131554368000000000)(userPrincipalName=cgm@*)) 

I'm trying to get a user account that is ACTIVE, not yet expired as of a given date, and with a userPrincipalName value starting with the string cgm@.

The following is the LDAP configuration within the spring-servlet.xml file:

<util:map id="ldapBaseEnvProps">
    <entry key="java.naming.ldap.attributes.binary" value="objectGUID"/>
</util:map>
<ldap:context-source id="pooledLdapContextSrc"
                     url="ldap://dc.myadserver.com:3268"
                     base="DC=myadserver,DC=com"
                     username="CN=adusername,OU=Mkt-Managers,DC=myadserver,DC=com"
                     password="*****"
                     base-env-props-ref="ldapBaseEnvProps">
    <ldap:pooling max-total="16" max-active="16" max-idle="8" min-idle="0"
                  max-wait="90000" when-exhausted="BLOCK"
                  test-on-borrow="true" test-while-idle="true"/>
</ldap:context-source>

Are such AD filters supported by the Java/SpringLDAP API at all? If yes, what needs to be changed for the above AD query filter to work in the Java-based code?

1 Answer


I would suggest using Spring LDAP's query builder object in Java to help you build that query. Your question seems to indicate that you copied that query from your C (Windows) environment into your Java environment.

I would start by building the query with the .where() function in Spring LDAP, as used here, and seeing if it results in the same error: https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html
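
One way to build the question's filter with Spring LDAP's filter classes and hand it to LdapQueryBuilder, as an added example that is not part of the original post or of the Spring LDAP documentation. The class and method names (ActiveUserQuery, toFileTime, activeUsers) are hypothetical, and the sample instant is constructed so that it converts to the accountExpires value used in the question.

```java
import java.time.Instant;

import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.filter.GreaterThanOrEqualsFilter;
import org.springframework.ldap.filter.HardcodedFilter;
import org.springframework.ldap.filter.LikeFilter;
import org.springframework.ldap.filter.NotFilter;
import org.springframework.ldap.query.LdapQuery;
import org.springframework.ldap.query.LdapQueryBuilder;

// Hypothetical helper class, not taken from the page.
public class ActiveUserQuery {

    // Seconds between 1601-01-01 (Windows FILETIME epoch) and 1970-01-01 (Unix epoch).
    private static final long EPOCH_DIFF_SECONDS = 11_644_473_600L;

    /** Converts an instant to the 100-nanosecond tick count stored in accountExpires. */
    static long toFileTime(Instant when) {
        return (when.getEpochSecond() + EPOCH_DIFF_SECONDS) * 10_000_000L
                + when.getNano() / 100;
    }

    /**
     * Builds the filter from the question. LikeFilter escapes LDAP filter
     * metacharacters in upnPrefix except '*', which stays a wildcard, so a
     * caller-supplied prefix should be rejected if it contains '*'.
     */
    static LdapQuery activeUsers(String upnPrefix, Instant notExpiredBefore) {
        AndFilter filter = new AndFilter()
                .and(new EqualsFilter("objectclass", "user"))
                .and(new EqualsFilter("objectCategory", "person"))
                // Bitwise-AND matching rule; value 2 is the ACCOUNTDISABLE flag.
                .and(new NotFilter(new HardcodedFilter(
                        "(userAccountControl:1.2.840.113556.1.4.803:=2)")))
                .and(new GreaterThanOrEqualsFilter("accountExpires",
                        Long.toString(toFileTime(notExpiredBefore))))
                .and(new LikeFilter("userPrincipalName", upnPrefix + "@*"));
        return LdapQueryBuilder.query().filter(filter);
    }

    public static void main(String[] args) {
        // Constructed sample input: prefix and date matching the question's filter.
        LdapQuery q = activeUsers("cgm", Instant.parse("2017-11-18T00:00:00Z"));
        System.out.println(q.filter().encode());
    }
}
```

Printing the encoded filter before running the search makes it possible to compare it character by character with the string that works in the other tools.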
