
Here is the code of my little test servlet:

    import java.io.IOException;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import com.ibm.websphere.security.UserRegistry;
    import com.ibm.websphere.security.WSSecurityHelper;
    import com.ibm.wsspi.security.registry.RegistryHelper;

    public class LdapTestServlet extends HttpServlet {

        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            try {
                if (WSSecurityHelper.isServerSecurityEnabled()) {
                    String testuser = "myuser";
                    String password = "mypassword";

                    // Look up the registry configured with realm="LdapRegistry" in server.xml
                    UserRegistry registry = RegistryHelper.getUserRegistry("LdapRegistry");
                    // 1) resolve the short name to the user's security name (the DN)
                    response.getWriter().append("<p>Output: " + registry.getUserSecurityName(testuser) + "</p>");
                    // 2) validate the short name, 3) validate the resolved security name
                    response.getWriter().append("<p>Output: " + registry.isValidUser(testuser) + "</p>");
                    response.getWriter().append("<p>Output: " + registry.isValidUser(registry.getUserSecurityName(testuser)) + "</p>");
                } else {
                    response.getWriter().append("<p>Output: No Sec Enabled</p>");
                }
            } catch (Exception e) {
                // Any registry/LDAP failure is written to the page for inspection
                response.getWriter().print("<p>Exception caught: " + e + " </p>");
            }
        }
    }

And here is my LDAP config from my server.xml:

    <ldapRegistry baseDN="o=appsdir" bindDN="cn=user123,ou=usersbind,o=appsdir" bindPassword="mostsecurePW"
                  host="localhost" id="drd" ldapType="Microsoft Active Directory" port="389"
                  realm="LdapRegistry" recursiveSearch="false" returnToPrimaryServer="true">
        <ldapCache>
            <attributesCache size="4000"/>
            <searchResultsCache resultsSizeLimit="1000" timeout="600ms"/>
        </ldapCache>
        <activedFilters userFilter="(&amp;(objectClass=person)(|(uid=%v)(samAccountName=%v)(userPrincipalName=%v)))"/>
    </ldapRegistry>

I think my problem is that the userFilter in the server.xml is somehow off. When I set it to the following:

(&amp;(objectClass=person)(|(uid=%v))) <-- on purpose to clarify what was removed

I get the output:

    Output: uid=testuser,ou=testing,ou=people,o=appsdir
    Output: true
    Output: false

But when I add (samAccountName=%v) and/or (userPrincipalName=%v) to the filter I get the following exception right away:

    Exception caught: com.ibm.websphere.security.CustomRegistryException:
    CWIML4520E: The LDAP operation could not be completed. The LDAP naming
    exception javax.naming.OperationNotSupportedException: [LDAP: error code 53
    - Search is not indexed]; remaining name 'o=appsdir'; resolved object
    com.sun.jndi.ldap.LdapCtx@254ba79e occurred during processing.

Why is it not working while using | (OR)? I thought this would go through these filters until one matches. Is there some documentation on how this works?

What does "Search is not indexed" from the exception mean?

Btw., using the standard value for the userFilter also results in the same exception.

  • You might get better/more direct feedback with using the same filter in ldapsearch. I could find no hint of an AD feature that "rejected" filters/searches that required searching non-indexed fields, but that's sure what it seems like! – covener Aug 12 '17 at 16:19
  • Thank you, but the info I got from ldapsearch was the same – kinglite Aug 14 '17 at 08:50

1 Answer

So, I played around, and with the following filter the isValidUser method on a userSecurityName works: (&amp;(|(objectcategory=person)(objectclass=person))(uid=%v)) (the &amp; is needed for Liberty's server.xml file; otherwise it's not necessary)

I don't know why or how I could check this in AD, but it seems there is no objectclass=person when using userSecurityName, but there is an objectcategory=person. The same, but the other way around, seems to be true when not using the userSecurityName.

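To make the filter behaviour discussed in the question and the answer concrete, here is an added example (not code from the original post or from Liberty): a small evaluator for the and/or/equality subset of LDAP search filters, run against constructed directory entries, showing which entry each filter variant matches after `%v` is substituted, and why the substituted name must be RFC 4515 escaped. The entries, the `search` function and the second entry that carries only objectcategory=person are assumptions built to mirror the answer's observation, not data from a real directory.

```python
import re

# Filters from the question and the answer, as sent on the wire: the &amp;
# in server.xml is XML escaping and becomes a plain & here.
FULL_FILTER = "(&(objectClass=person)(|(uid=%v)(samAccountName=%v)(userPrincipalName=%v)))"
UID_ONLY_FILTER = "(&(objectClass=person)(|(uid=%v)))"
ANSWER_FILTER = "(&(|(objectcategory=person)(objectclass=person))(uid=%v))"

# Constructed entries (not real data): attribute names lower-cased, values
# multi-valued like LDAP. The second entry mirrors the answer's observation of
# an entry with objectcategory=person but no objectclass=person.
DIRECTORY = {
    "uid=testuser,ou=testing,ou=people,o=appsdir": {
        "objectclass": ["top", "person", "user"], "uid": ["testuser"],
        "samaccountname": ["testuser"]},
    "cn=other,ou=people,o=appsdir": {
        "objectcategory": ["person"], "uid": ["other"]},
}

def escape_value(value):
    """RFC 4515 escaping for the text substituted into %v, so a user-supplied
    name can never change the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_filter(template, user):
    return template.replace("%v", escape_value(user))

def _parse(s, i):
    """Recursive-descent parser for the (&, |, !, attr=value) subset used above."""
    assert s[i] == "(", "filter items must start with ("
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing )
    end = s.index(")", i)                  # escaped \28 / \29 never match here
    attr, _, val = s[i + 1:end].partition("=")
    unescaped = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return ("=", attr.lower(), unescaped.lower()), end + 1

def _matches(node, entry):
    op = node[0]
    if op == "&": return all(_matches(k, entry) for k in node[1])
    if op == "|": return any(_matches(k, entry) for k in node[1])
    if op == "!": return not _matches(node[1][0], entry)
    _, attr, val = node
    return val in (v.lower() for v in entry.get(attr, []))  # AD matches case-insensitively

def search(ldap_filter):
    """Return the DNs under DIRECTORY that the filter matches."""
    tree, _ = _parse(ldap_filter, 0)
    return [dn for dn, entry in DIRECTORY.items() if _matches(tree, entry)]
```

Run `search(build_filter(ANSWER_FILTER, "other"))` against `search(build_filter(UID_ONLY_FILTER, "other"))` to see the difference the answer describes: only the filter that also accepts objectcategory=person finds the second entry.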