AD: Fixed user search lookup

The user search is using the wrong user attribute name, userPrincipalName which in most cases is correct. But for the case of LA county, it isn't. We now search for sAMAccountName and UserPrincipalName. Fixes https://github.com/elasticsearch/elasticsearch-shield/issues/548 Original commit: elastic/x-pack-elasticsearch@7dd7d05f44
2025-02-09 06:25:07 +00:00 · 2015-01-09 12:07:28 -07:00 · 2015-01-09 12:07:28 -07:00 · be768d5a44
commit be768d5a44
parent 01c2016c49
2 changed files with 27 additions and 2 deletions
--- a/src/main/java/org/elasticsearch/shield/authc/active_directory/ActiveDirectoryConnectionFactory.java
+++ b/src/main/java/org/elasticsearch/shield/authc/active_directory/ActiveDirectoryConnectionFactory.java
@ -85,9 +85,9 @@ public class ActiveDirectoryConnectionFactory extends ConnectionFactory {
            searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            searchCtls.setReturningAttributes(Strings.EMPTY_ARRAY);
            searchCtls.setTimeLimit(timeoutMilliseconds);
-            String searchFilter = "(&(objectClass=user)(userPrincipalName={0}))";
+            String searchFilter = "(&(objectClass=user)(|(sAMAccountName={0})(userPrincipalName={1})))";
            try (ClosableNamingEnumeration<SearchResult> results = new ClosableNamingEnumeration(
-                    ctx.search(userSearchDN, searchFilter, new Object[] { userPrincipal }, searchCtls))) {
+                ctx.search(userSearchDN, searchFilter, new Object[] { userName, userPrincipal }, searchCtls))) {

                if(results.hasMore()){
                    SearchResult entry = results.next();
--- a/src/test/java/org/elasticsearch/shield/authc/active_directory/ActiveDirectoryFactoryTests.java
+++ b/src/test/java/org/elasticsearch/shield/authc/active_directory/ActiveDirectoryFactoryTests.java
@ -124,6 +124,31 @@ public class ActiveDirectoryFactoryTests extends ElasticsearchTestCase {
        }
    }

+    @Test @SuppressWarnings("unchecked")
+    public void testAdUpnLogin() {
+        Settings settings = buildAdSettings(AD_LDAP_URL, AD_DOMAIN, "CN=Users,DC=ad,DC=test,DC=elasticsearch,DC=com", false);
+        ActiveDirectoryConnectionFactory connectionFactory = new ActiveDirectoryConnectionFactory(settings);
+
+        //Login with the UserPrincipalName
+        String userDN;
+        try (AbstractLdapConnection ldap = connectionFactory.open("erik.selvig", SecuredStringTests.build(PASSWORD))) {
+            List<String> groups = ldap.groups();
+            userDN = ldap.authenticatedUserDn();
+            assertThat(groups, containsInAnyOrder(
+                    containsString("Geniuses"),
+                    containsString("Domain Users")));
+        }
+        //Same user but login with sAMAccountName
+        try (AbstractLdapConnection ldap = connectionFactory.open("selvig", SecuredStringTests.build(PASSWORD))) {
+            assertThat(ldap.authenticatedUserDn(), is(userDN));
+
+            List<String> groups = ldap.groups();
+            assertThat(groups, containsInAnyOrder(
+                    containsString("Geniuses"),
+                    containsString("Domain Users")));
+        }
+    }
+
    @Test @SuppressWarnings("unchecked")
    public void testAD_standardLdapConnection(){
        String groupSearchBase = "DC=ad,DC=test,DC=elasticsearch,DC=com";