rwinch / spring-ldap-migrate-issues

LDAP-287: LdapTemplate should convert string DNs to DistinguishedNames before passing them to DirContext #291

Open rwinch opened 10 years ago

rwinch commented 10 years ago

Migrated from LDAP-287

Oracle's com.sun.jndi.ldap.LdapCtx (OracleJDK and OpenJDK) is converting all string-based names to CompositeName. This means that it will get special handling for forward slashes and possibly other unwanted behavior.

Spring LDAP is an LDAP library and LdapTemplate is supposed to work with LDAP objects. If the JavaDoc says a DN string is expected, it should not have any side effects, like misinterpreting the forward slash character, which is not consistent with the LDAP RFCs.

ldapTemplate.lookup("cn=foo/bar,cn=root"); // Results in error
ldapTemplate.lookup(new DistinguishedName("cn=foo/bar,cn=root")); // Works nicely

I suggest internally converting all string-based DNs to DistinguishedName inside LdapTemplate methods, before handing them over to DirContext.

rwinch commented 10 years ago

Pavel Horal said:

Of course, an alternative approach would be to not alter the current implementation, but actually warn about CompositeName syntax in the JavaDoc.

rwinch commented 10 years ago

Mattias Hellborg Arthursson said:

I'm considering your workaround, but to be perfectly honest I think this should really be filed as a bug in the JDK rather than Spring LDAP. It's quite clearly stated that Spring LDAP relies on Java LDAP/JNDI under the covers, even though we are sidestepping similar problems caused by CompositeNames in a number of places.

I'll have to think about this some more before deciding. Please note however that DistinguishedName has been deprecated in Spring LDAP 2.x. The recommendation is now to always use the built-in Java LdapName; there are some utilities in LdapUtils and LdapNameBuilder that help with working with these, particularly taking care of the Exceptions, which are all checked in LdapName.
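
The parsing difference discussed in this thread, as an added example that is not part of the original issue or of Spring LDAP's code. It uses only JDK classes; the class name DnParsingDemo and its helper methods are hypothetical, and the DN is the sample string from the issue.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnParsingDemo {

    // Sample DN from the issue text; the CN value contains a forward slash.
    static final String DN = "cn=foo/bar,cn=root";

    // Composite-name syntax, which the issue says LdapCtx applies to String
    // names: '/' is the component separator, so the DN is split at the slash.
    static Name asCompositeName(String dn) throws InvalidNameException {
        return new CompositeName(dn);
    }

    // LDAP DN syntax: '/' has no special meaning, ',' separates RDNs.
    static LdapName asLdapName(String dn) throws InvalidNameException {
        return new LdapName(dn);
    }

    // Adding the whole DN as one component keeps it intact; the string
    // form of the result carries the escaping composite syntax requires.
    static Name asSingleComponent(String dn) throws InvalidNameException {
        return new CompositeName().add(dn);
    }

    public static void main(String[] args) throws InvalidNameException {
        Name composite = asCompositeName(DN);
        System.out.println("CompositeName components: " + composite.size());
        for (int i = 0; i < composite.size(); i++) {
            System.out.println("  [" + i + "] " + composite.get(i));
        }

        LdapName ldap = asLdapName(DN);
        System.out.println("LdapName RDNs: " + ldap.size());
        // getRdns() is ordered from the rightmost (root) RDN to the leftmost.
        for (Rdn rdn : ldap.getRdns()) {
            System.out.println("  " + rdn.getType() + " = " + rdn.getValue());
        }

        System.out.println("Escaped for String-based JNDI calls: "
                + asSingleComponent(DN));
    }
}
```

Passing the LdapName itself to the Name-based overloads, such as LdapTemplate.lookup(Name), avoids the composite-name parsing step for the DN entirely.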