Home/ Questions/Q 7598033
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T22:18:29+00:00

I am trying to authenticate users to an Active Directory Instance using spring security,

  • 0

I am trying to authenticate users to an Active Directory Instance using spring security, I am getting an Partial Results Exception. I am going around in circles trying to figure this out. Below is my config.

security-app-context

<authentication-manager erase-credentials="true">
        <authentication-provider>
            <user-service>
                <user name="admin@damien.com" authorities="ROLE_ADMINISTRATOR" password="123admin123" />
            </user-service>
        </authentication-provider>
        <authentication-provider ref="ldapActiveDirectoryAuthProvider"/>
</authentication-manager>

<bean id="ldapActiveDirectoryAuthProvider"
      class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="myDomain.com" />
    <constructor-arg value="ldap://ldapurl:389/" />
    <property name="convertSubErrorCodesToExceptions" value="true"/>
</bean>

Error I am getting

 org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0        org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:239)

I am struggling to find examples and the documentation indicates I am working in the right direction.

This is from the logs 

SpringSecurityLdapTemplate.java 213 - Searching for entry under DN '', base = 'dc=myDomain,dc=com', filter = '(&(objectClass=user)(userPrincipalName={0}))'

and this is what I would expect that to look like on a successful attempt from some scripts that work

Searching for entry under DN 'OU=Users and Groups,DC=one,DC=two,DC=myDomain,DC=com', base = 'OU=Users and Groups,DC=one,DC=two,DC=myDomain,DC=com', filter = '(&(objectClass=user)(userPrincipalName={0}))'

Do I need to get the DN populated? How? I have looked through the ActiveDirectoryLdapAuthenticationProvider properties and don’t see a way? Also the base is off but myDomain.com is the correct domain for users e.g john.doe@myDomain.com. Has anyone come across a similar problem?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    To solve this I used the default LDAP provider which enables user search base to be specified, specifying the user search base and user search filter.

    <ldap-authentication-provider
    user-search-base="OU=Users and Groups,DC=abc,DC=myDomain,DC=com"
    user-search-filter="userPrincipalName={0}" />

    A user would then be logging in with john.doe@myDomain.com but the usersearch base is more specific(abc.myDomain.com). I believe AD Spring was falling down due to this.

    • 0