Hi folks,

consider this exception we had yesterday in production:
11:54:13.120 [https-openssl-apr-0.0.0.0-8008-exec-3] ERROR c.s.l.c.s.s.a.impl.ADUserAccess - Active Directory connection error!
org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-03100836, problem 5012 (DIR_ERROR), data 0
 ]; remaining name 'CN=SmartLD // China Hub_ab1464c2a8e6,OU=Cloud Groups,OU=ACF TEST,DC=innomotics,DC=net'
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:228)
        at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:824)
...
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-03100836, problem 5012 (DIR_ERROR), data 0
 ]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3305)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3211)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3002)
        at com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:1062)
        at com.sun.jndi.toolkit.ctx.ComponentContext.c_resolveIntermediate_nns(ComponentContext.java:168)
        at com.sun.jndi.toolkit.ctx.AtomicContext.c_resolveIntermediate_nns(AtomicContext.java:359)
        at com.sun.jndi.toolkit.ctx.ComponentContext.p_resolveIntermediate(ComponentContext.java:439)
        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:227)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129)
        at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
        at sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)

CompositeName splits on slash, sending an invalid request to Active Directory.

The method in question is javax.naming.directory.InitialDirContext#getAttributes(String name). I always assumed that the string value is parsed into an LDAP name via #getNameParser(""). Looking into the code I see that LdapCtx inherits from PartialCompositeDirContext using CompositeName, which is unsuited for LDAP in general. At first, I considered this to be a conceptual bug and was about to report it to you, but then found [1]. It explicitly says that if you pass a string, CompositeName is used; if you need exact results, use LdapName.

My question is: Why does an LDAP context have this conceptual pitfall? I mean, this approach does not compute for me logically. In the end, unless you know exactly what you are passing as a string, you *always* have to go through LdapNameParser to be on the safe side.

Michael

[1] https://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
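A small Java program, added here as an illustration and not part of Michael's message or of the JDK/Spring LDAP code, showing the parsing difference the message describes. It uses the DN from the stack trace above; the helper method names (asCompositeName, asLdapName, safeGetAttributes, buildGroupDn) are my own, and no directory server is needed for the parsing part.

```java
import javax.naming.CompositeName;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnParsingDemo {

    // The DN from the stack trace; the "//" inside the CN value is what trips CompositeName.
    static final String DN =
        "CN=SmartLD // China Hub_ab1464c2a8e6,OU=Cloud Groups,OU=ACF TEST,DC=innomotics,DC=net";

    // This is what InitialDirContext#getAttributes(String) does with the string internally:
    // CompositeName syntax treats "/" as a component separator, so the DN is split apart.
    static Name asCompositeName(String dn) throws NamingException {
        return new CompositeName(dn);
    }

    // This is what the caller should do instead: LdapName uses RFC 2253 DN syntax,
    // in which "/" is an ordinary value character and "," separates RDNs.
    static LdapName asLdapName(String dn) throws NamingException {
        return new LdapName(dn);
    }

    // Safe lookup: pass a Name, not a String, so the composite-name code path is never taken.
    static Attributes safeGetAttributes(DirContext ctx, String dn) throws NamingException {
        return ctx.getAttributes(new LdapName(dn));
    }

    // When the CN comes from user input, build the DN with Rdn so that the value is escaped
    // according to DN rules rather than concatenated into a string (assumed base DN).
    static LdapName buildGroupDn(String baseDn, String cn) throws NamingException {
        LdapName name = new LdapName(baseDn);
        name.add(new Rdn("CN", cn)); // index size() is the leftmost, most specific RDN
        return name;
    }

    public static void main(String[] args) throws NamingException {
        Name composite = asCompositeName(DN);
        System.out.println("CompositeName components: " + composite.size());
        for (int i = 0; i < composite.size(); i++) {
            System.out.println("  [" + i + "] '" + composite.get(i) + "'");
        }

        LdapName ldap = asLdapName(DN);
        System.out.println("LdapName RDNs: " + ldap.size());
        for (Rdn rdn : ldap.getRdns()) {
            System.out.println("  " + rdn.getType() + " = '" + rdn.getValue() + "'");
        }

        LdapName built = buildGroupDn("OU=Cloud Groups,OU=ACF TEST,DC=innomotics,DC=net",
                                      "SmartLD // China Hub_ab1464c2a8e6");
        System.out.println("Built DN: " + built);
    }
}
```

The CompositeName loop shows the DN broken into several components around the slashes, which is the "invalid request" the directory rejects; the LdapName loop shows five RDNs with the CN value intact. The buildGroupDn helper is the pattern to use for DNs assembled from untrusted input, since Rdn escapes commas, plus signs and the other DN metacharacters that plain string concatenation would let through.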
