Affects Version/s: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4, 10.3.2.1, 10.3.3.0, 10.4.1.3, 10.4.2.0, 10.5.1.1, 10.5.2.0, 10.5.3.0, 10.6.1.0, 10.6.2.1, 10.7.1.1
Fix Version/s: None
Issue & fix info:Known fix
Bug behavior facts:Security
It seems derby.authentication.ldap.searchFilter=derby.user doesn't work as advertised.
LDAPAuthenticationSchemeImpl contains this code:
// Retrieve the user's DN (Distinguished Name) If we're asked to
// look it up locally, do it first and if we don't find it, we go
// against the LDAP server for a look-up (search)
The lookup happens against the property "derby.user.", the username is not appended first, so userDN is always set to null, and search ensues before bind. Cf. this explanation http://db.apache.org/derby/manuals/develop/develop100.html:
> Derby typically initiates a search for a full DN before binding to the directory using the full DN for user authentication. Derby does not initiate a search in the following cases:
> * You have set derby.authentication.ldap.searchFilter to derby.user.
> * A user DN has been cached locally for the specific user with the derby.user.UserName property.