Why is CompositeName used in JNDI/LDAP after all?
Osipov, Michael (IN IT IN)
michael.osipov at innomotics.com
Tue Sep 16 16:14:11 UTC 2025
Hi folks,
consider this exception we had yesterday in production:
> 11:54:13.120 [https-openssl-apr-0.0.0.0-8008-exec-3] ERROR c.s.l.c.s.s.a.impl.ADUserAccess - Active Directory connection error!
> org.springframework.ldap.UncategorizedLdapException: Uncategorized exception occured during LDAP processing; nested exception is javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-03100836, problem 5012 (DIR_ERROR), data 0
> ]; remaining name 'CN=SmartLD // China Hub_ab1464c2a8e6,OU=Cloud Groups,OU=ACF TEST,DC=innomotics,DC=net'
> at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:228)
> at org.springframework.ldap.core.LdapTemplate.executeWithContext(LdapTemplate.java:824)
>...
> Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-03100836, problem 5012 (DIR_ERROR), data 0
> ]
> at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3305)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3211)
> at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3002)
> at com.sun.jndi.ldap.LdapCtx.c_lookup(LdapCtx.java:1062)
> at com.sun.jndi.toolkit.ctx.ComponentContext.c_resolveIntermediate_nns(ComponentContext.java:168)
> at com.sun.jndi.toolkit.ctx.AtomicContext.c_resolveIntermediate_nns(AtomicContext.java:359)
> at com.sun.jndi.toolkit.ctx.ComponentContext.p_resolveIntermediate(ComponentContext.java:439)
> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:227)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141)
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129)
> at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142)
> at sun.reflect.GeneratedMethodAccessor48.invoke(Unknown Source)
CompositeName splits on slash, sending an invalid request to Active Directory.
The method in question is
javax.naming.directory.InitialDirContext#getAttributes(String name). I
always assumed that the string value is
parsed into an LDAP name via #getNameParser(""). Looking into the code, I
see that LdapCtx inherits from PartialCompositeDirContext using
CompositeName, which is unsuited for LDAP in general. At first, I
considered this to be a conceptual bug and was about to report it to you,
but then found [1]. It explicitly says that: If you pass a string,
CompositeName is used. If you need exact results, use LdapName.
My question is: Why does an LDAP context have this conceptual pitfall? I
mean, this approach does not compute for me logically. At the end,
unless you know exactly what you are passing as a string, you
*always* have to go through LdapNameParser to be on the safe side.
Michael
[1] https://docs.oracle.com/javase/jndi/tutorial/beyond/names/syntax.html
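
The parsing difference described in the message, as an added example that is not part of the original post or of the JDK sources: it parses the DN from the stack trace with composite-name syntax and with LDAP DN syntax and prints the resulting components. The class name `DnNameParsing` and the helper methods are hypothetical; only the `javax.naming` calls are real API.

```java
import javax.naming.CompositeName;
import javax.naming.Name;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapName;

// Hypothetical demo class; runs without a directory server.
public class DnNameParsing {
    // DN copied from the "remaining name" in the stack trace above.
    static final String DN = "CN=SmartLD // China Hub_ab1464c2a8e6,OU=Cloud Groups,"
            + "OU=ACF TEST,DC=innomotics,DC=net";

    // Composite-name syntax: '/' separates components, so a DN containing
    // a slash is cut into several pieces.
    static Name asCompositeName(String dn) throws NamingException {
        return new CompositeName(dn);
    }

    // LDAP DN syntax: ',' separates RDNs and '/' is an ordinary character.
    static Name asLdapName(String dn) throws NamingException {
        return new LdapName(dn);
    }

    // If a CompositeName is required, add the DN as one component;
    // toString() then escapes the slashes.
    static Name asSingleComponent(String dn) throws NamingException {
        return new CompositeName().add(dn);
    }

    // Hypothetical helper: read attributes via the Name overload, so the
    // String is never parsed with composite-name rules.
    static Attributes getAttributesByDn(DirContext ctx, String dn) throws NamingException {
        return ctx.getAttributes(new LdapName(dn));
    }

    static void dump(String label, Name name) {
        System.out.println(label + ": " + name.size() + " component(s)");
        for (int i = 0; i < name.size(); i++) {
            System.out.println("  [" + i + "] '" + name.get(i) + "'");
        }
    }

    public static void main(String[] args) throws NamingException {
        dump("CompositeName(String)", asCompositeName(DN));
        dump("LdapName(String)", asLdapName(DN));
        dump("CompositeName().add(dn)", asSingleComponent(DN));
        System.out.println("escaped form: " + asSingleComponent(DN));
    }
}
```

`LdapName` indexes RDNs from right to left, so index 0 in its output is the rightmost RDN of the DN.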