Tags: java, active-directory, ldap, adam, adlds

LDAP not returning all attributes


I'm using Ldap to retrieve accounts from AD LDS:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;

Hashtable<String, String> props = new Hashtable<>();
props.put(Context.SECURITY_PRINCIPAL, "cn=adminuser,o=myorg,c=uk");
props.put(Context.SECURITY_CREDENTIALS, "password");
props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
props.put(Context.PROVIDER_URL, "ldaps://myldapserver:636");
InitialLdapContext context = new InitialLdapContext(props, null);

SearchControls controls = new SearchControls();
controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
controls.setReturningAttributes(null);
// according to javadoc, null means "return all attributes"

String userBase = "ou=users,o=myorg,c=uk"; // search base (value assumed; not shown in the question)
NamingEnumeration<SearchResult> results =
    context.search(userBase, "cn=SOMEUSER", controls);

The account comes back fine. But not all of SOMEUSER's attributes get returned.

Specifically, the msDS-UserPasswordExpired attribute never comes back.


However... if I list that attribute in SearchControls:

controls.setReturningAttributes(new String[] {
    "msDS-UserPasswordExpired", "cn", "mail"
});

Then magically it does come back.

Why? Is the SearchControls javadoc lying?

How do I tell it that I really really want all attributes back?

The workaround is to list every single attribute that I want back. But that's hideous, and will make adding future fields very error-prone.


Solution

  • The password-control attributes are operational attributes, which aren't returned unless you specifically ask for them.

    How do I tell it that I really really want all attributes back?

    You specify new String[]{"*", "+"} as the attribute IDs to return: "*" means all non-operational attributes, and "+" means all operational attributes. But this is not generally a good idea. There are lots of operational attributes that are none of your business. Just ask for what you actually need.
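Putting the answer into practice, as an added example (not code from the question or the answer): it requests "*" plus only the operational attributes the caller names, rather than "+", so it returns msDS-UserPasswordExpired without pulling every operational attribute. The connection values are the question's placeholders, and the base DN ou=users,o=myorg,c=uk, the class name and the helper names are assumed.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;

public class OperationalAttributeSearch {
    // "*" asks for every user (non-operational) attribute (RFC 4511 4.5.1.8);
    // each operational attribute the caller needs is named explicitly, so
    // nothing else operational is fetched and "+" support is not required.
    static String[] returningAttributes(String... operational) {
        String[] ids = new String[operational.length + 1];
        ids[0] = "*";
        System.arraycopy(operational, 0, ids, 1, operational.length);
        return ids;
    }

    // Finds cn=<cn> under baseDn and returns its attributes, or null if absent.
    static Attributes findUser(InitialLdapContext ctx, String baseDn, String cn,
                               String... operational) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(returningAttributes(operational));
        // cn is passed as a filter argument so JNDI escapes filter metacharacters.
        NamingEnumeration<SearchResult> results =
            ctx.search(baseDn, "(cn={0})", new Object[] { cn }, controls);
        return results.hasMore() ? results.next().getAttributes() : null;
    }

    public static void main(String[] args) throws NamingException {
        // Connection values are the question's placeholders; base DN is assumed.
        Hashtable<String, String> props = new Hashtable<>();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        props.put(Context.PROVIDER_URL, "ldaps://myldapserver:636");
        props.put(Context.SECURITY_PRINCIPAL, "cn=adminuser,o=myorg,c=uk");
        props.put(Context.SECURITY_CREDENTIALS, "password");
        InitialLdapContext ctx = new InitialLdapContext(props, null);
        try {
            Attributes attrs = findUser(ctx, "ou=users,o=myorg,c=uk", "SOMEUSER",
                                        "msDS-UserPasswordExpired");
            System.out.println(attrs == null ? "not found"
                : attrs.get("cn") + " / " + attrs.get("msDS-UserPasswordExpired"));
        } finally {
            ctx.close();
        }
    }
}
```

Adding a future operational attribute then means appending one name to the findUser call, while user attributes keep arriving via "*".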