
Why do accountExpires and userAccountControl filters in Spring LDAP / plain Java AD queries not work as expected?

I'm using the Spring LDAP API within a Spring-based webapp to query Active Directory that is hosted on Windows Server 2012. Following are my environment details: Java 1.8.0_101, apache-tomcat-8.0.36, SpringMVC 4.3.1 & SpringLDAP 2.3.1

The following AD filter query fetches the matching accounts in Windows-based (C++/C# based) query tools (e.g., the Lepide AD Query tool) and also in the LDAP Browser plugin within the Eclipse IDE, BUT does not fetch the matching records/AD accounts when used within Java (JNDI/Spring LDAP API based) code, and also not in the Java-based application JXplorer:

(&(objectclass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(accountExpires>=131554368000000000)(userPrincipalName=cgm@*))

I'm trying to get a user account that is ACTIVE, not yet expired as of a given date, and with a userPrincipalName value starting with the string cgm@.

Following is the LDAP configuration within the spring-servlet.xml file:

<util:map id="ldapBaseEnvProps">
    <entry key="java.naming.ldap.attributes.binary" value="objectGUID"/>
</util:map>
<ldap:context-source id="pooledLdapContextSrc" url="ldap://dc.myadserver.com:3268" base="DC=myadserver,DC=com" username="CN=adusername,OU=Mkt-Managers,DC=myadserver,DC=com" password="*****" base-env-props-ref="ldapBaseEnvProps">
    <ldap:pooling max-total="16" max-active="16" max-idle="8" min-idle="0" max-wait="90000" when-exhausted="BLOCK" test-on-borrow="true" test-while-idle="true"/>
</ldap:context-source>

Are such AD filters supported by the Java/Spring LDAP API at all? If yes, what needs to be changed for the above AD query filter to work (fetch the matching AD account(s)) in the Java-based code?

Shiva asked Nov 16 '17 14:11


1 Answer

I would suggest using Spring LDAP's query builder object in Java to help you build that query. Your question seems to indicate that you copied that query from your C (Windows) environment into your Java environment.

I would start by building the query with the .where() function in Spring LDAP, as used here, and seeing if it results in the same error: https://docs.spring.io/spring-ldap/docs/current/apidocs/org/springframework/ldap/query/LdapQueryBuilder.html

Ted answered Nov 03 '22 01:11
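As an added example (not code from the question or the answer), the filter from the question built with Spring LDAP's filter classes in org.springframework.ldap.filter rather than as a hand-written string, which is the direction the answer points to. The FILETIME conversion (100-nanosecond intervals since 1601-01-01 UTC) and the 1.2.840.113556.1.4.803 bitwise-AND matching rule are standard Active Directory facts; the class name ActiveUserFilter, the method names and the LdapTemplate wiring are assumptions of this example. As a cross-check, 2017-11-18T00:00:00Z converts to 131554368000000000, the accountExpires value used in the question.

```java
import java.time.Instant;
import java.util.List;
import java.util.regex.Pattern;

import javax.naming.directory.Attributes;

import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.filter.Filter;
import org.springframework.ldap.filter.GreaterThanOrEqualsFilter;
import org.springframework.ldap.filter.HardcodedFilter;
import org.springframework.ldap.filter.LikeFilter;
import org.springframework.ldap.filter.NotFilter;

/** Example (hypothetical class): builds the question's AD filter from Spring LDAP filter objects. */
public final class ActiveUserFilter {

    // AD FILETIME counts 100-nanosecond intervals since 1601-01-01T00:00:00Z;
    // this is the offset in seconds between that epoch and the Unix epoch.
    private static final long SECONDS_1601_TO_1970 = 11_644_473_600L;

    // LDAP_MATCHING_RULE_BIT_AND; bit 0x2 of userAccountControl is ACCOUNTDISABLE.
    private static final String BIT_AND_RULE = "1.2.840.113556.1.4.803";
    private static final int UAC_ACCOUNTDISABLE = 0x2;

    // Only a conservative UPN prefix is accepted, so a caller-supplied value
    // cannot carry filter syntax (parentheses, backslashes, extra wildcards).
    private static final Pattern SAFE_PREFIX = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    /** Converts an instant to the integer form AD stores in accountExpires. */
    static long toFileTime(Instant instant) {
        long seconds = instant.getEpochSecond() + SECONDS_1601_TO_1970;
        return seconds * 10_000_000L + instant.getNano() / 100;
    }

    /** Builds: user, person, not disabled, not expired before the given instant, UPN starts with prefix@. */
    static Filter buildFilter(String upnPrefix, Instant notExpiredBefore) {
        if (!SAFE_PREFIX.matcher(upnPrefix).matches()) {
            throw new IllegalArgumentException("unexpected characters in UPN prefix");
        }
        // The filter classes have no constructor for extensible-match rules, so this one
        // clause is a constant HardcodedFilter; every other value is escaped by its filter class.
        Filter notDisabled = new NotFilter(new HardcodedFilter(
                "(userAccountControl:" + BIT_AND_RULE + ":=" + UAC_ACCOUNTDISABLE + ")"));
        return new AndFilter()
                .and(new EqualsFilter("objectClass", "user"))
                .and(new EqualsFilter("objectCategory", "person"))
                .and(notDisabled)
                .and(new GreaterThanOrEqualsFilter("accountExpires",
                        Long.toString(toFileTime(notExpiredBefore))))
                .and(new LikeFilter("userPrincipalName", upnPrefix + "@*"));
    }

    /** Runs the search relative to the context source's base and returns the matching UPNs. */
    static List<String> findActiveUsers(LdapTemplate ldapTemplate, String upnPrefix, Instant notExpiredBefore) {
        String filter = buildFilter(upnPrefix, notExpiredBefore).encode();
        // "" searches from base="DC=myadserver,DC=com" configured on the context source.
        return ldapTemplate.search("", filter,
                (Attributes attrs) -> (String) attrs.get("userPrincipalName").get());
    }

    public static void main(String[] args) {
        // Constructed sample input: the prefix and cut-off date from the question.
        Filter f = buildFilter("cgm", Instant.parse("2017-11-18T00:00:00Z"));
        System.out.println(f.encode());
        // Prints the same filter string the question shows, with accountExpires>=131554368000000000.
    }
}
```

Two points worth keeping in mind when using this. First, the value-carrying clauses are built by EqualsFilter, GreaterThanOrEqualsFilter and LikeFilter, which escape special characters, and the prefix is whitelisted before it is appended to the wildcard; that closes the LDAP filter injection path a concatenated string would leave open if the prefix ever came from a request parameter. Second, Active Directory stores "never expires" in accountExpires as either 0 or 9223372036854775807: the >= comparison keeps the latter but drops accounts set to 0, so a result set that is unexpectedly empty should be checked against that before suspecting the client library.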