From 8794590e502f3f7805d4138c2c99334c8eda29f4 Mon Sep 17 00:00:00 2001
From: S Rahul
Date: Fri, 5 Jun 2009 05:56:35 +0000
Subject: [PATCH] Bug#501650: Disable alias dereferencing when ATS server searches for user in LDAP server.

---
 .../Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java
index d3a54638..fefef3b6 100644
--- a/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java
+++ b/CASA-auth-token/server-java/Svc/src/com/novell/casa/authtoksvc/PwdAuthenticate.java
@@ -191,6 +191,7 @@ public final class PwdAuthenticate implements AuthMechanism, Serializable
  env.put(Context.SECURITY_PRINCIPAL, m_svcConfig.m_realmsInfo.proxyUsernameCredential(authReqMsg.getRealm()));
  env.put(Context.SECURITY_CREDENTIALS, m_svcConfig.m_realmsInfo.proxyPasswordCredential(authReqMsg.getRealm()));
  }
+ env.put("java.naming.ldap.derefAliases", "never");
  int retries = 3;
  while (retries != 0)
@@ -237,9 +238,9 @@ public final class PwdAuthenticate implements AuthMechanism, Serializable
  if (realmType != null)
  {
  if (realmType.equalsIgnoreCase(RealmsInfo.eDirectoryRealm))
- searchString = "(cn={0})";
+ searchString = "(&(cn={0})(!(objectClass=aliasObject)))";
  else if (realmType.equalsIgnoreCase(RealmsInfo.ActiveDirectoryRealm))
- searchString = "(sAMAccountName={0})";
+ searchString = "(&(sAMAccountName={0})(!(objectClass=aliasObject)))";
  else
  {
  m_log.warn("invoke()- Unsupported realm type " + realmType);
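Review bot: The new `env.put("java.naming.ldap.derefAliases", "never");` line in the first hunk carries no comment explaining why dereferencing is switched off, and the rationale is the security-relevant part of this fix: with aliases dereferenced, the user lookup can resolve to whatever entry an alias points at, so the DN the service goes on to treat as the user is no longer the entry that actually matched the name. I would add `// Never dereference aliases: the user search must return the real entry, not an entry an alias redirects to.` above that line, and note there that the `(!(objectClass=aliasObject))` term added to both filters in the second hunk is the companion measure. The environment setup and the retry loop belong to a method whose start and end lie outside the hunk; if the same `env` is reused for the later credential bind, this setting also applies to that bind, which is the intended direction but worth stating in the comment.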
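Review bot: The added filter terms name `aliasObject`, which is eDirectory's alias class; the standard LDAP alias class from RFC 4512 is `alias`, so against a directory that uses the standard class the filter change on its own would not exclude aliases and the protection rests entirely on the `derefAliases` setting from the first hunk. Whether the Active Directory branch gains anything from excluding `aliasObject` depends on that schema defining the class, which I cannot tell from here; if the intent is belt and braces on both branches, `(!(|(objectClass=alias)(objectClass=aliasObject)))` covers both spellings without changing the positive match. Both literals keep the `{0}` placeholder, which is only safe if the call that consumes `searchString` passes the username through JNDI's filter arguments rather than substituting it into the string; that call is outside the hunk, so please confirm it on the new side.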