
Add Flag to enable searching of LDAP groups on subtrees #8393

@bberto

Description


Summary

It is not possible to get authorities by searching LDAP groups in subtrees of the provided groupSearchBase. IMHO this is a common use case.

Actual Behavior

LdapAuthenticationProviderConfigurer doesn't provide any way to configure DefaultLdapAuthoritiesPopulator.setSearchSubtree.

After construction, no postProcess() is applied to DefaultLdapAuthoritiesPopulator, so it cannot be post-processed.

The only way I found is to define a custom LdapAuthoritiesPopulator just to set this flag. ContextSource is required by the constructor, so it has to be defined upfront, making the configurer almost useless in this use case.

  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.ldap.core.ContextSource;
  import org.springframework.ldap.core.support.BaseLdapPathContextSource;
  import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

  // Subclass whose only purpose is to turn on the subtree flag that the configurer does not expose.
  public class SubtreeLdapAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
    public SubtreeLdapAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
      super(contextSource, groupSearchBase);
      this.setSearchSubtree(true);
    }
  }

  // The ContextSource has to exist as a bean already, because the populator needs it in its constructor.
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth, BaseLdapPathContextSource ctx)
      throws Exception {
    SubtreeLdapAuthoritiesPopulator ldapAuthoritiesPopulator =
        new SubtreeLdapAuthoritiesPopulator(ctx, "OU=Roles");
    ldapAuthoritiesPopulator.setGroupSearchFilter("(member={0})");

    auth.ldapAuthentication()
        .userSearchFilter("(sAMAccountName={0})")
        .userSearchBase("OU=Users")
        .ldapAuthoritiesPopulator(ldapAuthoritiesPopulator)
        .contextSource(ctx);
  }

Expected Behavior

A method groupSearchSubtree(boolean) should be available in order to configure the flag. Also, performing post-processing could be useful for further customizations.

  // Desired configuration: everything stays inside the configurer, no custom populator or upfront ContextSource.
  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.ldapAuthentication()
        .userSearchFilter("(sAMAccountName={0})")
        .userSearchBase("OU=Users")
        .groupSearchFilter("(member={0})")
        .groupSearchBase("OU=Roles")
        .groupSearchSubtree(true)                       // <---- MISSING
        .contextSource()
        .url("ldap://corporate.ldap/DC=organization,DC=com")
        .port(389);
  }

Configuration

Version

Tested on Spring Security 5.2.1. Seems unchanged on the master branch.

Sample

Provided inline
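To make the effect of the missing flag concrete, here is an added Python model of the populator's group search (not Spring Security code and not from the issue): a constructed directory with one group directly under OU=Roles and one in a nested OU, resolved once with one-level scope (the populator's default) and once with subtree scope. The search base is written as a full DN, and the role naming follows the populator's defaults (cn attribute, ROLE_ prefix, upper case); DN parsing is simplified and does not handle escaping.

```python
from typing import Dict, List

# Constructed sample directory: group DN -> member DNs. One group sits directly under
# OU=Roles, one sits in a nested OU below it, and one lives outside the base entirely.
DIRECTORY: Dict[str, List[str]] = {
    "CN=Users,OU=Roles,DC=organization,DC=com":
        ["CN=alice,OU=Users,DC=organization,DC=com"],
    "CN=Admins,OU=Finance,OU=Roles,DC=organization,DC=com":
        ["CN=alice,OU=Users,DC=organization,DC=com"],
    "CN=Audit,OU=Other,DC=organization,DC=com":
        ["CN=alice,OU=Users,DC=organization,DC=com"],
}

def rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, most specific first (simplified: no escaping)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(entry_dn: str, base_dn: str, search_subtree: bool) -> bool:
    """Does a search rooted at base_dn return entry_dn?

    One-level scope (the populator default) only sees entries exactly one RDN below the
    base; subtree scope sees any depth. The base entry itself is never a group hit here.
    """
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return search_subtree or depth == 1

def group_authorities(user_dn: str, base_dn: str, search_subtree: bool,
                      role_prefix: str = "ROLE_", upper: bool = True) -> List[str]:
    """Model of DefaultLdapAuthoritiesPopulator: filter (member={0}) with {0} = user DN,
    authority name taken from the group's cn, prefixed and upper-cased by default."""
    roles = set()
    for group_dn, members in DIRECTORY.items():
        if not in_scope(group_dn, base_dn, search_subtree):
            continue
        if user_dn.lower() not in [m.lower() for m in members]:
            continue
        cn = rdns(group_dn)[0].split("=", 1)[1]
        roles.add(role_prefix + (cn.upper() if upper else cn))
    return sorted(roles)

if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=organization,DC=com"
    base = "OU=Roles,DC=organization,DC=com"
    print("one-level:", group_authorities(alice, base, False))
    print("subtree:  ", group_authorities(alice, base, True))
```

With the default one-level scope the nested Admins group is silently dropped, so the user authenticates but lacks an authority that the directory actually grants.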
