
The DefaultLdapAuthoritiesPopulator sets a search scope of "ONE_LEVEL", but I need to search "SUBSCOPE" to get the list of groups a user is a member of.

I've been following the "configuration" style Spring setup (code, not XML). While there's tons of examples of how to configure a custom LdapAuthoritiesPopulator in XML, I'm kind of stuck on how to do it in code.

Here's what I have so far:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Builder-style LDAP setup: the populator behind groupSearchBase/groupSearchFilter
    // is a DefaultLdapAuthoritiesPopulator created internally by the configurer.
    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .contextSource().url("ldap://ldap.company.org/")
            .and()
                .userSearchBase("o=company.org,c=us")
                .userSearchFilter("(uid={0})")
                .groupSearchBase("o=company.org,c=us")
                .groupSearchFilter("(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin().and().authorizeRequests()
            .antMatchers("/api/**").authenticated()
            .anyRequest().permitAll();
    }
}

What's missing is that I need to be able to set the search scope on the DefaultLdapAuthoritiesPopulator. The class itself exposes a "setSearchSubtree" method, but the LdapAuthenticationProviderConfigurer does not provide a way of configuring it.

Any suggestions?

Jarrod Carlson

2 Answers

The solution is to set this property on the LdapAuthoritiesPopulator and pass it to the LdapAuthenticationProvider.

Refer Example 1 in : https://www.programcreek.com/java-api-examples/?api=org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator

import org.springframework.context.annotation.Bean;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

@Bean
public LdapAuthoritiesPopulator authoritiesPopulator() {
    // contextSource() and groupSearchBase are assumed to be defined elsewhere
    // in the same configuration class (a ContextSource bean and a String field).
    DefaultLdapAuthoritiesPopulator populator = new DefaultLdapAuthoritiesPopulator(
            contextSource(),
            groupSearchBase);

    populator.setGroupSearchFilter("(uniqueMember={0})");
    populator.setGroupRoleAttribute("cn");
    populator.setSearchSubtree(true);   // the setting the OP is after: SUBTREE instead of ONE_LEVEL
    populator.setRolePrefix("");

    return populator;
}
sathesh
The example is not complete, as the OP uses the builder variant for configuration, which does not allow access to `contextSource()`. – Matthias B Apr 07 '20 at 10:22
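The missing piece the comment points at is how to get a ContextSource the builder will share with a custom populator. The following is an added example, not code from the question or either answer: it declares the DefaultSpringSecurityContextSource as its own bean, builds a DefaultLdapAuthoritiesPopulator on top of it with setSearchSubtree(true), and hands both to the builder through its contextSource(BaseLdapPathContextSource) and ldapAuthoritiesPopulator(LdapAuthoritiesPopulator) setters. It assumes a Spring Security version that still has WebSecurityConfigurerAdapter (4.x/5.x) and the same directory layout the question uses (ldap://ldap.company.org/, base o=company.org,c=us, uid and groupOfUniqueNames entries); the bind credentials are a placeholder to be filled in only if the directory refuses anonymous searches.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Values taken from the question; replace with your own directory.
    private static final String LDAP_URL = "ldap://ldap.company.org/";
    private static final String SEARCH_BASE = "o=company.org,c=us";

    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        // One context source, owned by the Spring context so it is initialised
        // (afterPropertiesSet) and shared by the bind authenticator and the populator.
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(LDAP_URL);
        // Assumed: only needed when the directory does not allow anonymous search.
        // cs.setUserDn("cn=readonly,o=company.org,c=us");
        // cs.setPassword("...");
        return cs;
    }

    @Bean
    public LdapAuthoritiesPopulator authoritiesPopulator() {
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource(), SEARCH_BASE);
        // {0} is substituted with the authenticated user's full DN, {1} with the username.
        populator.setGroupSearchFilter("(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))");
        populator.setGroupRoleAttribute("cn");
        // This is the switch the builder does not expose: search the whole subtree
        // below SEARCH_BASE instead of the default ONE_LEVEL.
        populator.setSearchSubtree(true);
        // Default role prefix "ROLE_" is kept, so hasRole("ADMINS") matches cn=admins.
        populator.setConvertToUpperCase(true);
        return populator;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .contextSource(contextSource())          // reuse the bean instead of .contextSource().url(...)
            .userSearchBase(SEARCH_BASE)
            .userSearchFilter("(uid={0})")
            .ldapAuthoritiesPopulator(authoritiesPopulator());   // replaces the configurer's internal populator
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin().and().authorizeRequests()
            .antMatchers("/api/**").authenticated()
            .anyRequest().permitAll();
    }
}
```

Two practical notes. Once ldapAuthoritiesPopulator(...) is set, the builder's own groupSearchBase/groupSearchFilter/groupRoleAttribute calls are no longer what drives group lookup, so put all group settings on the populator. A subtree search evaluates the filter against every entry under the base, so keep the objectClass clause in the filter and choose the narrowest base that still contains all the groups; otherwise a large directory turns each login into an expensive scan.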

You need to add something like:

import javax.naming.directory.SearchControls;

// SUBTREE_SCOPE searches the base entry and everything beneath it.
final SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);

before you begin your search. Why it is called a "control" is beyond me (an LDAP guy), but that is what Spring does.

-jim

jwilleke
I am having the same problem as OP but your answer does not help. How are we supposed to pass that SearchControl all the way down through those configuration builders? – Saita Mar 28 '17 at 20:23