6

I am trying to get a Pentaho-BI server which uses spring security to support nested LDAP roles. My group structure is as follows:

  • PentahoAdmins (group)
    • Members: Domain Admins
  • Domain Admins (group)
    • Members: User1
  • User1 (user)

I would like to verify that User1 is part of the PentahoAdmins group, without having to add the user to the group directly. From my research online, it doesn't seem like Spring's DefaultLdapAuthoritiesPopulator supports nested groups. I'm sure it's possible to create a subclass that supports group nesting, but has someone already gone to this trouble and published it in an open source project?

skaffman
bayfieldcoder
  • Out of curiosity, did you ever find a solution to this? I too have this same issue, and am in need of a solution. – cdeszaq Sep 21 '11 at 16:52
  • I did not. I figured I would have to write my own, but I didn't end up using Pentaho in production, so I didn't have to address this issue. – bayfieldcoder Sep 21 '11 at 17:22
  • Thanks for the response. Since it seems that there are none that exist, I will work on putting my own together, and will post back here once that is complete. – cdeszaq Sep 21 '11 at 18:15
  • FYI This issue has been raised in the [Spring Security JIRA](https://jira.springsource.org/browse/SEC-1823) – GaZ Jan 05 '12 at 13:44
  • There is now a NestedLdapAuthoritiesPopulator out there. It looks like it should help to solve this problem. – Kimball Robinson Dec 16 '16 at 18:19

2 Answers

8

Configure the LDAP authorities populator as below and it will work with nested groups:

```xml
<bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <constructor-arg ref="ldapContextSource" />
    <constructor-arg value="OU=Resource,OU=Security Groups,OU=Administrative Area" /> <!-- group search base -->
    <property name="groupRoleAttribute" value="cn" /> <!-- cn is default, but setting it anyway so it's clear -->
    <property name="rolePrefix" value="" /> <!-- reset prefix, default is ROLE_ -->
    <property name="convertToUpperCase" value="false"/>
    <property name="searchSubtree" value="true" /> <!-- deep search -->
    <property name="groupSearchFilter" value="(&amp;(&amp;(objectClass=group)(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=company,DC=local))(&amp;(cn=RG-TRADE*)(member:1.2.840.113556.1.4.1941:={0})))" />
</bean>
```

The groupSearchFilter value means:

objectClass=[group object class] AND objectCategory=[group object category] AND cn_name_of_group=RG-TRADE* AND member:here_magic_for_nested_groups=[user full dn]
j0k
Mac
2

I found this article in regards to Microsoft's Active Directory. A search for LDAP_MATCHING_RULE_IN_CHAIN or the link above will present more information on the topic. The idea is that you can add a group search filter for the parent group and the uid of the user in your Spring Security config:

```
(&(uid={0})(memberof:1.2.840.113556.1.4.1941:=CN=parentGroup,DC=mycompany,DC=com))
```

=~ This user is {0} and is in a group that is a member of our parent group.

I tested this with Spring LDAP using a read-only context to search MS Active Directory but I have not confirmed this with group-search-filter in Spring Security, yet. I hope this helps.

Mark Hall
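The following is an added example, written for this page and not code from the question, either answer, Spring Security or Pentaho. It pulls together the three things discussed above: the client-side recursion a nested authorities populator (the subclass the question asks about) has to perform when the server cannot do it, the group-side `member:1.2.840.113556.1.4.1941:={0}` filter from the first answer, and the user-side `memberof:1.2.840.113556.1.4.1941:=` filter from the second. The directory, the DNs and the cycle in it are constructed to mirror the question (User1 is in Domain Admins, which is in PentahoAdmins); the group-side filter is a simplified form of the first answer's (the `objectCategory` clause is dropped). Spring's populator substitutes `{0}` through JNDI, which escapes the DN for you; the RFC 4515 escaping here is what you need when a filter is assembled by hand.

```python
"""Nested LDAP group resolution, two ways: a client-side transitive walk with
cycle and depth guards, and AD LDAP_MATCHING_RULE_IN_CHAIN filters built with
RFC 4515 escaping. Example code; the directory below is constructed."""

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN OID

# Constructed directory: group DN -> member DNs (what AD's 'member' attribute holds).
# The PentahoAdmins entry inside Domain Admins is a deliberate cycle to exercise the guard.
DIRECTORY = {
    "CN=PentahoAdmins,OU=Groups,DC=company,DC=local": [
        "CN=Domain Admins,OU=Groups,DC=company,DC=local",
    ],
    "CN=Domain Admins,OU=Groups,DC=company,DC=local": [
        "CN=User1,OU=Users,DC=company,DC=local",
        "CN=PentahoAdmins,OU=Groups,DC=company,DC=local",
    ],
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_side_filter(user_dn: str, group_cn_prefix: str = "RG-TRADE") -> str:
    """First answer's approach: find groups that transitively contain user_dn (Spring's {0})."""
    return "(&(objectClass=group)(cn=%s*)(member:%s:=%s))" % (
        escape_filter_value(group_cn_prefix),
        MATCHING_RULE_IN_CHAIN,
        escape_filter_value(user_dn),
    )


def user_side_filter(uid: str, parent_group_dn: str) -> str:
    """Second answer's approach: match the user whose memberOf chain reaches parent_group_dn."""
    return "(&(uid=%s)(memberof:%s:=%s))" % (
        escape_filter_value(uid),
        MATCHING_RULE_IN_CHAIN,
        escape_filter_value(parent_group_dn),
    )


def direct_groups(directory: dict, member_dn: str) -> list:
    """Groups listing member_dn directly; one LDAP search per call in a real populator."""
    return [group for group, members in directory.items() if member_dn in members]


def resolve_nested_groups(directory: dict, user_dn: str, max_depth: int = 10) -> set:
    """Client-side transitive closure of membership, what a nested populator does when
    the server lacks the chain matching rule. 'seen' stops cycles; max_depth bounds
    the number of round trips against a pathological directory."""
    seen = set()
    frontier = [user_dn]
    depth = 0
    while frontier and depth < max_depth:
        next_frontier = []
        for dn in frontier:
            for group in direct_groups(directory, dn):
                if group not in seen:
                    seen.add(group)
                    next_frontier.append(group)
        frontier = next_frontier
        depth += 1
    return seen


def group_cns(group_dns) -> list:
    """Role names as groupRoleAttribute='cn' with an empty rolePrefix would produce them."""
    return sorted(dn.split(",", 1)[0].split("=", 1)[1] for dn in group_dns)


if __name__ == "__main__":
    user = "CN=User1,OU=Users,DC=company,DC=local"
    print(group_cns(resolve_nested_groups(DIRECTORY, user)))
    print(group_side_filter(user))
    print(user_side_filter("user1", "CN=parentGroup,DC=mycompany,DC=com"))
```

Running it shows User1 resolving to both `Domain Admins` and `PentahoAdmins` without ever being a direct member of the latter, which is exactly the check the question wants; the same walk on a server with LDAP_MATCHING_RULE_IN_CHAIN collapses into the single filtered search the answers configure.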