All geek questions in one place

Is there a Spring Security function DefaultLdapAuthoritiesPopulator that supports nested groups?

I am trying to get a Pentaho-BI server that uses spring to support nested LDAP roles. My group structure is as follows:

  • PentahoAdmins (group)
    • Members: Domain Admins
  • Domain Admins (group)
    • Members: User1
  • User1 (user)

I would like to verify that User1 is part of the PentahoAdmins group, without the need to directly add the user to the group. From my research on the web, this is not like spring. DefaultLdapAuthoritiesPopulator supports nested groups. I'm sure it is possible to create a subclass that supports group embedding, but has someone already gone into this problem and published it in an open source project?

+4
source share
2 answers

I found this article regarding Microsoft Active Directory. Searching LDAP_MATCHING_RULE_IN_CHAIN ​​or the link above will provide additional information on this topic. The idea is that you can add a group search filter for the parent group and user uid in Spring Security Configuration:

(&(uid={0})(memberof:1.2.840.113556.1.4.1941:=CN=parentGroup,DC=mycompany,DC=com)) =~ This user is {0} and is in a group that is a member of our parent group.

I tested this using Spring LDAP, using a read context to search for MS Active Directory, but I have not yet confirmed this using the group search filter in Spring Security. Hope this helps.

+1
source

Configure the LDAP mail authority regulator as shown below and it will work with nested groups:

 <bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"> <constructor-arg ref="ldapContextSource" /> <constructor-arg value="OU=Resource,OU=Security Groups,OU=Administrative Area" /> <!-- group search base --> <property name="groupRoleAttribute" value="cn" /> <!-- cn is default, but setting it anyway so it clear --> <property name="rolePrefix" value="" /> <!-- reset prefix, default is ROLE_ --> <property name="convertToUpperCase" value="false"/> <property name="searchSubtree" value="true" /> <!-- deep search --> <property name="groupSearchFilter" value="(&amp;(&amp;(objectClass=group)(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=company,DC=local))(&amp;(cn=RG-TRADE*)(member:1.2.840.113556.1.4.1941:={0})))" /> </bean>

The value of groupSearchFilter means:

 objectClass=[group object class] AND objectCategory=[group object category] AND cn_name_of_group=RG-TRADE* AND member:here_magic_for_nested_groups=[user full dn]
+5
source

Source: https://habr.com/ru/post/1341928/

More articles:


All Articles