Add Flag to enable searching of LDAP groups on subtrees #8393

Closed
bberto opened this issue Apr 15, 2020 · 3 comments
Assignees: rwinch
Labels: in: config (An issue in spring-security-config), status: duplicate (A duplicate of another issue), type: enhancement (A general enhancement)

Comments

@bberto (Contributor)
bberto commented Apr 15, 2020

Summary

It is not possible to get authorities by searching LDAP groups in a subtree of the provided groupSearchBase. IMHO this is a common use case.

Actual Behavior

LdapAuthenticationProviderConfigurer doesn't provide any way to configure DefaultLdapAuthoritiesPopulator.setSearchSubtree.

After construction, no postProcess() is applied to DefaultLdapAuthoritiesPopulator, so it cannot be postProcessed.

The only way I found is to define a custom LdapAuthoritiesPopulator just to set this flag. ContextSource is required by the constructor, so it has to be defined upfront, making the configurer almost useless in this use case.

  import org.springframework.beans.factory.annotation.Autowired;
  import org.springframework.ldap.core.ContextSource;
  import org.springframework.ldap.core.support.BaseLdapPathContextSource;
  import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
  import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

  // Subclass whose only purpose is to flip searchSubtree, which the configurer does not expose.
  public class SubtreeLdapAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
    public SubtreeLdapAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
      super(contextSource, groupSearchBase);
      // SUBTREE_SCOPE instead of the default ONELEVEL_SCOPE for the group search
      this.setSearchSubtree(true);
    }
  }

  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth, BaseLdapPathContextSource ctx)
      throws Exception {
    // The populator needs the ContextSource at construction time, so it must already exist as a bean.
    SubtreeLdapAuthoritiesPopulator ldapAuthoritiesPopulator =
        new SubtreeLdapAuthoritiesPopulator(ctx, "OU=Roles");
    // {0} is substituted with the authenticated user's full DN
    ldapAuthoritiesPopulator.setGroupSearchFilter("(member={0})");

    auth.ldapAuthentication()
        .userSearchFilter("(sAMAccountName={0})")
        .userSearchBase("OU=Users")
        .ldapAuthoritiesPopulator(ldapAuthoritiesPopulator)
        .contextSource(ctx);
  }

Expected Behavior

A method groupSearchSubtree(boolean) should be available in order to configure the flag. Also, performing post-processing could be useful for further customizations.

  @Autowired
  public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.ldapAuthentication()
        .userSearchFilter("(sAMAccountName={0})")
        .userSearchBase("OU=Users")
        .groupSearchFilter("(member={0})")
        .groupSearchBase("OU=Roles")
        .groupSearchSubtree(true)                       <---- MISSING
        .contextSource()
        .url("ldap://corporate.ldap/DC=organization,DC=com")
        .port(389);
  }

Configuration

Version

Tested on Spring Security 5.2.1. Seems unchanged on the master branch.

Sample

Provided inline
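Added example, not part of the issue and not Spring Security code: a small Python model of what the searchSubtree flag changes in DefaultLdapAuthoritiesPopulator. The populator runs the group search filter under the group search base with JNDI ONELEVEL_SCOPE by default and SUBTREE_SCOPE when the flag is set, and turns each matching group's cn into ROLE_<CN upper-cased>. The directory below is constructed (jdoe, asmith, Developers, LdapAdmins and OU=Admin are hypothetical names); it has one group directly under OU=Roles and one in a sub-OU, so the two scopes give different results for the same user.

```python
"""Model of DefaultLdapAuthoritiesPopulator's group search with searchSubtree
false (ONELEVEL_SCOPE) versus true (SUBTREE_SCOPE). Added example, not Spring code."""

import re

# Base DN of the context source, as in the issue's ldap://corporate.ldap/DC=organization,DC=com
CONTEXT_BASE_DN = "DC=organization,DC=com"

# Constructed sample directory (DN -> attributes); entry names are hypothetical.
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=organization,DC=com": {"sAMAccountName": ["jdoe"]},
    "CN=asmith,OU=Users,DC=organization,DC=com": {"sAMAccountName": ["asmith"]},
    # Group directly under OU=Roles: found by both ONELEVEL and SUBTREE searches.
    "CN=Developers,OU=Roles,DC=organization,DC=com": {
        "cn": ["Developers"],
        "member": [
            "CN=jdoe,OU=Users,DC=organization,DC=com",
            "CN=asmith,OU=Users,DC=organization,DC=com",
        ],
    },
    # Group inside a sub-OU of OU=Roles: only a SUBTREE search reaches it.
    "CN=LdapAdmins,OU=Admin,OU=Roles,DC=organization,DC=com": {
        "cn": ["LdapAdmins"],
        "member": ["CN=jdoe,OU=Users,DC=organization,DC=com"],
    },
}


def normalize_dn(dn):
    """Split a DN into lower-cased RDNs for comparison (assumes no escaped commas)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def in_scope(entry_dn, base_dn, subtree):
    """JNDI scope semantics: ONELEVEL matches only direct children of the base;
    SUBTREE matches the base entry itself and everything beneath it."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return depth >= 0 if subtree else depth == 1


_FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z0-9.;-]+)=(?P<value>[^)]*)\)$")


def matches_filter(attrs, filter_template, user_dn, username):
    """Evaluate a single equality filter such as (member={0}); as in the populator,
    {0} is the user's full DN and {1} the login name. Compound filters are not modelled."""
    m = _FILTER_RE.match(filter_template.format(user_dn, username))
    if not m:
        raise ValueError("unsupported filter: " + filter_template)
    attr, wanted = m.group("attr").lower(), m.group("value")
    for name, values in attrs.items():
        if name.lower() != attr:
            continue
        if attr == "member":  # DN-valued: compare as DNs, not as raw strings
            return any(normalize_dn(v) == normalize_dn(wanted) for v in values)
        return any(v.lower() == wanted.lower() for v in values)
    return False


def get_granted_authorities(user_dn, username, group_search_base, group_search_filter,
                            search_subtree, group_role_attribute="cn",
                            role_prefix="ROLE_", convert_to_upper_case=True):
    """Authorities the populator would derive: one role per matching group, named
    <rolePrefix><groupRoleAttribute value>, upper-cased by default. The group search
    base is relative to the context source base DN, as in Spring."""
    base_dn = group_search_base + "," + CONTEXT_BASE_DN if group_search_base else CONTEXT_BASE_DN
    roles = set()
    for dn, attrs in DIRECTORY.items():
        if not in_scope(dn, base_dn, search_subtree):
            continue
        if not matches_filter(attrs, group_search_filter, user_dn, username):
            continue
        for value in attrs.get(group_role_attribute, []):
            roles.add(role_prefix + (value.upper() if convert_to_upper_case else value))
    return sorted(roles)


if __name__ == "__main__":
    jdoe = "CN=jdoe,OU=Users,DC=organization,DC=com"
    for subtree in (False, True):
        print("searchSubtree=%s -> %s" % (
            subtree, get_granted_authorities(jdoe, "jdoe", "OU=Roles", "(member={0})", subtree)))
```

With the default one-level scope, jdoe's membership in the nested LdapAdmins group is simply not seen: the user still authenticates, but the populator returns no authority for it and no error is raised, so the misconfiguration fails closed (access denied) rather than granting anything extra. Enabling the subtree search widens the scope to everything under the group search base, so that base should contain only entries that are meant to become roles.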

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Apr 15, 2020
@rwinch (Member)
rwinch commented Apr 15, 2020

Thanks for the report @bberto! Would you be interested in submitting two separate pull requests? The first would be adding boolean groupSearchSubtree and the second would ensure that DefaultLdapAuthoritiesPopulator is post processed?

@rwinch rwinch added in: config An issue in spring-security-config type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 15, 2020
@bberto (Contributor, Author)
bberto commented Apr 16, 2020

First PR submitted. It is my first one here, please feel free to provide any feedback.

@rwinch rwinch added this to the 5.4.0.M1 milestone Apr 17, 2020
@rwinch rwinch changed the title LdapAuthenticationProviderConfigurer search on subtree Add Flag to enable searching of LDAP groups on subtrees Apr 17, 2020
@rwinch rwinch removed this from the 5.4.0.M1 milestone Apr 17, 2020
@rwinch rwinch added the status: duplicate A duplicate of another issue label Apr 17, 2020
@rwinch rwinch self-assigned this Apr 17, 2020
@rwinch (Member)
rwinch commented Apr 17, 2020

Closing in favor of gh-8400

@rwinch rwinch closed this as completed Apr 17, 2020