开发者

Is there a Spring Security DefaultLdapAuthoritiesPopulator implementation that supports nested groups?

I am trying to get a Pentaho-BI server which uses spring security to support nested LDAP roles. My group structure is as follows:

  • PentahoAdmins (group)
    • Members: Domain Admins
  • Domain Admins (group)
    • Members: User1
  • User1 (user)

I would like to verify that User1 is part of the PentahoAdmins group, without having to add the user to the group directly. From my research online, it doesn't seem like 开发者_如何学JAVASpring's DefaultLdapAuthoritiesPopulator supports nested groups. I'm sure it's possible to create a subclass that supports group nesting, but has someone already gone to this trouble and published it in an open source project?


Configure the LDAP authorities populator as below and it will work with nested groups:

<bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <constructor-arg ref="ldapContextSource" />
    <constructor-arg value="OU=Resource,OU=Security Groups,OU=Administrative Area" /> <!-- group search base -->
    <property name="groupRoleAttribute" value="cn" /> <!-- cn is default, but setting it anyway so it's clear -->
    <property name="rolePrefix" value="" /> <!-- reset prefix, default is ROLE_ -->
    <property name="convertToUpperCase" value="false"/>
    <property name="searchSubtree" value="true" /> <!-- deep search -->
    <property name="groupSearchFilter" value="(&amp;(&amp;(objectClass=group)(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=company,DC=local))(&amp;(cn=RG-TRADE*)(member:1.2.840.113556.1.4.1941:={0})))" />
</bean>

The groupSearchFilter value means:

objectClass=[group object class] AND objectCategory=[group object category] AND cn_name_of_group=RG-TRADE* AND member:here_magic_for_nested_groups=[user full dn]


I found this article in regards to Microsoft's Active Directory. A search for LDAP_MATCHING_RULE_IN_CHAIN or the link above will present more information on the topic. The idea is that you can add a group search filter for the parent group and the uid of the user in your Spring Security config:

(&(uid={0})(memberof:1.2.840.113556.1.4.1941:=CN=parentGroup,DC=mycompany,DC=com))

=~ This user is {0} and is in a group that is a member of our parent group.

I tested this with Spring LDAP using a read-only context to search MS Active Directory but I have not confirmed this with group-search-filter in Spring Security, yet. I hope this helps.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜