Jarrod Carlson

Reputation: 2065

Customize LdapAuthoritiesPopulator in configuration

The DefaultLdapAuthoritiesPopulator sets a search scope of "ONE_LEVEL", but I need to search "SUBSCOPE" to get the list of groups a user is a member of.

I've been following the "configuration" style Spring setup (code, not XML). While there are tons of examples of how to configure a custom LdapAuthoritiesPopulator in XML, I'm kind of stuck on how to do it in code.

Here's what I have so far:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Bind-based LDAP authentication; group lookup uses the default
        // DefaultLdapAuthoritiesPopulator, which searches only ONE_LEVEL below groupSearchBase.
        auth.ldapAuthentication()
            .contextSource().url("ldap://ldap.company.org/")
            .and()
                .userSearchBase("o=company.org,c=us")
                .userSearchFilter("(uid={0})")
                .groupSearchBase("o=company.org,c=us")
                .groupSearchFilter("(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin().and().authorizeRequests()
            .antMatchers("/api/**").authenticated()
            .anyRequest().permitAll();
    }
}

What's missing is that I need to be able to set the search scope on the DefaultLdapAuthoritiesPopulator. The class itself exposes a "setSearchSubtree" method, but the LdapAuthenticationProviderConfigurer does not provide a way of configuring it.

Any suggestions?

Upvotes: 5

Views: 3435

Answers (2)

sathesh

Reputation: 41

The solution is to set this property on the LdapAuthoritiesPopulator and pass it to the LdapAuthenticationProvider.

Refer to Example 1 in: https://www.programcreek.com/java-api-examples/?api=org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator

// Assumed: contextSource() is a @Bean method on the same configuration class
// and groupSearchBase is a field holding the group search base DN.
import org.springframework.context.annotation.Bean;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

@Bean
public LdapAuthoritiesPopulator authoritiesPopulator() {
    DefaultLdapAuthoritiesPopulator populator = new DefaultLdapAuthoritiesPopulator(
            contextSource(),
            groupSearchBase);

    populator.setGroupSearchFilter("(uniqueMember={0})");
    populator.setGroupRoleAttribute("cn");
    // Search the whole subtree under groupSearchBase instead of only one level.
    populator.setSearchSubtree(true);
    populator.setRolePrefix("");

    return populator;
}

Upvotes: 4
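Putting the answer together with the question's setup, as an added example (not code from the question or either answer): the populator is built with subtree search enabled and handed to an explicitly constructed LdapAuthenticationProvider, which is then registered on the AuthenticationManagerBuilder. The URL, base DN and filters are the question's; the anonymous bind and the BindAuthenticator/FilterBasedLdapUserSearch wiring are assumptions.

```java
// Added example, not from the page. URL and DNs come from the question;
// an anonymous bind is assumed (set userDn/password on the context source otherwise).
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String BASE_DN = "o=company.org,c=us";

    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        // Assumed: the directory allows the user and group searches below
        // without binding; otherwise call setUserDn/setPassword here.
        return new DefaultSpringSecurityContextSource("ldap://ldap.company.org/");
    }

    @Bean
    public LdapAuthoritiesPopulator authoritiesPopulator() {
        DefaultLdapAuthoritiesPopulator populator =
                new DefaultLdapAuthoritiesPopulator(contextSource(), BASE_DN);
        populator.setGroupSearchFilter("(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))");
        populator.setGroupRoleAttribute("cn");
        // The setting the question needs: SUBTREE scope instead of the default
        // ONE_LEVEL, so groups held in OUs below BASE_DN are found as well.
        populator.setSearchSubtree(true);
        return populator;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        BindAuthenticator authenticator = new BindAuthenticator(contextSource());
        authenticator.setUserSearch(new FilterBasedLdapUserSearch(BASE_DN, "(uid={0})", contextSource()));
        // Hand the customised populator to the provider directly, bypassing the configurer.
        auth.authenticationProvider(new LdapAuthenticationProvider(authenticator, authoritiesPopulator()));
    }
    // configure(HttpSecurity) stays exactly as in the question.
}
```

Because a subtree search walks every entry under BASE_DN, keep the group filter as specific as the question's objectClass clause so the query stays cheap and only real group entries become authorities.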

jwilleke

Reputation: 10986

You need to add something like:

import javax.naming.directory.SearchControls;

// Request a subtree search rather than the default one-level search.
final SearchControls searchControls = new SearchControls();
searchControls.setSearchScope(SearchControls.SUBTREE_SCOPE);

before you begin your search. Why it is called a "control" is beyond me (an LDAP guy), but that is what Spring does.

-jim

Upvotes: 0
