Issue with LDAP External Roles

I am seeing an LDAP issue in JRS 5.5.

LDAP (Active Directory) authentication is configured and working as expected.

LDAP external roles mapping is configured and (mostly) working as expected.
 
Here is the relevant config on that:
 
   <bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
        <constructor-arg>
            <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg><ref local="ldapContextSource"/></constructor-arg>
                <property name="userSearch" ref="userSearch"/>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
                <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
                <constructor-arg index="1"><value>OU=Internal</value></constructor-arg>
                <property name="groupRoleAttribute" value="cn"/>
                <property name="groupSearchFilter" value="(&amp;(objectClass=group)(member={0})(|(cn=ABC-*)(CN=XYZ-*)))"/>
                <property name="searchSubtree" value="true"/>
                <!-- Can setup additional external default roles here  <property name="defaultRole" value="LDAP"/> -->
                <property name="defaultRole" value="ROLE_LDAPUSER"/>
            </bean>
        </constructor-arg>
    </bean>
 
 
The problem is this:
 
The ABC-* groups are in a different OU than the XYZ-* groups.
 
So for the config shown above, only the ABC groups get mapped, since "Internal" is the OU the ABC groups live in.
 
If I change this:
 
 <constructor-arg index="1"><value>OU=Internal</value></constructor-arg>
 
to this:
 
 <constructor-arg index="1"><value>OU=Foo</value></constructor-arg>
 
...then only the XYZ groups get mapped, since "Foo" is the OU the XYZ groups live in.
 
 
If I change this:
 
 <constructor-arg index="1"><value>OU=Internal</value></constructor-arg>
 
to this:
 
 <constructor-arg index="1"><value></value></constructor-arg>
 
...thus, searching the entire base DN, then login fails for all users.
 
(I have confirmed by using ldapsearch in the CLI that all groups can be searched from the base DN for this environment.)
 
Any clues on why logins all fail when I do this in Jasper? Any thoughts on how to achieve what I am trying to do? Would any further detail or clarification be helpful to answer these questions?
 
Thanks.
 
rusty.ross (joined Nov 5 2013)

2 Answers:

I think you can have multiple instances of this bean, and just put them one after another. If it doesn't find a match in the first bean, it falls through to the next. It doesn't fail till all beans are tried. If one of the patterns has significantly more matches, obviously best to put it first.

elizam (joined Mar 5 2012)

The reason I don't think that approach will work is that some users are members of both families of groups, and I need to be able to map those users to all the roles for which they are a group member.

rusty.ross (joined Nov 5 2013)
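Since LdapAuthenticationProvider takes a single LdapAuthoritiesPopulator, one way to get the union of roles from both OUs (rather than the first-match fall-through of chained beans) is a small composite populator that delegates to one DefaultLdapAuthoritiesPopulator per group OU and merges what they return. This is an added example, not code from the original post or from JasperReports Server. It assumes the Spring Security 2.0.x API implied by the package names in the posted config (org.springframework.security.ldap.LdapAuthoritiesPopulator returning a GrantedAuthority[]); the class name com.example.ldap.UnionLdapAuthoritiesPopulator and the OU names are placeholders. Keeping each delegate scoped to its own OU, with only the group prefix that lives there, also keeps the search base narrow, so a similarly named group created elsewhere in the directory cannot grant a role.

```java
package com.example.ldap; // placeholder package, not part of JasperReports Server

import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.ldap.LdapAuthoritiesPopulator;

/**
 * Composite LdapAuthoritiesPopulator: runs every delegate populator for the
 * authenticated user and returns the union of the roles they produce.
 *
 * Assumes the Spring Security 2.0.x LdapAuthoritiesPopulator contract
 * (GrantedAuthority[] getGrantedAuthorities(DirContextOperations, String)).
 */
public class UnionLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {

    private final List<LdapAuthoritiesPopulator> delegates;

    public UnionLdapAuthoritiesPopulator(List<LdapAuthoritiesPopulator> delegates) {
        if (delegates == null || delegates.isEmpty()) {
            throw new IllegalArgumentException("at least one delegate populator is required");
        }
        this.delegates = delegates;
    }

    public GrantedAuthority[] getGrantedAuthorities(DirContextOperations userData, String username) {
        // LinkedHashSet keeps first-seen order and drops duplicates, so a role that
        // every delegate adds (e.g. a shared defaultRole such as ROLE_LDAPUSER) appears once.
        // GrantedAuthorityImpl compares by role string, which is what makes the de-dup work.
        Set<GrantedAuthority> merged = new LinkedHashSet<GrantedAuthority>();
        for (LdapAuthoritiesPopulator delegate : delegates) {
            GrantedAuthority[] found = delegate.getGrantedAuthorities(userData, username);
            if (found == null) {
                continue; // a delegate that matched nothing must not break the others
            }
            for (GrantedAuthority authority : found) {
                merged.add(authority);
            }
        }
        return merged.toArray(new GrantedAuthority[merged.size()]);
    }
}

/* Wiring for the second constructor-arg of ldapAuthenticationProvider, replacing the
   single DefaultLdapAuthoritiesPopulator from the posted config (placeholder OUs):

   <constructor-arg>
     <bean class="com.example.ldap.UnionLdapAuthoritiesPopulator">
       <constructor-arg>
         <list>
           <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
             <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
             <constructor-arg index="1"><value>OU=Internal</value></constructor-arg>
             <property name="groupRoleAttribute" value="cn"/>
             <property name="groupSearchFilter" value="(&amp;(objectClass=group)(member={0})(cn=ABC-*))"/>
             <property name="searchSubtree" value="true"/>
             <property name="defaultRole" value="ROLE_LDAPUSER"/>
           </bean>
           <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
             <constructor-arg index="0"><ref local="ldapContextSource"/></constructor-arg>
             <constructor-arg index="1"><value>OU=Foo</value></constructor-arg>
             <property name="groupRoleAttribute" value="cn"/>
             <property name="groupSearchFilter" value="(&amp;(objectClass=group)(member={0})(cn=XYZ-*))"/>
             <property name="searchSubtree" value="true"/>
             <property name="defaultRole" value="ROLE_LDAPUSER"/>
           </bean>
         </list>
       </constructor-arg>
     </bean>
   </constructor-arg>
*/
```

Each delegate keeps only the group prefix that actually lives under its search base, so the (|(cn=ABC-*)(CN=XYZ-*)) disjunction from the original filter is no longer needed. A user who is a member of groups in both OUs gets both sets of roles, plus ROLE_LDAPUSER once. One caveat on the empty-search-base attempt in the question: a subtree search from the root of an Active Directory domain is a well-known trigger of referral errors (PartialResultException) in JNDI-based clients, which ldapsearch does not surface the same way; whether that is what is happening here is not confirmed on this page, which is another reason to keep each delegate scoped to its own OU rather than widening the base.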