Is there a Spring Security DefaultLdapAuthoritiesPopulator implementation that supports nested groups?

I am trying to get a Pentaho-BI server which uses Spring Security to support nested LDAP roles. My group structure is as follows:

  • PentahoAdmins (group)
    • Members: Domain Admins
  • Domain Admins (group)
    • Members: User1
  • User1 (user)

I would like to verify that User1 is part of the PentahoAdmins group, without having to add the user to the group directly. From my research online, it doesn't seem like Spring's DefaultLdapAuthoritiesPopulator supports nested groups. I'm sure it's possible to create a subclass that supports group nesting, but has someone already gone to this trouble and published it in an open source project?

bayfieldcoder asked Mar 02 '11 05:03


1 Answer

Configure the LDAP authorities populator as below and it will work with nested groups:

<bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <constructor-arg ref="ldapContextSource" />
    <constructor-arg value="OU=Resource,OU=Security Groups,OU=Administrative Area" /> <!-- group search base -->
    <property name="groupRoleAttribute" value="cn" /> <!-- cn is default, but setting it anyway so it's clear -->
    <property name="rolePrefix" value="" /> <!-- reset prefix, default is ROLE_ -->
    <property name="convertToUpperCase" value="false"/>
    <property name="searchSubtree" value="true" /> <!-- deep search -->
    <property name="groupSearchFilter" value="(&amp;(&amp;(objectClass=group)(objectCategory=CN=Group,CN=Schema,CN=Configuration,DC=company,DC=local))(&amp;(cn=RG-TRADE*)(member:1.2.840.113556.1.4.1941:={0})))" />
</bean>

The groupSearchFilter value means:

objectClass=[group object class] AND objectCategory=[group object category] AND cn_name_of_group=RG-TRADE* AND member:here_magic_for_nested_groups=[user full dn]
Mac answered Sep 24 '22 11:09
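As an added illustration (not part of the question or the answer above), the following Python simulates what the `member:1.2.840.113556.1.4.1941:={0}` clause of that groupSearchFilter evaluates to, compared with a plain `(member={0})` filter, against a constructed in-memory directory that mirrors the nesting from the question (User1 in Domain Admins, Domain Admins in PentahoAdmins). The DNs, the `OU=Groups` / `OU=Users` containers and the function names are assumptions; the search base `DC=company,DC=local` is taken from the answer.

```python
from collections import deque
from typing import Dict, Set

# Constructed sample directory (an assumption, not real data): DN -> attributes.
# The nesting is the one from the question: User1 -> Domain Admins -> PentahoAdmins.
BASE = "DC=company,DC=local"
USER1 = f"CN=User1,OU=Users,{BASE}"
DOMAIN_ADMINS = f"CN=Domain Admins,OU=Groups,{BASE}"
PENTAHO_ADMINS = f"CN=PentahoAdmins,OU=Groups,{BASE}"

DIRECTORY: Dict[str, dict] = {
    PENTAHO_ADMINS: {"objectClass": "group", "cn": "PentahoAdmins", "member": [DOMAIN_ADMINS]},
    DOMAIN_ADMINS: {"objectClass": "group", "cn": "Domain Admins", "member": [USER1]},
    USER1: {"objectClass": "user", "cn": "User1", "member": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value that is substituted into a search filter,
    so a DN containing '*', '(' or ')' cannot alter the filter's structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_group_search_filter(user_dn: str, cn_prefix: str = "") -> str:
    """The shape of the answer's groupSearchFilter with {0} filled in (DN escaped)."""
    return (f"(&(objectClass=group)(cn={cn_prefix}*)"
            f"(member:1.2.840.113556.1.4.1941:={escape_filter_value(user_dn)}))")


def direct_groups(user_dn: str) -> Set[str]:
    """What a plain (member={0}) filter returns: only groups listing the DN directly."""
    return {attrs["cn"] for attrs in DIRECTORY.values()
            if attrs["objectClass"] == "group" and user_dn in attrs["member"]}


def groups_in_chain(user_dn: str, cn_prefix: str = "") -> Set[str]:
    """What member:1.2.840.113556.1.4.1941:={0} evaluates to: every group that reaches
    the DN through any chain of member links. 'seen' keeps it safe on cyclic nesting."""
    seen: Set[str] = set()
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group_dn, attrs in DIRECTORY.items():
            if attrs["objectClass"] == "group" and dn in attrs["member"] and group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn)
    return {DIRECTORY[g]["cn"] for g in seen if DIRECTORY[g]["cn"].startswith(cn_prefix)}
```

The OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN and the chain is walked on the server; a directory that does not implement that matching rule will simply not match the clause, and only a client-side walk like groups_in_chain gives the same result there.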