  • Active Directory group search returns no roles

    Hi,

    Using Spring Security 2.0.0 with Spring 2.5.2 with namespace configuration. I was able to authenticate against AD but group search never returns any roles. I think this is probably because our AD is set up such that group memberships are listed with a user in the memberOf attribute, instead of the usual group entry having a bunch of member attributes that specify group number. Using the user.ldif that comes from the sample app as an example, our exported ldif would have something like this:
    Code:
    dn: cn=Jane Doe,ou=people,dc=mycompany,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    sAMAccountName: jdoe
    memberOf: cn=user,ou=groups,dc=mycompany,dc=com
    memberOf: cn=teller,ou=groups,dc=mycompany,dc=com
    ...
    
    dn: cn=user,ou=groups,dc=mycompany,dc=com
    objectClass: top
    objectClass: group
    cn: user
    ...
    The main difference here is the group entry does not have a list of "member=..." entries that specify the members of the group.

    My LDAP authentication is configured as follows:
    Code:
    <ldap-server url="ldap://myserver:389/dc=mycompany,dc=com" manager-dn="domain\manager" manager-password="secret" />
    <ldap-authentication-provider group-search-base="ou=Groups" group-search-filter="(member={0})" group-role-attribute="cn" user-search-base="ou=people" user-search-filter="(sAMAccountName={0})"/>
    <ldap-user-service user-search-base="ou=people" user-search-filter="(sAMAccountName={0})"/>
    Given that the group entry does not have member attributes listing group members, I am not surprised that group search does not return anything. I have been fiddling with the group search parameters of the ldap-authentication-provider, without any luck.

    Any idea how I should configure spring security given such structures in AD?

    Thanks.

    -Feng

  • #2
    Re: Active Directory group search returns no roles

    Some more info, I guess I was mistaken when I said in the previous post that the group entry does not have a list of member=... attributes. It's probably because JxPlorer did not show them. When I did a quick search using JxPlorer with member=cn=FirstName LastName, ou=..., ou=..., dc=mycompany, dc=com, it did come back with all the groups that contain such an entry. So it seems that my original configuration should have worked.

    I am wondering whether I should set the search subtree to true for DefaultLdapAuthoritiesPopulator. I think the default is false, and we have nested groups. It does not seem I can do that with the namespace configuration though.

    Any thoughts?

    -Feng



    • #3
      Solved, for now.

      The problem is that by default the group search only does a one-level search. I have to use conventional bean definition syntax so that I can configure it to do a subtree search. See this thread at http://forum.springframework.org/showthread.php?t=53594.

      Thanks.
