1
votes

spring-boot-starter-security 2.2.4.RELEASE, jdk 11

The org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForMultipleAttributeValues method is used for the group search during the web request authentication. The request passed the authentication. However, no user groups are found.

It uses the search controls with the scope SearchControls.OBJECT_SCOPE. The search controls are prepared by the following method: com.sun.jndi.toolkit.ctx.LdapCtx.c_getAttributes(Name name, String[] attrIds, Continuation cont). As a result, no groups are found. If I use the LDAP template for the search with the same input (group search base, group search filter, group role attribute) but with SearchControls.SUBTREE_SCOPE, all groups are found.

What do I need to change in the org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder configuration to use SearchControls.SUBTREE_SCOPE for the group search?

Thank you!

1
Are you calling SpringSecurityLdapTemplate directly or is it through something like an LdapAuthoritiesPopulator? – jzheaux

Yes. I directly created the template to check what it returns with the same configuration. – senleft

SpringSecurityLdapTemplate uses SUBTREE_SCOPE by default, so I guess I'm not clear on what you are asking. If you are constructing it directly, then you can always call setSearchControls with whatever you need. – jzheaux

1 Answer

0
votes

It was a configuration issue. The original group search base pointed at the root node. This is why the search via the LDAP template with SearchControls.SUBTREE_SCOPE was able to find groups in the child nodes. Not sure why com.sun.jndi.toolkit.ctx.LdapCtx.c_getAttributes uses SearchControls.OBJECT_SCOPE as the default value. Changing the group search base to the specific group node solved the issue.
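The fix described in the answer, written out as an AuthenticationManagerBuilder configuration. This is an added example, not code from the question or the answer; the LDAP URL, the DNs and the service-account credentials are constructed placeholders, and the directory layout (users under ou=people, groups under ou=groups with a member attribute) is assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class LdapSecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed sample values; replace with the real directory and a
    // read-only service account whose password comes from configuration.
    private static final String LDAP_URL = "ldap://ldap.example.com:389/dc=example,dc=com";
    private static final String READER_DN = "cn=svc-reader,ou=service,dc=example,dc=com";
    private static final String READER_PASSWORD = "<from-secure-config>"; // placeholder

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            .contextSource()
                .url(LDAP_URL)
                .managerDn(READER_DN)
                .managerPassword(READER_PASSWORD)
                .and()
            // User lookup, relative to the base DN in the URL (dc=example,dc=com).
            .userSearchBase("ou=people")
            .userSearchFilter("(uid={0})")
            // Group lookup. The search base is also relative to the URL base DN.
            // The original configuration used "" here, i.e. the root node, and
            // the default (non-subtree) search scope never reached the group
            // entries below it, so no authorities were granted. Pointing the
            // base at the node that actually holds the groups is the fix.
            .groupSearchBase("ou=groups")
            // {0} is the authenticated user's full DN, {1} the login name.
            .groupSearchFilter("(member={0})")
            // Each matching group's cn becomes ROLE_<cn>.
            .groupRoleAttribute("cn")
            .rolePrefix("ROLE_");
    }
}
```

If the groups are nested several levels below the base, the alternative is to keep a wider base and supply a DefaultLdapAuthoritiesPopulator configured with setSearchSubtree(true) via ldapAuthoritiesPopulator(...), at the cost of a larger search.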