Summary
It is not possible to get authorities by searching LDAP groups in a subtree of the provided groupSearchBase. IMHO this is a common use case.
Actual Behavior
LdapAuthenticationProviderConfigurer doesn't provide any way to configure DefaultLdapAuthoritiesPopulator.setSearchSubtree.
After construction, no postProcess() is applied to DefaultLdapAuthoritiesPopulator, so it cannot be post-processed.
The only way I found is to define a custom LdapAuthoritiesPopulator just to set this flag. ContextSource is required by the constructor, so it has to be defined upfront, making the configurer almost useless in this use case.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ldap.core.ContextSource;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

// Workaround: subclass only to enable subtree scope for the group search
public class SubtreeLdapAuthoritiesPopulator extends DefaultLdapAuthoritiesPopulator {
    public SubtreeLdapAuthoritiesPopulator(ContextSource contextSource, String groupSearchBase) {
        super(contextSource, groupSearchBase);
        this.setSearchSubtree(true); // search below groupSearchBase, not only its direct children
    }
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth, BaseLdapPathContextSource ctx)
        throws Exception {
    // The ContextSource must already exist as a bean: the populator needs it at construction time
    SubtreeLdapAuthoritiesPopulator ldapAuthoritiesPopulator =
            new SubtreeLdapAuthoritiesPopulator(ctx, "OU=Roles");
    ldapAuthoritiesPopulator.setGroupSearchFilter("(member={0})");
    auth.ldapAuthentication()
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("OU=Users")
            .ldapAuthoritiesPopulator(ldapAuthoritiesPopulator)
            .contextSource(ctx);
}
Expected Behavior
A method groupSearchSubtree(boolean) should be available in order to configure the flag. Also, performing post-processing could be useful for further customizations.
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.ldapAuthentication()
            .userSearchFilter("(sAMAccountName={0})")
            .userSearchBase("OU=Users")
            .groupSearchFilter("(member={0})")
            .groupSearchBase("OU=Roles")
            .groupSearchSubtree(true) // <---- MISSING: no such method on the configurer
            .contextSource()
                    .url("ldap://corporate.ldap/DC=organization,DC=com")
                    .port(389);
}
Configuration
Version
Tested on Spring Security 5.2.1. Seems unchanged on the master branch.
Sample
Provided inline
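The report above hinges on LDAP search scope: by default DefaultLdapAuthoritiesPopulator searches groupSearchBase one level deep, so groups kept in a sub-OU of "OU=Roles" are never found and the user silently ends up with fewer authorities. The following is an added illustration, not code from the issue or from Spring Security: a small in-memory directory (constructed sample entries) with a (member={0}) group search run under both scopes, mapping the hits to ROLE_-prefixed authorities the way the default populator does (cn attribute, upper-cased, "ROLE_" prefix). DN handling is deliberately simplified (no escaped commas; RDNs compared case-insensitively).

```python
"""Illustrate LDAP group-search scope (ONELEVEL vs SUBTREE) and its effect on
the authorities resolved for a user. Added example; the directory below is a
constructed sample, not data from the issue."""

ONELEVEL, SUBTREE = "onelevel", "subtree"


def normalize_dn(dn):
    """Split a DN into RDNs normalised for comparison (simplified RFC 4514:
    escaped commas are not handled)."""
    return tuple(rdn.strip().lower() for rdn in dn.split(","))


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies under base_dn for the given scope.
    The base entry itself is never a hit (matches ONELEVEL/SUBTREE semantics
    as used for group lookups)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False
    return scope == SUBTREE or len(entry) == len(base) + 1


# Constructed sample directory: one OU of groups with a nested Finance sub-OU.
USER_DN = "CN=jdoe,OU=Users,DC=organization,DC=com"
OTHER_DN = "CN=asmith,OU=Users,DC=organization,DC=com"
GROUP_BASE = "OU=Roles,DC=organization,DC=com"
DIRECTORY = {
    "OU=Roles,DC=organization,DC=com": {"objectClass": ["organizationalUnit"]},
    "CN=Admins,OU=Roles,DC=organization,DC=com": {
        "objectClass": ["group"], "cn": ["Admins"], "member": [USER_DN]},
    "CN=Developers,OU=Roles,DC=organization,DC=com": {
        "objectClass": ["group"], "cn": ["Developers"], "member": [OTHER_DN]},
    "OU=Finance,OU=Roles,DC=organization,DC=com": {"objectClass": ["organizationalUnit"]},
    "CN=Auditors,OU=Finance,OU=Roles,DC=organization,DC=com": {
        "objectClass": ["group"], "cn": ["Auditors"], "member": [USER_DN]},
}


def search_groups(directory, base_dn, user_dn, scope):
    """Equivalent of the filter (member={0}) evaluated under base_dn with the
    given scope; {0} is the authenticated user's DN."""
    user = normalize_dn(user_dn)
    return sorted(
        dn for dn, attrs in directory.items()
        if "group" in attrs.get("objectClass", [])
        and any(normalize_dn(m) == user for m in attrs.get("member", []))
        and in_scope(dn, base_dn, scope)
    )


def authorities(directory, base_dn, user_dn, scope, role_prefix="ROLE_"):
    """Map the groups found to authorities the way the default populator does:
    role prefix + the group's cn attribute in upper case."""
    return [role_prefix + directory[dn]["cn"][0].upper()
            for dn in search_groups(directory, base_dn, user_dn, scope)]


if __name__ == "__main__":
    for scope in (ONELEVEL, SUBTREE):
        print(scope, authorities(DIRECTORY, GROUP_BASE, USER_DN, scope))
```

With ONELEVEL the Auditors group under OU=Finance is invisible and jdoe only gets ROLE_ADMINS; with SUBTREE both groups are found. That is the behaviour setSearchSubtree(true) enables, and why the flag needs to be reachable from the configurer rather than only through a subclass.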
Comment From: rwinch
Thanks for the report @bberto! Would you be interested in submitting two separate pull requests? The first would add a boolean groupSearchSubtree and the second would ensure that DefaultLdapAuthoritiesPopulator is post-processed.
Comment From: bberto
First PR submitted. It's my first one here, so please feel free to provide any feedback.
Comment From: rwinch
Closing in favor of gh-8400