Hi,
Using Spring Security 2.0.0 with Spring 2.5.2 and namespace configuration. I was able to authenticate against AD, but the group search never returns any roles. I think this is probably because our AD is set up such that group memberships are listed with a user in the memberOf attribute, instead of the usual group entry having a bunch of member attributes which specifies group number. Using the user.ldif that comes with the sample app as an example, our exported ldif would have something like this:
Code:
dn: cn=Jane Doe,ou=people,dc=mycompany,dc=com
objectclass: top
objectclass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: jdoe
memberOf: cn=user,ou=groups,dc=springframework,dc=org
memberOf: cn=teller,ou=groups,dc=springframework,dc=org
...

dn: cn=user,ou=groups,dc=mycompany,dc=com
objectclass: top
objectclass: group
cn: user
...
The main difference here is that the group entry does not have a list of "member=..." entries specifying the members of the group.
My LDAP authentication is configured as follows:
Code:
<ldap-server url="ldap://myserver:389/dc=mycompany,dc=com"
             manager-dn="domain\manager"
             manager-password="secret" />

<ldap-authentication-provider group-search-base="ou=Groups"
                              group-search-filter="(member={0})"
                              group-role-attribute="cn"
                              user-search-base="ou=people"
                              user-search-filter="(sAMAccountName={0})"/>

<ldap-user-service user-search-base="ou=people"
                   user-search-filter="(sAMAccountName={0})"/>
Given that the group entry does not have member attributes listing the group's members, I am not surprised that the group search does not return anything. I have been fiddling with the group search parameters of the ldap-authentication-provider, without any luck.
Any idea how I should configure spring security given such structures in AD?
Thanks.
-Feng
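As an added illustration (not Spring Security code and not part of the post above), the following Python models the two lookups against a constructed copy of the LDIF from the post: the group-side search that a filter of (member={0}) performs, which finds nothing when group entries carry no member attribute, and a user-side lookup that derives the role names from the user's own memberOf DNs. The ROLE_ prefix and upper-casing mirror what Spring Security's default authorities populator applies; the DN base dc=mycompany,dc=com is taken from the post.

```python
import re

# Constructed LDIF fragment modelled on the post's example (not real directory data).
LDIF = """\
dn: cn=Jane Doe,ou=people,dc=mycompany,dc=com
objectClass: user
sAMAccountName: jdoe
memberOf: cn=user,ou=groups,dc=mycompany,dc=com
memberOf: cn=teller,ou=groups,dc=mycompany,dc=com

dn: cn=user,ou=groups,dc=mycompany,dc=com
objectClass: group
cn: user

dn: cn=teller,ou=groups,dc=mycompany,dc=com
objectClass: group
cn: teller
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attribute_lowercase: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def roles_by_group_search(entries, user_dn, base="ou=groups", role_attr="cn"):
    """Model of group-search-filter="(member={0})": groups under the base whose
    member attribute lists the user's DN. Empty when groups carry no member attribute."""
    return sorted(attrs[role_attr][0] for dn, attrs in entries.items()
                  if f",{base}," in dn.lower() and user_dn in attrs.get("member", []))


def roles_from_member_of(entries, user_dn):
    """Derive roles from the user's own memberOf DNs: the value of each group DN's
    first RDN (cn=teller -> teller)."""
    return sorted(dn.split(",", 1)[0].split("=", 1)[1]
                  for dn in entries[user_dn].get("memberof", []))


def to_spring_authorities(roles, prefix="ROLE_"):
    """Apply the ROLE_ prefix and upper-casing that the default populator uses."""
    return [prefix + role.upper() for role in roles]
```

With this data the group-side lookup yields no roles at all, while the memberOf-derived lookup yields ROLE_TELLER and ROLE_USER for jdoe.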