The current implementation of DefaultLdapAuthoritiesPopulator supports resolving roles from the direct membership of the user in "role" groups.
What I miss, however, is the ability to support nested groups, i.e. where the user is a member of a group (not necessarily a "role" group), which is in turn a member of a "role" group. This would make the administration of role groups much easier.
Large organisations typically have an established group-membership structure, based on organisational and security structures, and these groups are typically nested several levels deep, for ease of maintenance.
I realize that resolving nested groups would require additional search(es) in the LDAP, and that the implementing class would likely have to turn the DefaultLdapAuthoritiesPopulator search "on its head". The resolving process could start by resolving all "role" groups (i.e. groups rooted in one of the designated "role" roots), and then resolving their members, expanding any references to other groups (globally in the directory). This may require quite a few LDAP searches, and should therefore be cached, with an appropriate expiry (typically minutes), after which the role groups are re-resolved.
Once a user is authenticated, the authorisation can thus be easily done against the fully resolved "role" groups, by performing a search of the resolved groups using the user's DN.
Has anyone successfully implemented support for nested groups, and if so, how did you implement it?
If not, does anyone have an easier (quicker) way of resolving nested groups than the process I have described above?
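The three-step process described in the post (find the "role" groups under the role roots, expand their members transitively through nested groups, cache the result and answer authorisation queries by user DN), written out as an added example. This is not code from the original post and not Spring Security's own implementation; it is plain Python run against a constructed in-memory directory that stands in for LDAP search results, so it runs offline. The base DN, the `ou=roles` role root, the group object class and the `ROLE_` prefix are all assumptions. The toy directory deliberately contains a membership cycle (`cn=it-ops` and `cn=platform` list each other), because real nested-group structures do contain cycles and diamonds and a naive recursive expansion never terminates on them.

```python
import time
from collections import deque

# Constructed toy directory (not real data): DN -> attributes, DNs lower-cased
# so that membership comparisons are exact. Groups use groupOfNames/member.
BASE = "dc=example,dc=com"
PERSON = {"objectclass": "inetorgperson"}


def group(*members):
    return {"objectclass": "groupofnames", "member": list(members)}


DIRECTORY = {
    f"cn=admins,ou=roles,{BASE}": group(f"cn=it-ops,ou=groups,{BASE}"),
    f"cn=users,ou=roles,{BASE}": group(f"cn=all-staff,ou=groups,{BASE}",
                                       f"uid=contractor,ou=people,{BASE}"),
    f"cn=it-ops,ou=groups,{BASE}": group(f"cn=platform,ou=groups,{BASE}",
                                         f"uid=alice,ou=people,{BASE}"),
    # Cycle: platform is nested inside it-ops and also lists it-ops as a member.
    f"cn=platform,ou=groups,{BASE}": group(f"uid=bob,ou=people,{BASE}",
                                           f"cn=it-ops,ou=groups,{BASE}"),
    f"cn=all-staff,ou=groups,{BASE}": group(f"cn=it-ops,ou=groups,{BASE}",
                                            f"uid=carol,ou=people,{BASE}"),
    **{f"uid={u},ou=people,{BASE}": PERSON
       for u in ("alice", "bob", "carol", "contractor")},
}

ROLE_ROOTS = [f"ou=roles,{BASE}"]   # the designated "role" roots (assumed)
ROLE_PREFIX = "ROLE_"               # assumed naming convention for authorities


def parent_dn(dn):
    return dn.split(",", 1)[1]


def is_group(attrs):
    return attrs.get("objectclass") == "groupofnames"


def role_name(group_dn):
    # cn=admins,ou=roles,... -> ROLE_ADMINS
    rdn_value = group_dn.split(",", 1)[0].split("=", 1)[1]
    return ROLE_PREFIX + rdn_value.upper()


def find_role_groups(directory, role_roots):
    """Step 1: the 'role' groups are the groups lying directly under a role root."""
    return [dn for dn, attrs in directory.items()
            if is_group(attrs) and parent_dn(dn) in role_roots]


def expand_members(directory, group_dn):
    """Step 2: breadth-first expansion of 'member', following nested groups anywhere
    in the directory. 'seen' makes cycles and diamonds terminate; each group is
    visited once, which in a real deployment means one LDAP search per group."""
    users, seen, queue = set(), {group_dn}, deque([group_dn])
    while queue:
        attrs = directory.get(queue.popleft(), {})
        for member in attrs.get("member", []):
            if member in seen:
                continue
            seen.add(member)
            if is_group(directory.get(member, {})):
                queue.append(member)
            elif member in directory:
                users.add(member)
            # dangling member DNs (no such entry) are silently dropped
    return users


def resolve_roles(directory, role_roots):
    """Full resolution: role name -> set of user DNs that hold it transitively."""
    return {role_name(g): expand_members(directory, g)
            for g in find_role_groups(directory, role_roots)}


class CachedRoleResolver:
    """Keeps the resolved map for ttl_seconds, then re-resolves on the next use.
    The clock is injectable so the expiry can be exercised deterministically."""

    def __init__(self, directory, role_roots, ttl_seconds=300, clock=time.monotonic):
        self.directory, self.role_roots = directory, role_roots
        self.ttl, self.clock = ttl_seconds, clock
        self._roles, self._expires_at, self.resolutions = None, 0.0, 0

    def _roles_map(self):
        if self._roles is None or self.clock() >= self._expires_at:
            self._roles = resolve_roles(self.directory, self.role_roots)
            self._expires_at = self.clock() + self.ttl
            self.resolutions += 1
        return self._roles

    def roles_for(self, user_dn):
        """Step 3: authorisation lookup by the authenticated user's DN."""
        user_dn = user_dn.lower()
        return {role for role, members in self._roles_map().items()
                if user_dn in members}


if __name__ == "__main__":
    resolver = CachedRoleResolver(DIRECTORY, ROLE_ROOTS, ttl_seconds=60)
    for user in ("alice", "carol", "contractor"):
        dn = f"uid={user},ou=people,{BASE}"
        print(dn, "->", sorted(resolver.roles_for(dn)))
```

Two caveats worth keeping in mind with this design. First, the cache is a security-relevant window: a user removed from a group keeps its roles until the map expires, so the TTL should be chosen with that lag in mind and the map should be invalidated on demand when possible. Second, the expansion cost is one search per distinct group reached, not per role; on Active Directory the server can do the transitive expansion itself with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (`member:1.2.840.113556.1.4.1941:=<user DN>`), which replaces the whole map with a single query per user. Later Spring Security releases also ship a `NestedLdapAuthoritiesPopulator` that walks group membership upward per user at login time, which is the alternative "per user" direction to the "per role" direction shown here.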