How to: Configure nested LDAP groups

Requirement

You have an LDAP group that contains various LDAP groups that in turn contain users. You want to assign this LDAP group to a role in XL Deploy and have the users in the sub-groups inherit the permissions of that XL Deploy role.

Environment

XL Deploy, roles and permissions

Solution

  1. Edit your deployit-security.xml file
  2. Change DefaultLdapAuthoritiesPopulator to NestedLdapAuthoritiesPopulator
  3. Your bean should look something like the example below:

     <bean id="authoritiesPopulator" class="org.springframework.security.ldap.userdetails.NestedLdapAuthoritiesPopulator">
       <constructor-arg ref="ldapServer" />
       <constructor-arg value="dc=example,dc=com" />
       <property name="groupSearchFilter" value="(member={0})" />
       <property name="rolePrefix" value="" />
       <property name="searchSubtree" value="true" />
       <property name="convertToUpperCase" value="false" />
     </bean>

Caveats

  • The NestedLdapAuthoritiesPopulator class is available in XLD and XLR versions 6 and up.
  • Don't make your group search base too specific. If you have groups in different branches of your LDAP tree and you specify ou=xldeploy,ou=applications,dc=example,dc=com as your group search base, the groups in ou=groups,dc=example,dc=com are not found. In that case, the most specific group search base you can use is dc=example,dc=com.
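
The search-base caveat above, as an added example that is not XL Deploy or Spring Security code: a simplified Python model of a nested populator that repeats the (member={0}) search for every group it finds. The directory entries, DNs and function names are constructed for illustration.

```python
# Simplified model of nested group resolution (assumption: not the real
# Spring Security implementation). Constructed directory: group DN -> member DNs.
GROUPS = {
    "cn=deployers,ou=xldeploy,ou=applications,dc=example,dc=com": [
        "cn=team-a,ou=groups,dc=example,dc=com",
        "cn=team-b,ou=xldeploy,ou=applications,dc=example,dc=com",
    ],
    "cn=team-a,ou=groups,dc=example,dc=com": ["uid=alice,ou=people,dc=example,dc=com"],
    "cn=team-b,ou=xldeploy,ou=applications,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
    ],
}


def in_subtree(dn, base):
    """True if dn is the base entry or anywhere below it (searchSubtree=true)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search_groups(member_dn, base):
    """Model of groupSearchFilter (member={0}) evaluated under the search base."""
    return [g for g, members in GROUPS.items()
            if in_subtree(g, base) and member_dn in members]


def resolve_roles(user_dn, base):
    """Find the user's direct groups, then search again with each group as member."""
    found, queue = set(), [user_dn]
    while queue:
        for group in search_groups(queue.pop(), base):
            if group not in found:  # visited check: no loop on cyclic memberships
                found.add(group)
                queue.append(group)
    # Model of rolePrefix="" and convertToUpperCase="false": role is the plain cn
    return sorted(g.split(",")[0].split("=", 1)[1] for g in found)


ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
NARROW = "ou=xldeploy,ou=applications,dc=example,dc=com"

if __name__ == "__main__":
    print(resolve_roles(ALICE, "dc=example,dc=com"))  # broad base
    print(resolve_roles(ALICE, NARROW))               # too-specific base
    print(resolve_roles(BOB, NARROW))
```

With the narrow base, alice's only direct group lies outside the searched subtree, so the chain to the parent group is never followed and she receives no roles, while bob's chain stays inside the subtree and resolves fully.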

Additional Information

For more information about configuring LDAP for XL Deploy, see LDAP security in the Developer Portal.
