Your organization's roles may be stored in multiple locations, or in objects of different classes, within an LDAP tree. Assume the following tree:
ou=system
+--ou=roles
+--ou=groups
Now assume that the entries under ou=roles,ou=system have objectClass organizationalRole and the entries under ou=groups,ou=system have objectClass group. You could define a single search filter covering both. The disadvantages of this approach are (1) it searches more objects than necessary and (2) the filter is more complicated.
Instead, use the unionizing classes provided by Pentaho.
UnionizingLdapAuthoritiesPopulator
applicationContext-spring-security-ldap.xml
<!-- Populator 1: roles kept as organizationalRole entries directly under ou=roles.
     Constructor args: (0) the LDAP ContextSource bean, (1) the search base for group/role lookups. -->
<bean id="populator1" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1" value="ou=roles" />
  <!-- the cn of each matching entry becomes the name of the granted authority -->
  <property name="groupRoleAttribute" value="cn" />
  <!-- Spring Security substitutes the authenticated user's DN for {0}; matches roles that list the user as roleOccupant -->
  <property name="groupSearchFilter" value="roleOccupant={0}" />
  <!-- no ROLE_ prefix and no upper-casing: the cn is used verbatim as the authority name -->
  <property name="rolePrefix" value="" />
  <property name="convertToUpperCase" value="false" />
  <!-- one-level search only: entries nested deeper than ou=roles are not matched -->
  <property name="searchSubtree" value="false" />
</bean>

<!-- Populator 2: same configuration, but for group entries under ou=groups, where membership is
     recorded in the member attribute instead of roleOccupant. -->
<bean id="populator2" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1" value="ou=groups" />
  <property name="groupRoleAttribute" value="cn" />
  <!-- {0} is again the user's DN; matches groups whose member attribute contains it -->
  <property name="groupSearchFilter" value="member={0}" />
  <property name="rolePrefix" value="" />
  <property name="convertToUpperCase" value="false" />
  <property name="searchSubtree" value="false" />
</bean>

<!-- Combines the two populators; presumably the granted authorities from each are unioned
     into a single set, so a user may hold authorities from either subtree. -->
<bean id="populator" class="org.pentaho.platform.plugin.services.security.userrole.ldap.UnionizingLdapAuthoritiesPopulator">
  <property name="populators">
    <set>
      <ref bean="populator1" />
      <ref bean="populator2" />
    </set>
  </property>
</bean>
UnionizingLdapSearch
applicationContext-pentaho-security-ldap.xml
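<!-- Search 1: enumerates every organizationalRole entry under ou=roles.
     Constructor args: (0) the LDAP ContextSource bean, (1) the search parameters (base and filter). -->
<bean id="allAuthoritiesSearch1" class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1">
    <!-- (0) search base relative to the context root, (1) LDAP filter applied at that base -->
    <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.LdapSearchParamsFactoryImpl">
      <constructor-arg index="0" value="ou=roles" />
      <constructor-arg index="1" value="objectClass=organizationalRole" />
    </bean>
  </constructor-arg>
  <!-- omitted -->
</bean>

<!-- Search 2: enumerates every group entry under ou=groups.
     Both searches reference the same contextSource bean; the original example referenced a
     bean named initialDirContextFactory here, which is not defined anywhere else in this
     example and appears to be a leftover name, so it has been aligned with search 1. -->
<bean id="allAuthoritiesSearch2" class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1">
    <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.LdapSearchParamsFactoryImpl">
      <constructor-arg index="0" value="ou=groups" />
      <constructor-arg index="1" value="objectClass=group" />
    </bean>
  </constructor-arg>
  <!-- omitted -->
</bean>

<!-- Combines the two searches; presumably the results are unioned into a single set of
     authorities, so this bean can be used wherever a single "all authorities" search is expected. -->
<bean id="allAuthoritiesSearch" class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.UnionizingLdapSearch">
  <property name="searches">
    <set>
      <ref bean="allAuthoritiesSearch1" />
      <ref bean="allAuthoritiesSearch2" />
    </set>
  </property>
</bean>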