  • Retrieving Roles Using Multiple LDAP Search Filters

Your organization's roles may be stored in more than one location of the LDAP tree, or in entries of different object classes. Assume the following tree.

+--ou=system
   +--ou=roles
   +--ou=groups

Now assume that the entries under ou=roles,ou=system have objectClass organizationalRole and the entries under ou=groups,ou=system have objectClass group. You could cover both with a single search filter rooted at ou=system (an OR of the two filters combined with a subtree search). The disadvantages of this are (1) searching more entries than necessary and (2) a more complicated filter that is harder to review.

Instead, use the unionizing classes provided by Pentaho. Each configured search runs on its own, narrow base, and the results are merged into one set: a user is granted a role if it is found in either location. Note that this means both containers are equally authoritative for role assignment, so both must be protected with the same write controls in the directory.

UnionizingLdapAuthoritiesPopulator

applicationContext-spring-security-ldap.xml
<!-- Roles held as entries directly under ou=roles. The search base is relative to the
     base DN configured on contextSource (confirm against that bean). Per Spring Security's
     DefaultLdapAuthoritiesPopulator contract, {0} in the filter is replaced with the
     authenticated user's DN (filter-escaped), so the user receives the cn of every role
     entry that lists that DN as a roleOccupant. -->
<bean id="populator1" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1" value="ou=roles" />
  <property name="groupRoleAttribute" value="cn" />
  <property name="groupSearchFilter" value="roleOccupant={0}" />
  <!-- Authority names are the raw cn values: no prefix and case preserved. Any role
       name referenced elsewhere in Pentaho must therefore match the directory value
       exactly, including case. -->
  <property name="rolePrefix" value="" />
  <property name="convertToUpperCase" value="false" />
  <!-- One-level search only: role entries in nested OUs below ou=roles are not returned. -->
  <property name="searchSubtree" value="false" />
</bean>

<!-- Roles held as group entries directly under ou=groups (base relative to the base DN
     on contextSource — confirm). {0} is replaced with the authenticated user's DN, so the
     user receives the cn of every group whose member attribute lists that DN. Membership
     via nested groups is not expanded by this populator. -->
<bean id="populator2" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1" value="ou=groups" />
  <property name="groupRoleAttribute" value="cn" />
  <property name="groupSearchFilter" value="member={0}" />
  <!-- Same naming policy as populator1: raw cn, no prefix, case preserved, so role
       names from both containers are compared on equal terms when unioned. -->
  <property name="rolePrefix" value="" />
  <property name="convertToUpperCase" value="false" />
  <!-- One-level search only: groups in nested OUs below ou=groups are not returned. -->
  <property name="searchSubtree" value="false" />
</bean>

<!-- Merges the authorities returned by every listed populator into one set. A role is
     granted if ANY populator returns it, so each configured container is fully
     authoritative for role assignment; do not list a container whose entries can be
     written by less trusted principals. Duplicate role names across containers collapse
     into a single authority. -->
<bean id="populator" class="org.pentaho.platform.plugin.services.security.userrole.ldap.UnionizingLdapAuthoritiesPopulator">
  <property name="populators">
    <set>
      <ref bean="populator1" />
      <ref bean="populator2" />
    </set>
  </property>
</bean>

UnionizingLdapSearch

applicationContext-pentaho-security-ldap.xml
<!-- Enumerates all role entries under ou=roles (base relative to the base DN on
     contextSource — confirm) using a fixed filter with no user-supplied input.
     The search params factory must return the same attribute (cn) that populator1
     uses as the role name, otherwise the role list and the roles actually granted
     will not line up; that part of the configuration is omitted below. -->
<bean id="allAuthoritiesSearch1" class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1">
    <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.LdapSearchParamsFactoryImpl">
      <constructor-arg index="0" value="ou=roles" />
      <constructor-arg index="1" value="objectClass=organizationalRole" />
    </bean>
  </constructor-arg>
  <!-- omitted -->
</bean>

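<!-- Enumerates all group entries under ou=groups using a fixed filter with no
     user-supplied input. The context source must be the same bean that
     allAuthoritiesSearch1 and the populators use; the original snippet referenced
     "initialDirContextFactory" here while every sibling bean references
     "contextSource", which leaves this search pointing at a bean that may not exist
     in this file, or at a differently configured connection. -->
<bean id="allAuthoritiesSearch2" class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1">
    <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.LdapSearchParamsFactoryImpl">
      <constructor-arg index="0" value="ou=groups" />
      <constructor-arg index="1" value="objectClass=group" />
    </bean>
  </constructor-arg>
  <!-- omitted -->
</bean>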

<!-- Runs each listed search and returns the union of their results, so the role list
     presented by Pentaho covers both containers. Keep this list in step with the
     populators in applicationContext-spring-security-ldap.xml: a container searched
     here but not by a populator shows roles that can never be granted, and the reverse
     grants roles that administrators cannot see. Names that appear in both containers
     are reported once. -->
<bean id="allAuthoritiesSearch" class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.UnionizingLdapSearch">
  <property name="searches">
    <set>
      <ref bean="allAuthoritiesSearch1" />
      <ref bean="allAuthoritiesSearch2" />
    </set>
  </property>
</bean>