spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

DefaultLdapAuthoritiesPopulator does not provide all authorities if pagination is enforced on LDAP Server #14741

Open mayur9991 opened 6 months ago

mayur9991 commented 6 months ago

Describe the bug

DefaultLdapAuthoritiesPopulator does not provide a way to fetch all authorities belonging to the user if pagination is enforced on the LDAP Server.

We have a use-case where, on the LDAP server, users are mapped to 1000+ groups. Size limit is enforced, which can fetch 500 records at a time. Refer to OpenLDAP limits.

DefaultLdapAuthoritiesPopulator uses SpringSecurityLdapTemplate, and a search with the default NullDirContextProcessor is triggered. See the code sample below from DefaultLdapAuthoritiesPopulator.

https://github.com/spring-projects/spring-security/blob/f57a0931377975779fb318e818ab318ec659110f/ldap/src/main/java/org/springframework/security/ldap/userdetails/DefaultLdapAuthoritiesPopulator.java#L231

The search call on LdapTemplate should be made with DirContextProcessor.

https://github.com/spring-projects/spring-security/blob/f57a0931377975779fb318e818ab318ec659110f/ldap/src/main/java/org/springframework/security/ldap/SpringSecurityLdapTemplate.java#L197

The default value could be NullDirContextProcessor for DirContextProcessor, but whoever wants to use a paginated one can customize it and use PagedResultsDirContextProcessor.

To Reproduce

Add 1000+ groups in LDAP and assign any user to all these groups. Make sure to set the limit as 500 on the LDAP. Now, when DefaultLdapAuthoritiesPopulator is used along with LdapAuthenticationProvider, only the first 500 groups are fetched.

Expected behavior

DefaultLdapAuthoritiesPopulator should provide a way to customize DirContextProcessor, and that should be used with SpringSecurityLdapTemplate.

jzheaux commented 4 months ago

Thanks for the suggestion, @mayur9991. I think this makes sense to add.

Instead of exposing the DirContextProcessor, I think I'd prefer to add a setter, setPageSize, to SpringSecurityLdapTemplate and add a new constructor in DefaultLdapAuthoritiesPopulator that takes an LdapOperations instead of a ContextSource. In this way, the other search method can use this setting too.

I'll put this on my list to take a look at after the 6.3 release.