Add optional nested Active Directory group resolution by wonderfulrosemari · Pull Request #18823 · spring-projects/spring-security
Closes gh-2053
Add optional support for resolving nested Active Directory groups when loading
authorities in ActiveDirectoryLdapAuthenticationProvider.
By default, authorities are derived from direct memberOf values. For AD
deployments that use nested groups, this can miss effective group membership.
This change introduces an opt-in nested lookup using AD's
LDAP_MATCHING_RULE_IN_CHAIN search filter.
Changes include:
- add `setSearchNestedGroups(boolean)` to `ActiveDirectoryLdapAuthenticationProvider`
- when enabled, perform an additional LDAP search with:
  `(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={0}))`
- merge nested authorities with existing authorities from the configured `LdapAuthoritiesPopulator`
- add tests for:
  - default behavior (nested lookup disabled)
  - nested lookup enabled (nested group authority included)
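An added illustration, not code from Spring Security or this pull request, of what the opt-in chain search adds over the default direct `memberOf` read, including escaping of the user DN before it is substituted into the `{0}` slot of the filter. The in-memory directory, group DNs and user DN are constructed sample data.

```python
from collections import deque

# Constructed sample directory: group DN -> DNs listed in its member attribute.
# alice is a direct member of Backend only; Backend is nested in Engineering,
# which is nested in Admins; Admins and Cycle nest each other (circular nesting).
DIRECTORY = {
    "CN=Backend,OU=Groups,DC=example,DC=com": {"CN=alice,OU=Users,DC=example,DC=com"},
    "CN=Engineering,OU=Groups,DC=example,DC=com": {"CN=Backend,OU=Groups,DC=example,DC=com"},
    "CN=Admins,OU=Groups,DC=example,DC=com": {
        "CN=Engineering,OU=Groups,DC=example,DC=com",
        "CN=Cycle,OU=Groups,DC=example,DC=com",
    },
    "CN=Cycle,OU=Groups,DC=example,DC=com": {"CN=Admins,OU=Groups,DC=example,DC=com"},
}


def direct_member_of(dn):
    """Default behaviour: groups whose member attribute names dn directly."""
    return {group for group, members in DIRECTORY.items() if dn in members}


def nested_member_of(user_dn):
    """Simulates the LDAP_MATCHING_RULE_IN_CHAIN search: every group reachable
    from the user through member links. The visited set guards against
    circular nesting looping forever."""
    found, queue = set(), deque([user_dn])
    while queue:
        for group in direct_member_of(queue.popleft()):
            if group not in found:
                found.add(group)
                queue.append(group)
    return found


def escape_filter_value(value):
    """RFC 4515 escaping for the DN placed into the {0} slot, so a DN that
    contains ( ) * \\ or NUL cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def nested_group_filter(user_dn):
    """The filter the opt-in search issues, with the user DN escaped."""
    return "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))" % escape_filter_value(user_dn)


def effective_groups(user_dn, search_nested_groups=False):
    """Mirrors the opt-in: direct groups always, nested groups merged in when enabled."""
    groups = direct_member_of(user_dn)
    if search_nested_groups:
        groups |= nested_member_of(user_dn)
    return groups
```

With the flag left at its default, alice resolves to Backend only; with it enabled, the groups that contain Backend transitively (Engineering, Admins, Cycle) are merged in as well.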