
DefaultLdapAuthoritiesPopulator does not provide all authorities if pagination is enforced on LDAP Server #14741

Open
@mayur9991

Description

Describe the bug
DefaultLdapAuthoritiesPopulator does not provide a way to fetch all authorities belonging to the user if pagination is enforced on the LDAP Server.

We have a use case where, on the LDAP server, users are mapped to 1000+ groups. A size limit is enforced, which allows fetching 500 records at a time. Refer to OpenLDAP limits.

DefaultLdapAuthoritiesPopulator uses SpringSecurityLdapTemplate, and a search with the default NullDirContextProcessor is triggered. See the code sample below from DefaultLdapAuthoritiesPopulator.

Set<Map<String, List<String>>> userRoles = getLdapTemplate().searchForMultipleAttributeValues(

The search call on LdapTemplate should be made with a DirContextProcessor.

The default value could be NullDirContextProcessor for DirContextProcessor, but whoever wants to use a paginated one can customize it and use PagedResultsDirContextProcessor.

To Reproduce
Add 1000+ groups in LDAP and assign any user to all these groups. Make sure to set the limit as 500 on the LDAP. Now, when DefaultLdapAuthoritiesPopulator is used along with LdapAuthenticationProvider, only the first 500 groups are fetched.

Expected behavior
DefaultLdapAuthoritiesPopulator should provide a way to customize DirContextProcessor, and that should be used with SpringSecurityLdapTemplate.

Labels: in: ldap (An issue in spring-security-ldap), type: enhancement (A general enhancement)