...

The instructions below describe how to implement nested roles or groups by describing the nesting structure (the child to parent mapping) outside of the LDAP directory. Why would you want to describe the nesting (i.e. what role is an occupant of what other role) outside of the LDAP directory? Because it is potentially prohibitive to repeatedly query the directory to recursively find all parents of a given child role. So for performance reasons, the nesting is described outside of the LDAP directory.

The two classes (NestedLdapAuthoritiesPopulator and ExtraRoles) introduced below are attached to this page and are also available in the trunk.

Describing the Nesting

Notice the populator is no longer DefaultLdapAuthoritiesPopulator. Instead, we've defined NestedLdapAuthoritiesPopulator, which subclasses DefaultLdapAuthoritiesPopulator and adds a mapping for extra roles. In the extraRolesMapping, the keys are child roles and the values are parent roles.

...

If the roles that serve as "parents" to nested roles cannot be returned by a traditional all authorities search, you'll need to add the parents to the list returned by your existing all authorities search using a transformer. The ExtraRoles transformer handles this.

applicationContext-pentaho-security.xml

<bean id="allAuthoritiesSearch" class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">
<!-- omitted -->
  <constructor-arg index="2">
    <bean class="org.apache.commons.collections.functors.ChainedTransformer">
      <constructor-arg index="0">
        <list>
          <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.SearchResultToAttrValueList">
            <!-- omitted -->
          </bean>
          <!-- ExtraRoles appends parent roles that the LDAP search itself cannot return -->
          <bean class="com.pentaho.security.ldap.transform.ExtraRoles">
            <property name="extraRoles">
              <set>
                <value>bireporting</value>
              </set>
            </property>
          </bean>
          <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.StringToGrantedAuthority">
            <!-- omitted -->
          </bean>
        </list>
      </constructor-arg>
    </bean>
  </constructor-arg>
</bean>
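The two steps described above, resolving the parents of a user's roles from a child-to-parent mapping kept outside the directory and appending parents that the all authorities search cannot return, are shown below as an added, stand-alone example. It is not the NestedLdapAuthoritiesPopulator or ExtraRoles code from this page; the function names, the role names and the mapping are constructed, and it generalises the page's one-parent-per-child map to allow a list of parents per child.

```python
"""Nested-role resolution with the nesting described outside LDAP.

Constructed example. Because the child -> parent mapping lives in
application configuration, finding every ancestor of a role is a walk
over an in-memory dict rather than repeated directory queries. All names
below (resolve_nested_roles, add_extra_roles, authorities_for, the role
values) are hypothetical and not the project's own code.
"""
from collections import deque

# Constructed mapping: key = child role, value = parent role(s).
# The page's extraRolesMapping has one parent per child; this version
# also accepts a list of parents for a child.
EXTRA_ROLES_MAPPING = {
    "bireporting_editors": "bireporting",
    "bireporting_viewers": "bireporting",
    "bireporting": "authenticated",
    "admins": ["bireporting", "authenticated"],
}


def _parents_of(mapping, role):
    """Normalise a mapping value to a tuple of parent roles."""
    value = mapping.get(role, ())
    if isinstance(value, str):
        return (value,)
    return tuple(value)


def resolve_nested_roles(direct_roles, mapping):
    """Return the direct roles plus every ancestor reachable via mapping.

    The visited set doubles as a cycle guard: a misconfigured mapping in
    which a role is transitively its own parent terminates instead of
    looping forever.
    """
    resolved = set()
    queue = deque(direct_roles)
    while queue:
        role = queue.popleft()
        if role in resolved:
            continue
        resolved.add(role)
        queue.extend(_parents_of(mapping, role))
    return resolved


def add_extra_roles(all_authorities, extra_roles):
    """Mirror of the ExtraRoles transformer step.

    Parent roles that the all authorities LDAP search cannot return are
    appended to the search result so the application's role list knows
    about them. Search-result order is preserved and duplicates are
    dropped.
    """
    seen = set(all_authorities)
    result = list(all_authorities)
    for role in extra_roles:
        if role not in seen:
            seen.add(role)
            result.append(role)
    return result


def authorities_for(user_direct_roles, mapping=EXTRA_ROLES_MAPPING, prefix="ROLE_"):
    """Build granted-authority strings for one user's direct LDAP roles.

    The ROLE_ prefix and upper-casing are assumptions standing in for the
    StringToGrantedAuthority step, not behaviour taken from this page.
    """
    return sorted(prefix + r.upper() for r in resolve_nested_roles(user_direct_roles, mapping))


if __name__ == "__main__":
    # A user who is a direct occupant of one leaf role inherits its parents.
    print(authorities_for(["bireporting_viewers"]))
    # The all authorities list gains the parent the directory search cannot return.
    print(add_extra_roles(["bireporting_editors", "authenticated"], ["bireporting"]))
```

The mapping is an authorization input in its own right: whatever is granted through it is granted regardless of what the directory says about the parent, so it belongs with the rest of the security configuration and is reviewed with it. The cycle guard matters for the same reason; a mapping error should fail visibly rather than hang the authentication path.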

...