Just as DefaultLdapAuthoritiesPopulator has a configurable search scope via its searchSubtree property, LdapSearchParamsFactoryImpl provides a way to set a search scope by passing a SearchControls instance into the constructor. The XML below demonstrates this. If no SearchControls is supplied via the constructor, the default search scope is ONELEVEL_SCOPE.
<bean class="com.pentaho.security.ldap.search.LdapSearchParamsFactoryImpl">
<constructor-arg index="0" value="ou=users" />
<constructor-arg index="1" value="objectClass=Person" />
<constructor-arg index="2">
<bean class="javax.naming.directory.SearchControls">
<!-- 2 comes from http://java.sun.com/j2se/1.3/docs/api/javax/naming/directory/SearchControls.html#SUBTREE_SCOPE -->
<property name="searchScope" value="2" />
</bean>
</constructor-arg>
</bean>