I've been having some trouble using the search-entry-handler with the surrogate ldap setup. The RECURSIVE_ENTRY handler does not seem to be used when searching user attributes.
- Using Active Directory with the ldap attribute repository for authentication and attribute repository. This is working and we are able to lookup nested groups using the RECURSIVE_ENTRY search-entry-handler.
- Using the same ldap for the surrogate setup. The authorization is working fine, but I would like to use a search-entry-handler to find "nested groups" that the user is a member of. The search-entry-handler doesn't seem to even be used when I turn on debug for <Property name="ldap.log.level">debug</Property>. See attached log. User is a member of "parent_nested_group", which is a member of another group to authorize the users to impersonate "student-lo".
# Search filter is used to locate the account / attribute for the member-attribute-name
cas.authn.surrogate.ldap.search-filter=sAMAccountName={user}
# used to validate that the account is authorized to impersonate
cas.authn.surrogate.ldap.surrogate-search-filter=(&(sAMAccountName={user})(memberOf:1.2.840.113556.1.4.1941:=cn={surrogate}-IMP,ou=sso_impersonation,ou=Groups,dc=example,dc=org))
# This is not working right... works for the ldap attribute repository, but not here.
cas.authn.surrogate.ldap.search-entry-handlers[0].type=RECURSIVE_ENTRY
cas.authn.surrogate.ldap.search-entry-handlers[0].recursive.search-attribute=memberOf
cas.authn.surrogate.ldap.search-entry-handlers[0].recursive.merge-attributes=memberOf
# how we find the list of accounts eligible for impersonation to the user.
cas.authn.surrogate.ldap.member-attribute-name=memberOf
cas.authn.surrogate.ldap.member-attribute-value-regex=CN=(.+)-IMP.+
Any help would be appreciated.
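To make the expected behaviour of the configuration above concrete, here is an added illustration (not CAS code, and not from the attached log) that models what the RECURSIVE_ENTRY handler with search-attribute=memberOf / merge-attributes=memberOf should do before member-attribute-value-regex is applied: follow each memberOf value to its group entry, merge that group's own memberOf values in, and only then extract surrogate names with the regex. The directory contents and the use of a start-anchored regex match are constructed assumptions.

```python
import re

# Constructed sample directory (DN -> memberOf values); not taken from the post's log.
# jdoe is a direct member of parent_nested_group, which in turn is a member of student-lo-IMP.
DIRECTORY = {
    "CN=jdoe,OU=Users,DC=example,DC=org": [
        "CN=parent_nested_group,OU=Groups,DC=example,DC=org",
    ],
    "CN=parent_nested_group,OU=Groups,DC=example,DC=org": [
        "CN=student-lo-IMP,OU=sso_impersonation,OU=Groups,DC=example,DC=org",
    ],
    "CN=student-lo-IMP,OU=sso_impersonation,OU=Groups,DC=example,DC=org": [],
}

# Same regex as cas.authn.surrogate.ldap.member-attribute-value-regex in the post.
MEMBER_ATTRIBUTE_VALUE_REGEX = re.compile(r"CN=(.+)-IMP.+")


def recursive_member_of(dn, directory, seen=None):
    """Model RECURSIVE_ENTRY: walk memberOf values transitively and merge them
    into one list, guarding against cyclic group membership."""
    if seen is None:
        seen = set()
    merged = []
    for group_dn in directory.get(dn, []):
        if group_dn in seen:
            continue  # cycle or already visited group: do not loop forever
        seen.add(group_dn)
        merged.append(group_dn)
        merged.extend(recursive_member_of(group_dn, directory, seen))
    return merged


def eligible_surrogates(member_values, regex=MEMBER_ATTRIBUTE_VALUE_REGEX):
    """Apply the member-attribute-value-regex to each memberOf value; capture
    group 1 is taken as the surrogate account name (assumed, start-anchored match)."""
    return [m.group(1) for m in (regex.match(v) for v in member_values) if m]


def surrogates_for(dn, directory, recursive):
    """Eligible surrogates for a user, with or without the recursive handler."""
    values = recursive_member_of(dn, directory) if recursive else directory.get(dn, [])
    return eligible_surrogates(values)


if __name__ == "__main__":
    user = "CN=jdoe,OU=Users,DC=example,DC=org"
    print("direct only:", surrogates_for(user, DIRECTORY, recursive=False))  # []
    print("recursive:  ", surrogates_for(user, DIRECTORY, recursive=True))   # ['student-lo']
```

With only the direct memberOf values the regex finds nothing, because the user's direct group is parent_nested_group; only after the recursive merge does the student-lo-IMP DN appear and yield "student-lo".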