Fixes #26889: Support recursive Active Directory group membership in LDAP auth

[abhayguptas]

Describe your changes:

Fixes #26889

I worked on adding an opt-in recursiveGroupMembership flag to LDAP configuration so OpenMetadata can resolve nested Active Directory group membership during role mapping.

This was needed because the existing LDAP auth flow only matched direct group members, which meant users in nested AD groups were not assigned the expected roles. When the flag is enabled, OpenMetadata now uses Active Directory’s transitive membership matching rule to resolve nested groups on the server side.

How I tested it:

• Added unit tests for the LDAP filter selection logic
• Verified the service compiles with Java 21
• Verified the new LDAP unit test passes

Type of change:

• Bug fix
• Improvement
• New feature
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation

Checklist:

• I have read the CONTRIBUTING document.
• My PR title is Fixes <issue-number>: <short explanation>
• I have commented on my code, particularly in hard-to-understand areas.
• For JSON Schema changes: I updated the migration scripts or explained why it is not needed.

• The issue properly describes why the new feature is needed, what's the goal, and how we are building it. Any discussion or decision-making process is reflected in the issue.
• I have updated the documentation.
• I have added tests around the new logic.

[github-actions]

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

[github-actions]

Hi there 👋 Thanks for your contribution!

The OpenMetadata team will review the PR shortly! Once it has been labeled as safe to test, the CI workflows
will start executing and we'll be able to make sure everything is working as expected.

Let us know if you need any help!

[abhayguptas]

hi @harshach, please check this PR and let me know if we need to make any more changes. Let's finalise this and merge it. :)

[github-actions]

The Java checkstyle failed.

Please run mvn spotless:apply in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Java code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

[github-actions]

Jest test Coverage

UI tests summary

Lines	Statements	Branches	Functions
	61.94% (60265/97284)	41.98% (31615/75292)	45% (9495/21098)

[github-actions]

🟡 Playwright Results — all passed (23 flaky)

✅ 3687 passed · ❌ 0 failed · 🟡 23 flaky · ⏭️ 89 skipped

Shard	Passed	Failed	Flaky	Skipped
🟡 Shard 1	479	0	2	4
🟡 Shard 2	654	0	2	7
🟡 Shard 3	660	0	5	1
🟡 Shard 4	645	0	3	27
🟡 Shard 5	607	0	4	42
🟡 Shard 6	642	0	7	8

🟡 23 flaky test(s) (passed on retry)

• Pages/AuditLogs.spec.ts › should apply both User and EntityType filters simultaneously (shard 1, 1 retry)
• Pages/UserCreationWithPersona.spec.ts › Create user with persona and verify on profile (shard 1, 1 retry)
• Features/BulkEditEntity.spec.ts › Glossary (shard 2, 1 retry)
• Features/ColumnBulkOperations.spec.ts › should show success notification after bulk update (shard 2, 1 retry)
• Features/RestoreEntityInheritedFields.spec.ts › Validate restore with Inherited domain and data products assigned (shard 3, 2 retries)
• Features/RestoreEntityInheritedFields.spec.ts › Validate restore with Inherited domain and data products assigned (shard 3, 1 retry)
• Features/RestoreEntityInheritedFields.spec.ts › Validate restore with Inherited domain and data products assigned (shard 3, 1 retry)
• Features/RTL.spec.ts › Verify Following widget functionality (shard 3, 1 retry)
• Features/UserProfileOnlineStatus.spec.ts › Should show "Active recently" for users active within last hour (shard 3, 1 retry)
• Pages/Customproperties-part2.spec.ts › entityReferenceList shows item count, scrollable list, no expand toggle (shard 4, 1 retry)
• Pages/DataContracts.spec.ts › Create Data Contract and validate for Directory (shard 4, 1 retry)
• Pages/DomainUIInteractions.spec.ts › Edit domain style - change icon URL (shard 4, 1 retry)
• Pages/EntityDataConsumer.spec.ts › UpVote & DownVote entity (shard 5, 1 retry)
• Pages/EntityDataConsumer.spec.ts › Tier Add, Update and Remove (shard 5, 1 retry)
• Pages/ExplorePageRightPanel.spec.ts › Should verify deleted user not visible in owner selection for table (shard 5, 1 retry)
• Pages/Glossary.spec.ts › Add and Remove Assets (shard 5, 1 retry)
• Pages/InputOutputPorts.spec.ts › Cancel port removal (shard 6, 1 retry)
• Pages/Lineage/DataAssetLineage.spec.ts › Column lineage for dashboard -> table (shard 6, 1 retry)
• Pages/Lineage/LineageFilters.spec.ts › Verify lineage schema filter selection (shard 6, 1 retry)
• Pages/Lineage/LineageRightPanel.spec.ts › Verify custom properties tab IS visible for supported type: searchIndex (shard 6, 1 retry)
• Pages/Lineage/PlatformLineage.spec.ts › Verify table search with special characters as handled (shard 6, 1 retry)
• Pages/ODCSImportExport.spec.ts › Multi-object ODCS contract - object selector shows all schema objects (shard 6, 1 retry)
• Pages/Users.spec.ts › Permissions for table details page for Data Consumer (shard 6, 1 retry)

📦 Download artifacts

How to debug locally

# Download playwright-test-results-<shard> artifact and unzip
npx playwright show-trace path/to/trace.zip    # view trace

[github-actions]

The Java checkstyle failed.

Please run mvn spotless:apply in the root of your repository and commit the changes to this PR.
You can also use pre-commit to automate the Java code formatting.

You can install the pre-commit hooks with make install_test precommit_install.

[abhayguptas]

hi @PubChimps, I fixed everything here. Please review it and let's merge the PR.

[harshach]

@aji-aju review this PR please

[gitar-bot]

Code Review ✅ Approved 1 resolved / 1 findings

Adds support for recursive Active Directory group membership in LDAP auth. Refactored test assertions to use assertNull for improved clarity, with no remaining issues found.

✅ 1 resolved

✅ Quality: Use assertNull instead of assertTrue(... == null)

📄 openmetadata-service/src/test/java/org/openmetadata/service/security/auth/LdapAuthenticatorTest.java:27
In the test buildGroupMemberFilterUsesEqualityWhenRecursiveMembershipIsDisabled, line 27 uses assertTrue(filter.getMatchingRuleID() == null). This should use assertNull(filter.getMatchingRuleID()) for clearer failure messages and consistency with the rest of the assertions in the file.

Options

Display: compact → Showing less information.

Comment with these commands to change:

Compact

gitar display:verbose

_{Was this helpful? React with 👍 / 👎 | Gitar}

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ui'

Issues
1021 New issues
0 Accepted issues

Measures
15 Security Hotspots
0.0% Coverage on New Code
3.8% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'open-metadata-ingestion'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud