We use kerberos-sso, ldap plugin, and role strategy for authentication and authorization.
A freeipa is configured as ldap server.
Authorization work well with kerberos login. However, with basic authentication, ldap plugin doesn't return indirect groups of user for authorization.
test.groovy: script for check return authorities of login
ldap-plugin.conf: a part of ldap plugin config
0001-Fix-bug-basic-authentication-can-t-work-with-group-m.patch: a temporary solution