Get groups and users from LDAP
Hi, I am trying to fetch all posixGroup entries from LDAP and the users in these groups. The code below is what I have done so far; it returns all the groups, but I am not sure how to get the users for these groups. Please guide me: is this approach good, or should I first get the users and then, based on the GID, get the group name?
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NameNotFoundException;
    import javax.naming.NamingEnumeration;
    import javax.naming.NamingException;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;

    public class LdapGroups {

        public static void main(String[] args) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://192.168.*.*:389");
            env.put(Context.URL_PKG_PREFIXES, "com.sun.jndi.url");
            env.put(Context.REFERRAL, "ignore");
            // Simple bind sends the password in clear text over plain ldap://;
            // use ldaps:// or StartTLS outside a test setup.
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, "cn=manager,dc=*,dc=*");
            env.put(Context.SECURITY_CREDENTIALS, "****");

            DirContext ctx;
            try {
                ctx = new InitialDirContext(env);
            } catch (NamingException e) {
                throw new RuntimeException(e);
            }

            NamingEnumeration<SearchResult> results = null;
            try {
                SearchControls controls = new SearchControls();
                controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                results = ctx.search("ou=path,dc=*,dc=*", "(objectClass=posixGroup)", controls);
                // Go through each group entry in the result
                while (results.hasMore()) {
                    SearchResult nc = results.next();
                    Attributes att = nc.getAttributes();
                    System.out.println("Group Name " + att.get("cn").get(0));
                    // LDAP attribute names are case-insensitive; the RFC 2307 schema spells it gidNumber
                    System.out.println("GID " + att.get("gidNumber").get(0));
                }
            } catch (NameNotFoundException e) {
                System.out.println("Error : " + e);
            } catch (NamingException e) {
                throw new RuntimeException(e);
            } finally {
                if (results != null) {
                    try {
                        results.close();
                    } catch (Exception e) {
                        System.out.println("Error : " + e);
                    }
                }
                if (ctx != null) {
                    try {
                        ctx.close();
                    } catch (Exception e) {
                        System.out.println("Error : " + e);
                    }
                }
            }
        }
    }
It depends on which attribute the groups in your directory use to denote membership. posixGroup uses memberUid with the username as value (defined in RFC 2307). There are other possible attributes (member, uniqueMember) and values (DN), so check what your directory uses.
So in order to load all users from a group, you would have to:
1. query the group object: (&(objectClass=posixGroup)(cn=<group name>))
2. get all values of memberUid in the group, and for each one:
3. query the user object (&(objectClass=posixAccount)(uid=<memberUid>)) and read its uidNumber.
This is not a very efficient way of doing it because it will generate lots of small queries, but as far as I know, LDAP has no means to join a group entry with the user entries it references in a single result (unlike SQL).
You could optimise it a bit by limiting results to the attributes you actually need: gidNumber for the group query and uidNumber for the user query, using either SearchControls.setReturningAttributes() or a version of DirContext.search() that takes an attributesToReturn argument. It doesn't reduce the number of queries though, only the volume of data returned.
posixAccount and posixGroup objects (unless your directory server does it, but I doubt it will), otherwise it becomes inconsistent.