
How to check if a user is in an LDAP group

Problem

I want to see if user "john" is in group "Calltaker". I can't seem to get the syntax right on my search filter to check for a specific user in a specific group. I can list all users in a group to verify the desired user is there.

Questions

  1. What is the right syntax for an LDAP search filter to determine if a specific user is in a specific group (in Tivoli Access Manager)?
  2. What should I check on the returned LDAPEntry object given by that search string to see that the user is, or isn't, in the group?

Info

  1. john is defined in "cn=users,dc=ldap,dc=net"
  2. Calltaker is defined in "cn=groups,dc=ldap,dc=net"
  3. I'm querying against TAM's LDAP, from Java

Using the search filter "cn=Calltaker" I can print out the search results such that calling nextEntry.toString contains the list of users. See Example 1 below.

Here are a few search filters I've tried that don't work (aka searchResults.next() throws an error):

(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=groups,dc=ldap,dc=net))
(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net))
(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net)

Example 1) only search the group, using searchFilter="cn=Calltaker", and verify it contains users:

System.out.println(nextEntry.toString()); //added newlines for readability
 nextEntry: 
 LDAPEntry: 
 cn=Calltaker,cn=groups,dc=ldap,dc=net; 
 LDAPAttributeSet: 
 LDAPAttribute: {type='objectclass', values='groupOfUniqueNames','top'} 
 LDAPAttribute: {type='uniquemember', 
  values=
     'uid=placeholder,cn=users,dc=ldap,dc=net',
     'secAuthority=default',
     'uid=john,cn=users,dc=ldap,dc=net',
     'uid=sally,cn=users,dc=ldap,dc=net', ....etc

Code:

public boolean isUserInGroup(String username) throws LDAPException, UnsupportedEncodingException {
    boolean userInGroup = false;

    // admin_username, admin_password, hosts and connect() are fields/helpers of the
    // surrounding class and are not shown in the post
    String loginDN = "uid=" + admin_username + "," + "cn=users,dc=ldap,dc=net";
    String searchBase = "cn=groups,dc=ldap,dc=net";
    int searchScope = LDAPConnection.SCOPE_SUB;
    // Filter as originally posted; this version does not work (see the EDIT below)
    String searchFilter = "(&(objectclass=ePerson)(uniquemember=uid=" + username + ",cn=users,dc=ldap,dc=net))";

    //Connect
    LDAPConnection lc = connect(hosts);
    lc.bind(LDAPConnection.LDAP_V3, loginDN, admin_password.getBytes("UTF8"));
    lc.getAuthenticationDN();

    LDAPSearchResults searchResults = lc.search(searchBase,
            searchScope,
            searchFilter,
            null,           // return all attributes
            false);         // return attrs and values

    while (searchResults.hasMore()) {
        LDAPEntry nextEntry = null;
        try {
            nextEntry = searchResults.next();
        } catch (LDAPException e) {
            // Exception is thrown, go for next entry
            if (e.getResultCode() == LDAPException.LDAP_TIMEOUT || e.getResultCode() == LDAPException.CONNECT_ERROR)
                break;
            else
                continue;
        }
        //TODO some check to verify nextEntry shows the user in the group
        userInGroup = true;
        // Dump every attribute of the returned entry for debugging
        LDAPAttributeSet attributeSet = nextEntry.getAttributeSet();
        Iterator<LDAPAttribute> allAttributes = attributeSet.iterator();
        while (allAttributes.hasNext()) {
            LDAPAttribute attribute = allAttributes.next();
            String attributeName = attribute.getName();
            System.out.println("found attribute '" + attributeName + "' with value '" + attribute.getStringValue() + "'");
        }
    }
    lc.disconnect();
    return userInGroup;
}

** EDIT **

Implemented the answer from EJP; changed searchBase to include the group.

Code that works:

// Imports assume the Novell JLDAP library (com.novell.ldap), which the calls below match
import java.io.UnsupportedEncodingException;
import com.novell.ldap.LDAPConnection;
import com.novell.ldap.LDAPEntry;
import com.novell.ldap.LDAPException;
import com.novell.ldap.LDAPSearchResults;

private static final String admin_username = "foo";
private static final String admin_password = "<admin password, not given in the post>";
private static final String[] hosts = new String[]{"foohost.net"};

// connect(hosts) is the poster's own helper that opens the LDAPConnection; it is not shown in the post
public boolean isUserInGroup(String username, String group) throws LDAPException, UnsupportedEncodingException {
    boolean userInGroup = false;

    String loginDN = "uid=" + admin_username + "," + "cn=users,dc=ldap,dc=net";
    // Search base is the group entry itself, so any result means the user is a member
    String searchBase = "cn=" + group + "," + "cn=groups,dc=ldap,dc=net";
    int searchScope = LDAPConnection.SCOPE_SUB;
    // Note: username is concatenated straight into the filter; EJP's answer recommends filter arguments instead
    String searchFilter = "(&(objectclass=groupOfUniqueNames)(uniquemember=uid=" + username + ",cn=users,dc=ldap,dc=net))";

    //Connect
    LDAPConnection lc = connect(hosts);
    lc.bind(LDAPConnection.LDAP_V3, loginDN, admin_password.getBytes("UTF8"));
    lc.getAuthenticationDN();

    LDAPSearchResults searchResults = lc.search(searchBase,
            searchScope,
            searchFilter,
            null,           // return all attributes
            false);         // return attrs and values

    while (searchResults.hasMore()) {
        LDAPEntry nextEntry = null;
        try {
            nextEntry = searchResults.next();
        } catch (LDAPException e) {
            // Exception is thrown, go for next entry
            if (e.getResultCode() == LDAPException.LDAP_TIMEOUT || e.getResultCode() == LDAPException.CONNECT_ERROR)
                break;
            else
                continue;
        }
        //A result was found, therefore the user is in the group
        userInGroup = true;
    }
    lc.disconnect();
    return userInGroup;
}

Answer (from EJP)

What is the right syntax for an LDAP search filter to determine if a specific user is in a specific group (in Tivoli Access Manager)?

Either of the filters you used, but the objectClass to search on is groupofUniqueNames (plural).

What should I check on the returned LDAPEntry object given by that search string to see that the user is, or isn't, in the group?

Nothing. He will be, otherwise the group won't be returned in the search. All you need to do is check that the search result is non-empty.

Here are a few search filters I've tried that don't work (aka searchResults.next() throws an error):

Throws what error?

(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=groups,dc=ldap,dc=net))

Nothing wrong with this except for groupOfUniqueName. You should use search filter arguments like {0} rather than building them into the search string.

(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net))

This one will search the cn=users subtree for a group. It won't work unless you have groups under cn=users, which doesn't seem likely.

(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net)

This will select non-groups. You don't want that: you need the objectClass part.
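EJP's point about not building the username into the search string is the security-relevant one here. The following is an added Python example (not the poster's Java and not EJP's code) that builds the same filter and search base as the working version above, but with RFC 4514 escaping for the uid inside the DN and RFC 4515 escaping for that DN inside the filter, so that user input cannot change the filter's structure; the search callable passed to is_user_in_group is an assumption standing in for a real LDAP client.

```python
# Two layers of escaping apply: the uid is an RDN value inside a DN (RFC 4514),
# and that whole DN is then an assertion value inside a filter (RFC 4515).
# Standard library only; the search callable at the bottom is an assumption.

USERS_BASE = "cn=users,dc=ldap,dc=net"    # from the question
GROUPS_BASE = "cn=groups,dc=ldap,dc=net"  # from the question

# RFC 4514 2.4: characters that must be escaped anywhere in an RDN value.
_DN_SPECIAL = ',+"\\<>;'
# RFC 4515 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, len(value) - 1):   # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                      # leading hash
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def member_dn(username: str) -> str:
    """DN of the user entry, laid out as in the question."""
    return "uid=" + escape_dn_value(username) + "," + USERS_BASE


def membership_filter(username: str) -> str:
    """EJP's filter: a groupOfUniqueNames whose uniquemember is this user's DN."""
    return ("(&(objectclass=groupOfUniqueNames)(uniquemember="
            + escape_filter_value(member_dn(username)) + "))")


def search_base(group: str) -> str:
    """The poster's working searchBase: the group entry itself."""
    return "cn=" + escape_dn_value(group) + "," + GROUPS_BASE


def is_user_in_group(search, username: str, group: str) -> bool:
    """search(base, filter) -> list of entries is assumed; non-empty means member."""
    return len(search(search_base(group), membership_filter(username))) > 0
```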
