
How to bind and query LDAP server without specifying user credentials

Currently my Mac has been successfully configured to be in Active Directory Domain. (System Preferences -> Users & Groups -> Login Options -> Network Account Server)

We are developing a Mac application that has the following requirements:

  1. It should communicate with the LDAP server in Active Directory Domain and retrieve users & their attributes from the LDAP server.
  2. While communicating (bind or search) with the LDAP server, we are not allowed to explicitly specify the logged-in user's credentials. (e.g. we should not prompt the user with a username / password screen)

If we explicitly specify logged-in user's credentials,

• we are able to bind to the LDAP server

• we are able to search the users & their attributes in LDAP server.

If we do not specify logged-in user's credentials,

• we are able to bind to the LDAP server

• but it does not allow us to search the users & their attributes in LDAP server.

We are currently using the OpenLDAP framework for LDAP operations.

Is there a way in which we can use the logged-in user's credentials implicitly while communicating with the LDAP server?

Can you please guide us on how we can query the LDAP server (search users & their attributes in the LDAP server) without specifying the logged-in user's credentials explicitly?

Any kind of help is highly appreciated.

Is there a way in which we can use the logged-in user's credentials implicitly while communicating with the LDAP server?

Maybe.

IF you CAN set up Kerberos (and SPNEGO is using a WEB browser) you might be able to obtain a "ticket" that you could then use with GSSAPI to authenticate the user.

You would probably be more secure if you used one of the many third-party Access Manager products to perform these services, due to the inherent security risks involved.
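
The Kerberos/GSSAPI route suggested in the answer, as an added shell example that is not part of the original thread: the bind uses the ticket already held by the login session, so no bind DN or password is supplied. It assumes the OpenLDAP client tools (`ldapsearch`, `ldapwhoami`) are built with SASL/GSSAPI support; the function names are hypothetical and the server URI, base DN and filter in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: query LDAP as the logged-in user through SASL/GSSAPI.
# Function names are hypothetical; URI, base DN and filter come from the caller.

# Return 0 only if the session's credential cache holds a valid Kerberos ticket.
# `klist -s` prints nothing and reports the result through its exit status.
have_ticket() {
    klist -s 2>/dev/null
}

# Print the identity the directory server sees after a GSSAPI bind.
# Useful to confirm the bind is authenticated rather than anonymous.
# usage: ldap_whoami_sso URI
ldap_whoami_sso() {
    if ! have_ticket; then
        echo "no valid Kerberos ticket in the credential cache" >&2
        return 3
    fi
    ldapwhoami -Q -Y GSSAPI -H "$1"
}

# Search with the ticket-derived identity. No -x, -D or -w is passed:
# -Y GSSAPI selects the SASL mechanism and -Q suppresses SASL prompts.
# usage: ldap_search_sso URI BASE_DN FILTER [ATTR...]
ldap_search_sso() {
    if [ "$#" -lt 3 ]; then
        echo "usage: ldap_search_sso URI BASE_DN FILTER [ATTR...]" >&2
        return 2
    fi
    # Stop with a clear status when there is no ticket, before contacting the server.
    if ! have_ticket; then
        echo "no valid Kerberos ticket in the credential cache" >&2
        return 3
    fi
    uri=$1
    base=$2
    filter=$3
    shift 3
    ldapsearch -Q -LLL -Y GSSAPI -H "$uri" -b "$base" "$filter" "$@"
}

# Constructed usage (placeholder host and DN):
#   ldap_whoami_sso ldap://dc01.example.test
#   ldap_search_sso ldap://dc01.example.test "dc=example,dc=test" \
#       "(objectClass=user)" cn mail
```

The OpenLDAP C library exposes the same mechanism through `ldap_sasl_interactive_bind_s` with the mechanism name `GSSAPI`.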


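Notice: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.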
