
AD via LDAP - How can I return all ancestor groups from a query?

I am querying Active Directory via LDAP (from Java and PHP) to build a list of all groups that a user is a member of. This list must contain at least all groups (organizational units optional) that contain groups the user is directly a member of. For example:

User1 is a member of GroupA, GroupB, and GroupC.

GroupA is a member of GroupD.

I am looking for a way to construct an LDAP query that will return GroupA, GroupB, GroupC, and GroupD all at once.

My current implementation is below, but I am looking for a more efficient way to gather this information.

Current Naive Implementation (in pseudo-code)

user = ldap_search('samaccountname=johndoe', baseDN);
allGroups = array();
foreach (user.getAttribute('memberOf') as groupDN) {
    allGroups.push(groupDN);
    allGroups = allGroups.merge(getAncestorGroups(groupDN));
}

function getAncestorGroups(groupDN) {
    allGroups = array();
    group = ldap_lookup(groupDN);
    parents = group.getAttribute('memberOf');
    foreach (parents as groupDN) {
        allGroups.push(groupDN);
        allGroups = allGroups.merge(getAncestorGroups(groupDN));
    }
    return allGroups;
}

Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.

Here is an example of how to retrieve all users in a group, including nested groups:

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))

where {0} is the DN of the parent group.
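The same matching rule (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941) works in the other direction as well, which is what the question asks for: a filter on the `member` attribute with the user's DN returns every group the user belongs to, directly or through nesting, in one search. The Python below is an added example, not code from the answer or from any library; the DNs in it are constructed, and `escape_filter_value` shows the RFC 4515 escaping that has to be applied to whatever is substituted for `{0}` so that a DN containing `(`, `)`, `*` or `\` cannot alter the filter (LDAP filter injection).

```python
# Added example: building LDAP_MATCHING_RULE_IN_CHAIN filters with RFC 4515
# escaping of the substituted DN. Not taken from the original answer; the
# sample DNs below are constructed.

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as RFC 4515 section 3 requires.

    The characters '\\', '*', '(', ')' and NUL are replaced by a backslash
    followed by their two hex digits; everything else passes through.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def users_in_group_filter(group_dn: str) -> str:
    """All user objects whose membership chain leads to group_dn
    (the filter shown in the answer, with {0} filled in safely)."""
    return "(&(objectClass=user)(memberOf:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN,
        escape_filter_value(group_dn),
    )


def groups_of_user_filter(user_dn: str) -> str:
    """All group objects that contain user_dn directly or through nesting
    (the direction the question asks about: GroupA..GroupD in one search)."""
    return "(&(objectClass=group)(member:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN,
        escape_filter_value(user_dn),
    )


if __name__ == "__main__":
    # Constructed sample DNs; the second one carries filter metacharacters.
    print(groups_of_user_filter("CN=John Doe,OU=Users,DC=example,DC=com"))
    print(users_in_group_filter("CN=Ops (EU) *,OU=Groups,DC=example,DC=com"))
```

Run the resulting filter as a subtree search under the domain base DN with `distinguishedName` (or `cn`) in the requested attributes, and the server does the recursion for you, including any looped group inclusions. On very large directories this chained match is noticeably more expensive than a plain equality match, so it is worth measuring before relying on it in a hot path.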

You need to map the directory tree as you move through it, so you can check whether you have previously explored a DN; some Active Directories contain looped group inclusions, so you'll need to guard against it.

This solution also doesn't require recursion.

In some pseudo code

def getGroupsOfDN(userDN)
  groups = []
  groupsExplored = []
  groupsToExplore = []

  current = userDN
  groupsToExplore << userDN
  groupsExplored << userDN

  while (!groupsToExplore.empty?)
    # ldap_lookup is a placeholder for a base-scope read of the DN
    ldapentry = ldap_lookup(current)

    if (!ldapentry.nil?)
      # the starting entry is the user, not a group
      groups << current unless current == userDN
      current_groups = ldapentry.getAttributes("memberOf")
      current_groups.each do |groupDN|
        # only queue a DN we have not seen before; this is the loop guard
        if (!groupsExplored.include?(groupDN))
          groupsToExplore << groupDN
          groupsExplored << groupDN
        end
      end
    end

    groupsToExplore.delete(current)
    if (!groupsToExplore.empty?)
      current = groupsToExplore.first
    end
  end
  return groups
end
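The walk described in this answer, carried out in Python over a constructed in-memory directory, as an added example that is not part of the answer: the dictionary stands in for the LDAP server, `lookup_member_of` stands in for the base-scope read the answer calls `ldap_lookup`, and GroupA and GroupD reference each other to reproduce the looped inclusion the answer warns about. GroupB also lists a parent that does not exist, which exercises the nil-entry check.

```python
from collections import deque

# Constructed sample directory: DN -> list of memberOf values. GroupA and
# GroupD point at each other (a membership loop), and GroupB names a parent
# that has no entry at all. None of this is real directory data.
SAMPLE_DIRECTORY = {
    "CN=User1,OU=Users,DC=example,DC=com": [
        "CN=GroupA,OU=Groups,DC=example,DC=com",
        "CN=GroupB,OU=Groups,DC=example,DC=com",
        "CN=GroupC,OU=Groups,DC=example,DC=com",
    ],
    "CN=GroupA,OU=Groups,DC=example,DC=com": [
        "CN=GroupD,OU=Groups,DC=example,DC=com",
    ],
    "CN=GroupB,OU=Groups,DC=example,DC=com": [
        "CN=Missing,OU=Groups,DC=example,DC=com",  # dangling reference
    ],
    "CN=GroupC,OU=Groups,DC=example,DC=com": [],
    "CN=GroupD,OU=Groups,DC=example,DC=com": [
        "CN=GroupA,OU=Groups,DC=example,DC=com",  # closes the loop
    ],
}


def lookup_member_of(directory, dn):
    """Stand-in for a base-scope LDAP read of `dn` that returns its memberOf
    values, or None when no entry exists (the answer's nil check)."""
    return directory.get(dn)


def ancestor_groups(directory, user_dn):
    """Return every group reachable from user_dn through memberOf, without
    recursion and without revisiting a DN.

    Each DN is looked up exactly once because it is marked explored at the
    moment it is queued, so a loop such as GroupA <-> GroupD terminates.
    Active Directory returns DNs in memberOf in a consistent form, so a
    plain string comparison is enough for the explored set here.
    """
    explored = {user_dn}
    to_explore = deque([user_dn])
    groups = []
    while to_explore:
        current = to_explore.popleft()
        parents = lookup_member_of(directory, current)
        if parents is None:
            continue  # dangling DN: skip it, nothing to expand
        if current != user_dn:
            groups.append(current)  # the start entry is the user, not a group
        for parent in parents:
            if parent not in explored:
                explored.add(parent)
                to_explore.append(parent)
    return groups


if __name__ == "__main__":
    for dn in ancestor_groups(SAMPLE_DIRECTORY, "CN=User1,OU=Users,DC=example,DC=com"):
        print(dn)
```

Against a live directory, replace `lookup_member_of` with a base-scope search for the DN requesting only the `memberOf` attribute; the number of round trips equals the number of distinct groups in the closure, which is the cost the chained-match filter from the other answer avoids.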
