
Query to retrieve all groups a user belongs to in LDAP

While authenticating the user against LDAP in Microsoft Active Directory, I'm trying to get all the groups that specific user belongs to. The following code is in Java. What I'm doing at the moment is the following:

import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.logging.Logger;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

private static final Logger logger = Logger.getLogger("ldap-auth");

public static List<String> authenticate(String username, String password) throws Exception {

        String LDAPURL = MY_LDAP_URL;
        String userBase = MY_USERBASE; // format "dc=***,dc=com"
        ArrayList<String> groups = new ArrayList<String>();

        Hashtable<String, String> environment = new Hashtable<String, String>();
        environment.put(Context.INITIAL_CONTEXT_FACTORY,
                "com.sun.jndi.ldap.LdapCtxFactory");
        environment.put(Context.PROVIDER_URL, LDAPURL);
        environment.put(Context.SECURITY_AUTHENTICATION, "simple");

        // Simple bind as the user: this is the authentication step
        environment.put(Context.SECURITY_PRINCIPAL, username);
        environment.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = new InitialDirContext(environment);
        try {
            SearchControls ctls = new SearchControls();
            String[] attributes = {"cn", "memberOf"};
            ctls.setReturningAttributes(attributes);
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);

            // LDAP filters are delimited by parentheses, not braces. Note that
            // username is concatenated unescaped, so filter metacharacters in it
            // are passed straight through to the directory.
            String searchFilters = "(sAMAccountName=" + username + ")";
            NamingEnumeration<SearchResult> answer = ctx.search(userBase, searchFilters, ctls);
            if (answer == null || !answer.hasMore()) {
                logger.info("No result found");
            } else {
                SearchResult result = answer.next();
                Attributes attrs = result.getAttributes();
                Attribute memberAttr = attrs.get("memberOf");
                // memberOf is absent when the user is a direct member of no group
                if (memberAttr != null) {
                    NamingEnumeration<?> e = memberAttr.getAll();
                    while (e.hasMore()) {
                        String group = (String) e.next();
                        groups.add(group);
                        logger.info(group);
                    }
                }
            }
        } finally {
            ctx.close();
        }
        return groups;
}

I have tried several ways of doing my query, for example:

String searchFilters = "(&(uid="+username+"),(ou=users),(memberOf=*))"

Or

String searchFilters = "(&(objectClass=groupOfNames)(member=cn=" + username + ")(memberOf=*))"

Or

String searchFilters = "(&(userPrincipalName=" + username + ")(memberOf=*))"

In none of the cases were any groups retrieved. In some of the cases the login itself failed as well (in some cases it worked but still no groups were returned). What is the correct way to retrieve the groups?

Although you can bind with "username" and some other attributes, using ANR, ONLY when using Microsoft Active Directory, you will need to obtain the Fully Distinguished Name for the user to perform many LDAP Searches.

Assuming username is the samAccountName, which is always Unique within an AD Forest, your Authentication should work.

After Authentication you can obtain the DN of the entry and then perform a search for Groups the user is a member of. For all groups the user is a member of, including nested groups, this will usually work:

(member:1.2.840.113556.1.4.1941:=(CN=UserName,CN=Users,DC=YOURDOMAIN,DC=NET))

We have several JNDI Examples in a code repository.
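A worked version of the approach in the answer above (bind as the user, resolve the entry's DN, then search with the 1.2.840.113556.1.4.1941 matching rule for nested membership), added here as an example; it is not code from the question, the answer or the linked repository. The class name, the UPN-style bind and the `domain` parameter are assumptions, and every value placed in a filter is escaped so a username containing filter metacharacters cannot change the query.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class AdGroupLookup {
    // Escape a value for use inside an LDAP filter (RFC 4515); backslash must go first.
    static String escapeFilterValue(String s) {
        return s.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }

    // Bind as the user (the authentication step), resolve the user's DN, then return
    // the cn of every group that DN is a member of, nested groups included, using the
    // LDAP_MATCHING_RULE_IN_CHAIN rule from the answer. `domain` is assumed (UPN bind).
    static List<String> groupsOf(String url, String base, String domain,
                                 String sam, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);              // prefer ldaps:// so the bind password is encrypted
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, sam + "@" + domain);
        env.put(Context.SECURITY_CREDENTIALS, password);
        DirContext ctx = new InitialDirContext(env);    // throws AuthenticationException on bad credentials
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName"});
            NamingEnumeration<SearchResult> users = ctx.search(base,
                "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(sam) + "))", sc);
            if (!users.hasMore()) return new ArrayList<>();
            String dn = (String) users.next().getAttributes().get("distinguishedName").get();
            // The DN becomes a filter value, so it is escaped too (a cn may contain parentheses)
            sc.setReturningAttributes(new String[] {"cn"});
            NamingEnumeration<SearchResult> groups = ctx.search(base,
                "(member:1.2.840.113556.1.4.1941:=" + escapeFilterValue(dn) + ")", sc);
            List<String> names = new ArrayList<>();
            while (groups.hasMore()) names.add((String) groups.next().getAttributes().get("cn").get());
            return names;
        } finally {
            ctx.close();
        }
    }
}
```

The second search returns one entry per group (direct or transitive) rather than reading memberOf, so it also covers membership inherited through nested groups, which memberOf alone does not list.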
