Failing to find groups by member in Active Directory with java ldap
My ldap queries from Java aren't returning any group objects when my filter is about a member contained in the groups. These queries work using other tools, like ldp or the Active Directory Users and Group tab. But in java they return nothing:
Options: scope=subtree, requested attributes={"sAMAccountName"}
Search base: OU=Groups,DC=blah
Filter: (member=CN=Hunt\, Jeremy (Admin),OU=Users,DC=blah)
// no results
However, I can successfully query the other way round:
Options: scope=subtree, requested attributes={"member"}
Search base: OU=Groups,DC=blah
Filter: (&)
// returns Admins group, member=CN=Hunt\, Jeremy (Admin),OU=Users,DC=blah
So specifically, the issue is I can't seem to filter on (member={0}) or unless I'm also using scope=base. But I need a subtree search that returns groups.
What could be the problem? What can I ask the admins to check?
The correct escaping for DNs within ldap query filters should be according to RFC 2254. You need to handle backslash, asterisk, brackets/parentheses, and NUL.
For example, from the Apache Tomcat source of JNDIRealm.java:
    // Escapes the characters that are special inside an LDAP search filter
    // (RFC 2254): each one is replaced by a backslash and its two-digit hex code.
    protected String doRFC2254Encoding(String inString) {
        StringBuilder buf = new StringBuilder(inString.length());
        for (int i = 0; i < inString.length(); i++) {
            char c = inString.charAt(i);
            switch (c) {
                case '\\':
                    buf.append("\\5c");
                    break;
                case '*':
                    buf.append("\\2a");
                    break;
                case '(':
                    buf.append("\\28");
                    break;
                case ')':
                    buf.append("\\29");
                    break;
                case '\0':
                    buf.append("\\00");
                    break;
                default:
                    buf.append(c);
                    break;
            }
        }
        return buf.toString();
    }
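The escaping described in the answer, applied to the member DN from the question, as an added example that is not part of the original post or of Tomcat. The class and method names (`MemberFilterExample`, `escapeFilterValue`, `groupsOf`) are hypothetical; `groupsOf` uses the standard JNDI `DirContext.search` overload that takes filter arguments and assumes an already-connected context.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class MemberFilterExample {

    // Escape a value before placing it in an LDAP filter (RFC 2254 rules):
    // backslash, asterisk, parentheses and NUL become "\" + two hex digits.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': case '*': case '(': case ')': case '\0':
                    out.append(String.format("\\%02x", (int) c));
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    // Alternative to manual escaping: pass the DN as a filter argument.
    // JNDI substitutes {0} and escapes string arguments per RFC 2254.
    static NamingEnumeration<SearchResult> groupsOf(
            DirContext ctx, String searchBase, String memberDn) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"sAMAccountName"});
        return ctx.search(searchBase, "(member={0})", new Object[] {memberDn}, controls);
    }

    public static void main(String[] args) {
        // The member DN from the question. The "\," is DN-level escaping of the
        // comma; the filter needs its own escaping applied on top of that.
        String memberDn = "CN=Hunt\\, Jeremy (Admin),OU=Users,DC=blah";

        // Concatenated as-is, "(Admin)" is read as filter syntax and "\," is
        // not a valid filter escape, so the value no longer matches the stored DN.
        System.out.println("unescaped: (member=" + memberDn + ")");
        System.out.println("escaped:   (member=" + escapeFilterValue(memberDn) + ")");
    }
}
```

Escaping every value that is concatenated into a filter, or passing it as a filter argument, also keeps a user-supplied name from changing the structure of the filter.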