
How to get all the LDAP groups for a particular user?

I have a WebLogic server using an external LDAP as the provider for authentication. I then need to recover the groups that a specific user is associated with in the LDAP repository.

The login uses the standard Java notation:

<form method="POST" action="j_security_check">
<p>Username: <input type="text" name="j_username"/></p>
<p>Password: <input type="password" name="j_password"/></p>
<input type="submit" value="Login"/>
</form>

And after the login I can recover the Principal using: <%= request.getUserPrincipal() %>

But what I need now is to recover all the associated groups for this principal from LDAP. Is it possible?

[]s

It may not be possible to get a list of all groups without using LDAP. JAAS APIs generally give you a way to ask whether the user belongs to a certain group, but not to get all groups at once.

The best you may be able to do without accessing LDAP directly is something like:

// allGroups: the role names the application knows about; isUserInRole can only
// answer membership one role at a time, so each one is probed in turn.
List<String> userGroups = new ArrayList<>();
for (String group : allGroups) {
  if (request.isUserInRole(group)) {
    userGroups.add(group);
  }
}

The performance hit should not be too bad if you do it once on session creation and then make userGroups session-scoped. (The container may well get all the groups on login.)

I had the same problem. Looking on Google I found this: http://buttso.blogspot.com/2011/06/weblogic-server-listing-groups-of.html

I hope this helps you!

There might be many answers. One possible answer is to construct a base DN using the principal, query the directory server using a scope of base and a filter '(&)', and request the isMemberOf attribute. For example, on my test system, using a modern ldapsearch command line tool and a principal of user.0:

ldapsearch --hostname localhost --port 1389 \
    --bindDN 'cn=directory manager' --baseDn \
    'uid=user.0,ou=people,dc=example,dc=com' \
    --searchScope base '(&)' isMemberOf
Password for user 'cn=directory manager':
dn: uid=user.0,ou=people,dc=example,dc=com
isMemberOf: cn=shadow entries,ou=groups,dc=example,dc=com
isMemberOf: cn=persons,ou=groups,dc=example,dc=com

This method requires knowledge of the namingContext, in this case dc=example,dc=com, and of where the users are located in the tree. Another, similar method when the location of the user is not known would be to first search for the user, then use the distinguished name from the search results to perform the above query. If the namingContext is not known, it might be possible to discover the namingContext from the root DSE. To recover the namingContext from the root DSE, see this article.

There are some widely used directory servers that do not correctly support the LDAP standard and will reject the filter '(&)'. If your directory server is one of these, simply substitute the presence filter '(objectClass=*)'. There are many LDAP SDKs for Java; the one I prefer is the one from UnboundID.
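The two-step procedure from this answer (search for the user, then read isMemberOf with a base-scope search and a presence filter) written in Java with the UnboundID LDAP SDK the answerer mentions, as an added example that is not part of the original answer. It assumes the namingContext dc=example,dc=com, that the principal name returned by request.getUserPrincipal().getName() is the user's uid, and that groups use member or uniqueMember. The directory is a constructed one: the SDK's InMemoryDirectoryServer stands in for the real server so the code runs offline. That in-memory server does not compute the isMemberOf virtual attribute, which is exactly the case of a server that lacks it, so the example falls back to searching group entries by member. The principal name comes from the login form, so it is never concatenated into a filter string; Filter.createEqualityFilter escapes it, which is what prevents LDAP filter injection.

```java
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPInterface;
import com.unboundid.ldap.sdk.ResultCode;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;

import java.util.ArrayList;
import java.util.List;

public class GroupsForPrincipal {

    // Assumed namingContext; in production discover it from the root DSE.
    static final String BASE_DN = "dc=example,dc=com";

    /** Step 1: find the user's DN. The uid is untrusted form input, so it goes
     *  through createEqualityFilter, which escapes filter metacharacters. */
    static String findUserDN(LDAPInterface ldap, String principalName) throws LDAPException {
        Filter f = Filter.createANDFilter(
                Filter.createEqualityFilter("objectClass", "inetOrgPerson"),
                Filter.createEqualityFilter("uid", principalName));
        // "1.1" requests no attributes; only the DN is needed.
        List<SearchResultEntry> hits = ldap.search(BASE_DN, SearchScope.SUB, f, "1.1").getSearchEntries();
        if (hits.size() != 1) {
            throw new LDAPException(ResultCode.NO_RESULTS_RETURNED,
                    "expected exactly one entry for uid, got " + hits.size());
        }
        return hits.get(0).getDN();
    }

    /** Step 2a: base-scope read of isMemberOf. The presence filter is the
     *  portable replacement for '(&)', which some servers reject. */
    static List<String> groupsViaIsMemberOf(LDAPInterface ldap, String userDN) throws LDAPException {
        SearchResultEntry e = ldap.searchForEntry(userDN, SearchScope.BASE,
                Filter.createPresenceFilter("objectClass"), "isMemberOf");
        List<String> groups = new ArrayList<>();
        if (e != null && e.hasAttribute("isMemberOf")) {
            for (String g : e.getAttributeValues("isMemberOf")) groups.add(g);
        }
        return groups;
    }

    /** Step 2b: fallback for servers without isMemberOf: find the group entries
     *  whose member or uniqueMember attribute names the user's DN. */
    static List<String> groupsViaMemberSearch(LDAPInterface ldap, String userDN) throws LDAPException {
        Filter f = Filter.createORFilter(
                Filter.createEqualityFilter("member", userDN),
                Filter.createEqualityFilter("uniqueMember", userDN));
        List<String> groups = new ArrayList<>();
        for (SearchResultEntry g : ldap.search(BASE_DN, SearchScope.SUB, f, "1.1").getSearchEntries()) {
            groups.add(g.getDN());
        }
        return groups;
    }

    static List<String> groupsForPrincipal(LDAPInterface ldap, String principalName) throws LDAPException {
        String userDN = findUserDN(ldap, principalName);
        List<String> groups = groupsViaIsMemberOf(ldap, userDN);
        return groups.isEmpty() ? groupsViaMemberSearch(ldap, userDN) : groups;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample directory (stand-in for the real server; it does
        // not compute isMemberOf, so the fallback path is exercised).
        InMemoryDirectoryServerConfig cfg = new InMemoryDirectoryServerConfig(BASE_DN);
        cfg.setSchema(null);
        InMemoryDirectoryServer ds = new InMemoryDirectoryServer(cfg);
        ds.add("dn: " + BASE_DN, "objectClass: domain", "dc: example");
        ds.add("dn: ou=people," + BASE_DN, "objectClass: organizationalUnit", "ou: people");
        ds.add("dn: ou=groups," + BASE_DN, "objectClass: organizationalUnit", "ou: groups");
        ds.add("dn: uid=user.0,ou=people," + BASE_DN, "objectClass: inetOrgPerson",
               "uid: user.0", "cn: User Zero", "sn: Zero");
        ds.add("dn: cn=persons,ou=groups," + BASE_DN, "objectClass: groupOfNames",
               "cn: persons", "member: uid=user.0,ou=people," + BASE_DN);
        ds.add("dn: cn=shadow entries,ou=groups," + BASE_DN, "objectClass: groupOfNames",
               "cn: shadow entries", "member: uid=user.0,ou=people," + BASE_DN);

        System.out.println(groupsForPrincipal(ds, "user.0"));

        // An injection attempt is escaped into a literal uid and matches nothing.
        try {
            groupsForPrincipal(ds, "*)(uid=*");
        } catch (LDAPException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Against a real server, pass an LDAPConnection (or LDAPConnectionPool) in place of the in-memory server; both implement LDAPInterface, so the lookup code is unchanged. On servers that do compute isMemberOf, step 2a returns the list and the member search is never issued.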

Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site or the original URL. For any questions, contact yoyou2525@163.com.
