

Nested Group LDAP Search Filter

I need information regarding an LDAP search filter to extract nested group membership. Basically, my idea is, say for instance, a user belongs to 5 groups [A, B, C, D, E]. Can I write a single LDAP search query to get the member groups of which group [A, B, C, D, E] may be a part? And can I use this logic recursively to retrieve all group information till the complete root of the AD?

And I need this solution to be for generic AD, so I cannot use the LDAP_RULE_IN_CHAIN filter, which works only for MS AD.

Groups are not something defined in the LDAP standard. As far as LDAP is concerned, group entries are just LDAP entries -- nothing more. The implementation of group support, including how data structures like nested and dynamic groups are handled, queried, verified, etc., is totally up to the directory software vendor. For example, IBM's Security Directory Server (SDS) software supports nested and dynamic groups through its own proprietary objectclasses and attributes, which are specially recognized by the software, and traversing (for nested groups) and expansion (for dynamic groups) to verify membership or to obtain group structure are automatically done for the LDAP client. For instance, SDS provides operational attributes like ibm-allgroups and ibm-allmembers to help LDAP clients pull group and membership information in nested and dynamic groups in single searches. Other directory vendors solve the same problem differently. Therefore, your solution will vary depending on the LDAP software you use. You can design your application to support multiple directory server software, but that depends on how sophisticated you want to get with group support in your application.

All Groups a User is a member of, including Nested groups

As an example, to find all the groups that "CN=John Smith,DC=MyDomain,DC=NET" is a member of, set the base to the groups container DN, for example (OU=groupsOU,DC=MyDomain,DC=NET), set the scope to subtree, and use the following filter.

(member:1.2.840.113556.1.4.1941:=CN=John Smith,DC=MyDomain,DC=NET)

Where CN=John Smith,DC=MyDomain,DC=NET is the user's FDN and 1.2.840.113556.1.4.1941 is the Extensible Match Rule.

-jim
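The recursive, vendor-neutral walk the question describes and the one-shot Active Directory filter from the answer above, as an added example that is not part of the original question or answers. It assumes a directory in which each group entry lists its direct members as DNs in a `member` attribute (groupOfNames style); the `InMemoryDirectory` class and the `SAMPLE` data are constructed stand-ins so the code runs offline, and in a real deployment `InMemoryDirectory.search` would be replaced by a call to your LDAP client library. The resolver escapes the DN per RFC 4515 before placing it in the filter, so a DN containing `(`, `)`, `*` or `\` cannot change the meaning of the query, and it keeps a visited set so that groups nested in a cycle terminate the walk.

```python
"""Resolve nested group membership against a generic LDAP directory.

Added example, not code from the original question or answers.  Assumes
group entries carry their direct members as DNs in a 'member' attribute.
The search backend is an in-memory stand-in (constructed sample data).
"""
from collections import deque
from typing import Callable, Dict, Iterable, List, Set

# RFC 4515 escaping for values placed inside a search filter.  A DN read
# from user input or from the directory itself may contain '(' ')' '*' '\'
# or NUL; unescaped, those characters alter the filter (filter injection).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def direct_groups_filter(dn: str) -> str:
    """Filter matching groups whose 'member' attribute lists this DN directly.
    Works on any server that stores members as DNs."""
    return f"(member={escape_filter_value(dn)})"


def in_chain_filter(dn: str) -> str:
    """The one-shot Active Directory form from the answer above, with the DN
    escaped.  Only AD honours the 1.2.840.113556.1.4.1941 matching rule."""
    return f"(member:1.2.840.113556.1.4.1941:={escape_filter_value(dn)})"


class InMemoryDirectory:
    """Stand-in for an LDAP server: maps group DN -> set of member DNs.
    It understands only the '(member=<escaped value>)' filter shape the
    resolver emits, comparing escaped member DNs against the filter value."""

    def __init__(self, groups: Dict[str, Iterable[str]]):
        self.groups = {g: set(m) for g, m in groups.items()}

    def search(self, ldap_filter: str) -> List[str]:
        assert ldap_filter.startswith("(member=") and ldap_filter.endswith(")")
        wanted = ldap_filter[len("(member="):-1]
        return sorted(g for g, members in self.groups.items()
                      if any(escape_filter_value(m) == wanted for m in members))


def resolve_nested_groups(user_dn: str,
                          search: Callable[[str], List[str]]) -> List[str]:
    """Breadth-first walk: groups that directly contain the user, then the
    groups that contain those groups, and so on, one search per entry.  The
    'seen' set terminates the walk even when groups nest in a cycle
    (C contains D, D contains C), which would otherwise loop forever."""
    seen: Set[str] = set()
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group_dn in search(direct_groups_filter(dn)):
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn)
    return sorted(seen)


# Constructed sample directory: user -> A, B; A -> C; C <-> D (cycle);
# E is unrelated.  The user DN contains parentheses to exercise escaping.
SAMPLE = InMemoryDirectory({
    "cn=A,ou=groups,dc=example,dc=net": ["cn=John Smith (Ops),dc=example,dc=net"],
    "cn=B,ou=groups,dc=example,dc=net": ["cn=John Smith (Ops),dc=example,dc=net"],
    "cn=C,ou=groups,dc=example,dc=net": ["cn=A,ou=groups,dc=example,dc=net",
                                         "cn=D,ou=groups,dc=example,dc=net"],
    "cn=D,ou=groups,dc=example,dc=net": ["cn=C,ou=groups,dc=example,dc=net"],
    "cn=E,ou=groups,dc=example,dc=net": ["cn=Someone Else,dc=example,dc=net"],
})

if __name__ == "__main__":
    user = "cn=John Smith (Ops),dc=example,dc=net"
    print(direct_groups_filter(user))   # generic, one level per search
    print(in_chain_filter(user))        # AD only, whole chain in one search
    for group in resolve_nested_groups(user, SAMPLE.search):
        print(group)
```

On a real server the number of round trips equals the number of groups discovered plus one, which is the cost of staying vendor-neutral; where the directory is known to be Active Directory, `in_chain_filter` lets the server do the traversal in a single search.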
