如何使用UnboundID LDAP SDK查找用戶在LDAP中的所有角色？

Question

我無法找到用戶所屬的角色，我嘗試了以下代碼，它提供了很多屬性，但我感興趣的是用戶在某個應用中屬於哪些角色。

我正在搜索的用戶屬於以下兩個組（userrole和adminrole）。 我該如何檢索這些信息？

DN：cn = userrole，ou = roles，ou = appname，ou = apps，ou = groups，dc = example，dc = no

DN：cn = adminrole，ou = roles，ou = appname，ou = apps，ou = groups，dc = example，dc = no

private final String host = "host.example.com";
private final int port = 389;
private final String bindDn = "uid=appname,ou=systems,dc=example,dc=no";
private final String password = "password";
private final String searchDn = "dc=example,dc=no";

public SearchResultEntry getUserDetails(String username) {
    try {
        final LDAPConnection connection = new LDAPConnection(host, port,
                bindDn, password);
        SearchResult searchResults;
        searchResults = connection.search(searchDn, SearchScope.SUB,
                "(uid=" + username + ")", "+");

        if (searchResults.getEntryCount() == 1) {
            SearchResultEntry entry = searchResults.getSearchEntries().get(
                    0);
            connection.close();
            return entry;
        } else {
            LOGGER.error("NOT FOUND!");
            connection.close();
            return null;
        }
    } catch (LDAPException e) {
        LOGGER.error("Exception");
        return null;
    }
}

Answer 1

使用以下功能。 假設您使用SUN LDAP（使用uid ）：

編輯

private boolean isGroupContainUser(LDAPConnection ldapConnection, String groupDn, String userDn) throws LDAPException {
    boolean ret = false;
    Entry groupEntry = ldapConnection.getEntry(groupDn);

    String[] memberValues = groupEntry.getAttributeValues("uniquemember");
    if (memberValues != null) {
        DN ldapUserDn = new DN(userDn);
        for (String memberEntryDnString : memberValues) {
            DN memberEntryDn = new DN(memberEntryDnString);
            if (memberEntryDn.equals(ldapUserDn)) {
                ret = true;
                break;
            }
        }
    }
    return ret;
}

Answer 2

服務器可能支持memberOf或isMemberOf 。 這些屬性（在大多數服務器中，這些屬性是虛擬的 ，即，它們不占用任何存儲並且在客戶端請求時生成），其在對象中的存在指示對象的組成員資格。 這是一個假設服務器支持isMemberOf屬性的isMemberOf ：

String[] getGroupMembership() {

    try {

        // SSL can be supported by using a SocketFactory
        SocketFactory socketFactory = createSocketFactory();

        LDAPConnectionOptions options = new LDAPConnectionOptions();
        options.setConnectTimeoutMillis(connectTimeoutMillis);

        // Try to connect to a single server. It is also possible to use
        // a 'ServerSet' for support of multiple servers.
        LDAPConnection ldapConnection =
            new LDAPConnection(socketFactory,options,hostname,port,
                userDN,userPassword); 

        try {

            // Some broken directory servers, most notably the old Sun 
            // directory servers, do not support the legal filter "(&)".
            // If this is the case, use the present filter "(objectClass=*)"
            // instead. 
            SearchRequest searchRequest =
               new SearchRequest(userDN,SearchScope.BASE,"(&)","isMemberOf");
            searchRequest.setResponseTimeoutMillis(responseTimeoutMillis);

            SearchResult searchResult = ldapConnection.search(searchRequest);

            if(searchResult.getEntryCount() == 1) {
                Entry entry = searchResult.getSearchEntry(userDN);
                return getAttributeValues("isMemberOf");
           }

        } catch(LDAPException ex) {
            // Handle the exception
        } finally {
            ldapConnection.close();
        }

    } catch(LDAPException ldapException) {
        // Handle the connection exception here
    } 

    return null;
}

也可以看看

• LDAP：編程實踐
• LDAP：搜索最佳實踐