LDAP中的memberOf vs.groupMembership(Liferay) [英] memberOf vs. groupMembership in LDAP (Liferay)
问题描述
在Liferay的LDAP身份验证设置中使用b/n memberOf属性和groupMembership属性有什么区别?
用户已成功导入. 这些组也已成功导入.
但是不会自动将用户分配给组.当我将组变量从"groupMembership"更改为"memberOf"时,几个用户无法登录Liferay.
memberOf和groupMembership变量到底是什么?
memberOf不是变量",它是一个属性,或更准确地说,它是一个虚拟属性,或者是动态生成的动态属性由某些目录服务器,但不是全部.有些使用memberOf在搜索过滤器或搜索请求的属性列表中使用,有些使用isMemberOf出于相同的目的,有些使用这两种或两种都不支持,并且可能还有其他我不知道的习惯用法. /p>
通常,要确定组成员身份,请向目录服务器发出搜索请求,并在属性列表中指定要返回的memberOf或isMemberOf.这是使用现代ldapsearch命令行工具的示例:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
--sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
--bindPasswordFile ~/.pwdFile '(uid=user.0)' isMemberOf
dn: uid=user.0,ou=people,dc=example,dc=com
isMemberOf: cn=Dynamic Home Directories,ou=groups,dc=example,dc=com
isMemberOf: cn=bellevue,ou=groups,dc=example,dc=com
isMemberOf: cn=shadow entries,ou=groups,dc=example,dc=com
isMemberOf: cn=persons,ou=groups,dc=example,dc=com
此搜索响应表明user.0是列出的组的成员.
要反转查询的含义,即确定哪些条目是组的成员,请在搜索请求中使用的过滤器中使用isMemberOf或memberOf并声明:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
--sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
--bindPasswordFile ~/.pwdFile \
'(isMemberOf=cn=persons,ou=groups,dc=example,dc=com)' 1.1
dn: uid=terrygardner,ou=people,dc=example,dc=com
dn: uid=user.0,ou=people,dc=example,dc=com
dn: uid=user.1,ou=People,dc=example,dc=com
dn: uid=user.10,ou=People,dc=example,dc=com
此搜索响应表明该组中有几个成员的专有名称为cn=persons,ou=groups,dc=example,dc=com.
虽然不是特定于 LifeRay ,但以上是对处理组成员身份和从LDAP的角度来看,也是反向组成员身份.
What is the difference b/n memberOf attribute and groupMembership attribute when used in LDAP Authentication settings in Liferay?
The users are imported successfully. The groups are also imported successfully.
But the users are not assigned to the groups automatically. And when I changed the group variable from 'groupMembership' to 'memberOf', several users are not able to login to Liferay.
What exactly are memberOf and groupMembership variables?
memberOf is not a "variable", it is an attribute, or more accurately, it is a virtual attribute, or a dynamic attribute generated on the fly by some directory servers, but not all. Some use memberOf to use in search filters or in the attribute list of a search request, some use isMemberOf for the same purpose, some support both or neither, and there are probably other idioms of which I am not aware.
Generally speaking, to determine group membership, issue a search request to the directory server and specify memberOf or isMemberOf to be returned in the attribute list. Here is an example using a modern ldapsearch command line tool:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
--sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
--bindPasswordFile ~/.pwdFile '(uid=user.0)' isMemberOf
dn: uid=user.0,ou=people,dc=example,dc=com
isMemberOf: cn=Dynamic Home Directories,ou=groups,dc=example,dc=com
isMemberOf: cn=bellevue,ou=groups,dc=example,dc=com
isMemberOf: cn=shadow entries,ou=groups,dc=example,dc=com
isMemberOf: cn=persons,ou=groups,dc=example,dc=com
This search response indicated that user.0 is a member of the listed groups.
To reverse the sense of the query, that is, to determine which entries are the member of a group, use the isMemberOf or memberOf with an assertion in the filter used in the search request:
ldapsearch --port 1389 --baseDn 'ou=people,dc=example,dc=com' \
--sizeLimit 3 --searchScope one --bindDn 'cn=directory manager' \
--bindPasswordFile ~/.pwdFile \
'(isMemberOf=cn=persons,ou=groups,dc=example,dc=com)' 1.1
dn: uid=terrygardner,ou=people,dc=example,dc=com
dn: uid=user.0,ou=people,dc=example,dc=com
dn: uid=user.1,ou=People,dc=example,dc=com
dn: uid=user.10,ou=People,dc=example,dc=com
This search response indicates that there are several member of the group whose distinguished name is cn=persons,ou=groups,dc=example,dc=com.
While not specific to LifeRay, the above is a general explanation of one way to deal with group membership and also of reverse group membership from an LDAP perspective.
这篇关于LDAP中的memberOf vs.groupMembership(Liferay)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
