How to do an LDAP Search of Various fields
Question
I have a requirement of retrieving various values such as Description, Office, etc. from LDAP after authentication.
I have been able to complete the authentication but I am not able to retrieve other values.
What names should I use to retrieve the complete data?
Please help.
My code is as follows:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// LDAP_UID_ATTR and the getServerName()/getIP_Port()/getDcPart1()/getDcPart2()
// helpers are defined elsewhere in the same class.
public boolean authenticate(String userid, String pass, String domain) {
    boolean retval = false;
    // {0} is substituted by JNDI with LDAP filter escaping applied, so a userid
    // containing characters such as '*', '(' or ')' cannot change the filter's meaning
    String searchFilter = "(&(objectClass=user)(" + LDAP_UID_ATTR + "={0}))";
    try {
        System.out.println("Start: getLDAPAttrs");
        NamingEnumeration<SearchResult> answer =
            getLDAPAttrs(userid, pass, searchFilter, new Object[] { userid }, domain);
        String uid = "";
        while (answer.hasMoreElements()) {
            SearchResult sr = answer.next();
            Attributes attrs = sr.getAttributes();
            try {
                // Attribute.get() returns the first value; Attribute.toString() yields
                // "sAMAccountName: value", which is what the old substring hack stripped
                uid = attrs.get(LDAP_UID_ATTR).get().toString();
                System.out.println("uid: " + uid);
                System.out.println("mail: " + attrs.get("mail").get());
            } catch (Exception err) {
                // attribute missing: not requested, not set, or withheld by server access control
                System.out.println(err.getMessage());
                err.printStackTrace();
            }
            // verify userid
            if (userid.equalsIgnoreCase(uid)) {
                retval = true;
                break;
            }
        }
    } catch (NamingException ne) {
        System.out.println("In authenticateWithLDAP, LDAP Authentication NamingException : " +
            ne.getMessage());
    } catch (Exception ex) {
        System.out.println("In authenticateWithLDAP, LDAP Authentication Exception : " +
            ex.getMessage());
    }
    return retval;
}

private NamingEnumeration<SearchResult> getLDAPAttrs(String userid, String pass,
                                                     String searchFilter,
                                                     Object[] filterArgs,
                                                     String domain) throws NamingException,
                                                                           Exception {
    String host = getServerName();
    String port = getIP_Port();
    String dcPart1 = getDcPart1();
    String dcPart2 = getDcPart2();
    // set attribute names to obtain values of; attributes not listed here are not returned
    String[] returnedAtts = { "sAMAccountName", "cn", "mail" };
    SearchControls searchCtls = new SearchControls();
    searchCtls.setReturningAttributes(returnedAtts);
    // specify the search scope
    searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
    // set search base
    String searchBase = "DC=" + dcPart1 + ",DC=" + dcPart2;
    // set ldap env values
    Hashtable<String, String> environment = new Hashtable<>();
    environment.put(Context.INITIAL_CONTEXT_FACTORY,
        "com.sun.jndi.ldap.LdapCtxFactory");
    // a simple bind over plain ldap:// sends the password unencrypted; ldaps:// or StartTLS avoids that
    environment.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
    environment.put(Context.SECURITY_AUTHENTICATION, "simple");
    environment.put(Context.SECURITY_PRINCIPAL, userid + "@" + domain);
    environment.put(Context.SECURITY_CREDENTIALS, pass);
    // set ldap context (the bind happens here; the context is left open because the
    // caller still consumes the returned enumeration over this connection)
    DirContext ctxGC = new InitialDirContext(environment);
    // perform search to obtain values; filterArgs are escaped and substituted for {0}
    NamingEnumeration<SearchResult> answer =
        ctxGC.search(searchBase, searchFilter, filterArgs, searchCtls);
    return answer;
}
Answer
An LDAP client retrieves attribute values (referred to as "fields" in the question) by transmitting a search request to the server and then reading the server's response. A search request consists of at a minimum the following components:
- base DN - the object at which to begin the search. No objects above the base DN are returned
- scope - the scope of the search; this is base, one or subtree
- filter - a filter which limits the entries that are returned by the server
Additionally, a list of requested attributes can be transmitted with the search request. Many LDAP SDKs will simply return all user attributes and no operational attributes if no requested attributes list is provided. In this case, request the attributes description and office and any others that are required.
LDAP-compliant servers enforce an access control scheme which might cause the server to not return certain attributes. Consult with the LDAP administrators to determine if the authentication state of the LDAP client connections has permission to access the attributes desired.
- LDAP: Using ldapsearch: this article refers to the ldapsearch command line tool, but the concepts are the same as for programmatic access.
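As an added example (not the asker's code and not part of the answer above), the search the answer describes done with JNDI: bind as the user, send the filter with an escaped argument, request only the named attributes, and read every value the server returns. The server URL, base DN and the class name are my own placeholders; the attribute list uses description and office as the answer names them, with office under the name Active Directory stores it as.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class LdapAttributeLookup {
    // Placeholder server details (assumed, not taken from the question)
    static final String URL = "ldaps://ldap.example.com:636";
    static final String BASE_DN = "DC=example,DC=com";
    // "description" and "office" as named in the answer; Active Directory stores
    // the Office field under the attribute name physicalDeliveryOfficeName
    static final String[] WANTED = { "description", "physicalDeliveryOfficeName", "mail" };

    /** Bind as the user, then search for the user's own entry requesting only WANTED. */
    static Attributes fetchUserAttributes(String userid, String pass, String domain)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userid + "@" + domain);
        env.put(Context.SECURITY_CREDENTIALS, pass);
        DirContext ctx = new InitialDirContext(env);   // the bind happens here
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);   // scope: subtree
            ctls.setReturningAttributes(WANTED);                 // requested attributes list
            // {0} is bound by JNDI with LDAP filter escaping, so userid cannot alter the filter
            NamingEnumeration<SearchResult> results = ctx.search(BASE_DN,
                    "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { userid }, ctls);
            return results.hasMore() ? results.next().getAttributes() : null;
        } finally {
            ctx.close();
        }
    }

    /** Print every requested attribute; a null means the server did not return it
     *  (not set on the entry, or withheld by the server's access control scheme). */
    static void dump(Attributes attrs) throws NamingException {
        for (String name : WANTED) {
            Attribute a = attrs.get(name);
            if (a == null) { System.out.println(name + ": (not returned)"); continue; }
            // attributes may be multi-valued; Attribute.get() would give only the first value
            for (NamingEnumeration<?> vals = a.getAll(); vals.hasMore();) {
                System.out.println(name + ": " + vals.next());
            }
        }
    }
}
```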