How to use a filter to avoid a sub OU in Active Directory?


Question

I have an application that pulls user information from an OU in Active Directory. The parameters it takes are a base for the search and a filter string.

I have an OU I want to pull information from, but there is a sub OU I want to avoid:

From: OU=People,DC=mydomain,DC=com

Sub OU to avoid: OU=Evil,OU=People,DC=mydomain,DC=com

I know that this could be done by rewriting the application performing the import to stop it searching sub-OUs, but is there any way to do this with an LDAP filter on the search? Something like (DistinguishedName !contains "Evil") or similar that will let me exclude users based on the path to the user, rather than filtering on a property of the user.

Answer

If you're using System.DirectoryServices(.Protocols) in .NET you could set the SearchScope to OneLevel to only search in the People-OU (and no child-OUs). But that won't work if you have any OU=Good,OU=People,DC=mydomain,DC=com...

The second option would be to query the People-OU for all sub-OUs (objectClass=organizationalUnit) and then issue multiple search requests; one for each of them (except the "Evil" one).

@geoffc - that will be really difficult to implement. By default all authenticated users have read access to all objects in Active Directory. Just setting a "Deny Read" on the Evil OU won't do the trick because the read right for authenticated users is set on the individual user object (in this case) and thus has precedence over the Deny ACL set on the OU. You will essentially have to set the Deny Read ACL on each of the objects in the Evil-OU and always make sure new objects added to the directory get the same Deny rights set. You could edit the Active Directory schema and remove the rights for Authenticated Users but that will break a lot of other things (including Exchange) and is not supported by Microsoft.
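The two search-side approaches in the answer (OneLevel scope, and enumerating sub-OUs then searching each one except Evil) can be worked through offline. The following is an added example, not code from the question or the answer: it uses a small constructed in-memory directory in place of a real LDAP server, so `search()` is a stand-in for the server-side query rather than a System.DirectoryServices call, and the entry names, the `OU=Good`/`OU=Nested`/`OU=Evil2` sub-OUs and the `CN=Dr Evil` user are assumptions. It also shows why the `DistinguishedName !contains "Evil"` idea from the question is unsafe even as a client-side post-filter: a plain substring test matches the user's name and sibling OUs such as `OU=Evil2`, whereas comparing the DN component by component excludes exactly the one subtree.

```python
"""Exclude one sub-OU from an AD user export.

Added example (not from the original Q&A). No LDAP library is used: the
ENTRIES list below is a constructed stand-in for what a subtree search on
OU=People would return, and search() imitates the server's scope handling.
"""

# Constructed sample directory: (distinguishedName, objectClass) pairs.
ENTRIES = [
    ("OU=People,DC=mydomain,DC=com", "organizationalUnit"),
    ("CN=Alice Adams,OU=People,DC=mydomain,DC=com", "user"),
    ("OU=Good,OU=People,DC=mydomain,DC=com", "organizationalUnit"),
    ("CN=Bob Brown,OU=Good,OU=People,DC=mydomain,DC=com", "user"),
    ("OU=Nested,OU=Good,OU=People,DC=mydomain,DC=com", "organizationalUnit"),
    ("CN=Carol Cole,OU=Nested,OU=Good,OU=People,DC=mydomain,DC=com", "user"),
    ("OU=Evil,OU=People,DC=mydomain,DC=com", "organizationalUnit"),
    ("CN=Dave Dark,OU=Evil,OU=People,DC=mydomain,DC=com", "user"),
    # "Evil" appears in the name but not in the path: must NOT be excluded.
    ("CN=Dr Evil,OU=Good,OU=People,DC=mydomain,DC=com", "user"),
    # Sibling OU whose name merely starts with "Evil": must NOT be excluded.
    ("OU=Evil2,OU=People,DC=mydomain,DC=com", "organizationalUnit"),
    ("CN=Eve Early,OU=Evil2,OU=People,DC=mydomain,DC=com", "user"),
]

BASE = "OU=People,DC=mydomain,DC=com"
EVIL = "OU=Evil,OU=People,DC=mydomain,DC=com"


def split_dn(dn):
    """Split a DN into its RDN components, honouring backslash-escaped commas.

    Components are lower-cased because AD DN matching is case-insensitive.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape + escaped char together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p.lower() for p in parts]


def is_under(dn, base, one_level=False):
    """True if dn lies strictly below base (Subtree), or is a direct child (OneLevel).

    The comparison is on RDN components, so OU=Evil2 is not "under" OU=Evil.
    """
    d, b = split_dn(dn), split_dn(base)
    if len(d) <= len(b) or d[-len(b):] != b:
        return False
    return len(d) == len(b) + 1 if one_level else True


def search(base, scope, object_class):
    """Stand-in for an LDAP search with filter (objectClass=<object_class>)."""
    one_level = scope == "OneLevel"
    return [dn for dn, oc in ENTRIES
            if oc == object_class and is_under(dn, base, one_level)]


def users_excluding(base, excluded_ou):
    """Second approach from the answer: OneLevel for users directly in the base,
    then one Subtree search per direct sub-OU, skipping the excluded OU."""
    found = search(base, "OneLevel", "user")
    for ou in search(base, "OneLevel", "organizationalUnit"):
        if split_dn(ou) == split_dn(excluded_ou):
            continue
        found += search(ou, "Subtree", "user")
    return found


def users_postfiltered(base, excluded_ou):
    """Alternative: one Subtree search, then drop entries below the excluded OU
    client-side using a component-wise DN comparison."""
    return [dn for dn in search(base, "Subtree", "user")
            if not is_under(dn, excluded_ou)]


def users_naive_contains(base, word):
    """The 'DN !contains' idea taken literally; shown only to expose its over-matching."""
    return [dn for dn in search(base, "Subtree", "user")
            if word.lower() not in dn.lower()]


if __name__ == "__main__":
    print("OneLevel only:", search(BASE, "OneLevel", "user"))
    print("Per-OU searches:", users_excluding(BASE, EVIL))
    print("Post-filtered:", users_postfiltered(BASE, EVIL))
    print("Naive contains:", users_naive_contains(BASE, "Evil"))
```

The per-OU approach costs one extra request per sub-OU but keeps the server doing the work and never transfers the Evil entries at all; the post-filter approach is a single request but still pulls the excluded users over the wire before discarding them, which matters if the point of excluding them is to keep their data out of the importing application.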
