Single line LDAP query that enumerates users from a group within a supergroup
Problem description
I have a scheme that looks like this:
- Users exist, like UserA, UserB, UserC.
- Groups exist, like OverGroup, SubGroup.
- OverGroup automatically adds new users such as UserA, UserB to its members.
- SubGroup I created myself. I have set OverGroup as a member of SubGroup.
I want to be able to one-line query SubGroup and retrieve not OverGroup, i.e.:
Values:
CN=OverGroup,OU=Groups,DC=example,DC=com
but the full enumeration of the actual Users (User A, B, C) within OverGroup, i.e.:
Values:
CN=UserA,OU=OtherOU,DC=example,DC=com
CN=UserB,OU=OtherOU,DC=example,DC=com
CN=UserC,OU=OtherOU,DC=example,DC=com
Is there a one-liner LDAP filter that could retrieve this? (It will be put into the ExternalAuth configuration 'ldap' section in a Request Tracker instance. Pretty sure I can only do this with one query the ExternalAuth module can understand.)
Everything I try does not work, and from my reading, it does not seem possible to enumerate a list of users within a group that is a member of another group with any one-line query. Thoughts?
Recommended answer
Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.
Here is an example of how to retrieve all users in a group, including nested groups:
(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))
where {0} is the DN of the parent group.
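Added example, not part of the original answer: it fills the {0} placeholder with a group DN escaped per RFC 4515 (so a DN containing parentheses, asterisks or backslashes cannot alter the filter) and models which users the chained memberof match returns for the question's SubGroup/OverGroup layout. The helper names, the in-memory directory and UserD are constructed for illustration; the model is not how Active Directory evaluates the rule internally.

```python
# Added example: helper names and the directory below are constructed.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID used in the answer's filter

def escape_filter_value(value):
    """Escape a string for use as an LDAP filter assertion value (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def nested_member_filter(group_dn):
    """Fill the answer's {0} placeholder with an escaped group DN."""
    return "(&(objectClass=user)(memberof:%s:=%s))" % (
        IN_CHAIN, escape_filter_value(group_dn))

SUB = "CN=SubGroup,OU=Groups,DC=example,DC=com"
OVER = "CN=OverGroup,OU=Groups,DC=example,DC=com"

# Constructed directory: DN -> (objectClass, direct memberOf values).
DIRECTORY = {
    SUB: ("group", []),
    OVER: ("group", [SUB]),
    "CN=UserA,OU=OtherOU,DC=example,DC=com": ("user", [OVER]),
    "CN=UserB,OU=OtherOU,DC=example,DC=com": ("user", [OVER]),
    "CN=UserC,OU=OtherOU,DC=example,DC=com": ("user", [OVER]),
    "CN=UserD,OU=OtherOU,DC=example,DC=com": ("user", []),  # not in any group
}

def in_chain_users(directory, group_dn):
    """Model of the filter's result: users whose memberOf chain reaches group_dn."""
    def reaches(dn, seen):
        for parent in directory.get(dn, ("", []))[1]:
            if parent == group_dn:
                return True
            if parent not in seen:  # guard against circular group nesting
                seen.add(parent)
                if reaches(parent, seen):
                    return True
        return False
    return sorted(dn for dn, (cls, _) in directory.items()
                  if cls == "user" and reaches(dn, {dn}))

if __name__ == "__main__":
    print(nested_member_filter(SUB))
    for dn in in_chain_users(DIRECTORY, SUB):
        print(dn)
```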