LDAP: using a filter to avoid a sub OU in Active Directory

Views: 182

Question


I have an application that pulls user information from an OU in Active Directory. The parameters it takes are a base for the search and a filter string.


I have an OU I want to pull information from, but there is a sub OU I want to avoid:


Wanted: users from OU=People,DC=mydomain,DC=com
Not Wanted: users from OU=Evil,OU=People,DC=mydomain,DC=com


I know that this could be done by rewriting the application performing the import to stop it searching sub-OUs, but is there any way to do this with an LDAP filter on the search? Something like (DistinguishedName !contains "Evil") or similar that will let me exclude users based on the path to the user, rather than filtering on a property of the user.

Answer


If you're using System.DirectoryServices(.Protocols) in .NET you could set the SearchScope to OneLevel to only search in the People-OU (and no child-OUs). But that won't work if you have any "OU=Good,OU=People,DC=mydomain,DC=com"...


The second option would be to query the People-OU for all sub-OU:s (objectClass=organizationalUnit) and then issue multiple search requests; one for each of them (except the "Evil" one).


@geoffc - that will be really difficult to implement. By default all authenticated users have read access to all objects in Active Directory. Just setting a "Deny Read" on the Evil OU won't do the trick because the read right for authenticated users is set on the individual user object (in this case) and thus has precedence over the Deny ACL set on the OU. You will essentially have to set the Deny Read ACL on each of the objects in the Evil-OU and always make sure new objects added to the directory get the same Deny rights set. You could edit the Active Directory schema and remove the rights for Authenticated Users but that will break a lot of other things (including Exchange) and is not supported by Microsoft.
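The two approaches from the answer above, as an added example that is not part of the original answer: a OneLevel search for users sitting directly under OU=People, followed by an enumeration of its child OUs and a Subtree search of each one except OU=Evil. Together these two passes return exactly the Subtree result minus the Evil OU, provided Evil is a direct child of People as in the question. The host name, the use of Negotiate with the current process credentials, the "person/user" filter and the attribute names are assumptions for illustration; the OU distinguished names are the ones from the question.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example (not from the original answer or any project): exclude one
// sub-OU by controlling the search base and scope instead of the filter.
class PeopleSearch
{
    const string PeopleOu = "OU=People,DC=mydomain,DC=com";
    const string EvilOu = "OU=Evil,OU=People,DC=mydomain,DC=com";

    static void Main()
    {
        // "dc01.mydomain.com" is a placeholder domain controller name.
        using (var conn = new LdapConnection("dc01.mydomain.com"))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate;                      // assumption: Kerberos/NTLM
            conn.Credential = CredentialCache.DefaultNetworkCredentials;
            conn.Bind();

            // Pass 1 (answer's first option): OneLevel returns only objects
            // that are direct children of OU=People, so no sub-OU is touched.
            foreach (var dn in SearchUsers(conn, PeopleOu, SearchScope.OneLevel))
                Console.WriteLine(dn);

            // Pass 2 (answer's second option): list the child OUs, then search
            // each one's subtree, skipping the one we do not want.
            foreach (var ou in ChildOus(conn, PeopleOu))
            {
                if (string.Equals(ou, EvilOu, StringComparison.OrdinalIgnoreCase))
                    continue;                                        // skip OU=Evil
                foreach (var dn in SearchUsers(conn, ou, SearchScope.Subtree))
                    Console.WriteLine(dn);
            }
        }
    }

    // Direct child OUs of baseDn; OneLevel keeps nested OUs out of this list,
    // they are reached later through their parent's Subtree search.
    static IEnumerable<string> ChildOus(LdapConnection conn, string baseDn)
    {
        var req = new SearchRequest(baseDn, "(objectClass=organizationalUnit)",
                                    SearchScope.OneLevel, "distinguishedName");
        var resp = (SearchResponse)conn.SendRequest(req);
        foreach (SearchResultEntry e in resp.Entries)
            yield return e.DistinguishedName;
    }

    // User objects under baseDn at the requested scope; the filter and the
    // requested attribute are assumptions, adjust to what the import needs.
    static IEnumerable<string> SearchUsers(LdapConnection conn, string baseDn,
                                           SearchScope scope)
    {
        var req = new SearchRequest(baseDn,
            "(&(objectCategory=person)(objectClass=user))", scope, "sAMAccountName");
        var resp = (SearchResponse)conn.SendRequest(req);
        foreach (SearchResultEntry e in resp.Entries)
            yield return e.DistinguishedName;
    }
}
```

Two things to check before relying on this in an import job: Active Directory caps a single unpaged search at its MaxPageSize (1000 by default), so large OUs need a PageResultRequestControl on the SearchRequest; and the exclusion is only as good as the OU layout, because an OU=Evil created under OU=Good later would be swept up by Good's Subtree search unless the skip list is kept current.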

