How to use a filter to avoid a sub OU in Active Directory?

Question


I have an application that pulls user information from an OU in Active Directory. The parameters it takes are a base for the search and a filter string.


I have an OU I want to pull information from, but there is a sub OU I want to avoid:

OU=People,DC=mydomain,DC=com

OU=Evil,OU=People,DC=mydomain,DC=com


I know that this could be done by rewriting the application performing the import to stop it searching sub-OUs, but is there any way to do this with an LDAP filter on the search? Something like (DistinguishedName !contains "Evil") or similar that will let me exclude users based on the path to the user, rather than filtering on a property of the user.

Answer


If you're using System.DirectoryServices(.Protocols) in .NET you could set the SearchScope to OneLevel to only search in the People-OU (and no child-OUs). But that won't work if you have any OU=Good,OU=People,DC=mydomain,DC=com...


The second option would be to query the People-OU for all sub-OUs (objectClass=organizationalUnit) and then issue multiple search requests; one for each of them (except the "Evil" one).


@geoffc - that will be really difficult to implement. By default all authenticated users have read access to all objects in Active Directory. Just setting a "Deny Read" on the Evil OU won't do the trick because the read right for authenticated users is set on the individual user object (in this case) and thus has precedence over the Deny ACL set on the OU. You will essentially have to set the Deny Read ACL on each of the objects in the Evil-OU and always make sure new objects added to the directory get the same Deny rights set. You could edit the Active Directory schema and remove the rights for Authenticated Users but that will break a lot of other things (including Exchange) and is not supported by Microsoft.
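The two options from the answer combined into one routine, as an added example that is not code from the original question or answer. It uses System.DirectoryServices.Protocols as the answer suggests: a OneLevel search of the People OU picks up users placed directly under it, a OneLevel search for organizationalUnit objects lists the child OUs, and every child OU except the one to skip gets its own Subtree search. The server name, the OU distinguished names and the user filter are assumed values for illustration.

```csharp
// Added example (not from the original Q&A): collect user DNs under OU=People
// while skipping one child OU, using System.DirectoryServices.Protocols.
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;

class OuFilteredSearch
{
    // Assumed values: domain controller host and the DN of the OU to leave out.
    const string Server = "dc01.mydomain.com";
    const string PeopleOu = "OU=People,DC=mydomain,DC=com";
    const string SkipOu = "OU=Evil,OU=People,DC=mydomain,DC=com";

    // Standard AD filter for real user accounts (excludes computer accounts and contacts).
    const string UserFilter = "(&(objectCategory=person)(objectClass=user))";

    static void Main()
    {
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(Server)))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate; // bind with the caller's Windows credentials
            conn.Bind();

            foreach (var dn in UserDnsAvoidingOu(conn, PeopleOu, SkipOu))
                Console.WriteLine(dn);
        }
    }

    // Option 1 from the answer: SearchScope.OneLevel returns only direct children of
    // the base, so users sitting directly in People are found and no child OU is entered.
    static IEnumerable<string> DirectUsers(LdapConnection conn, string baseDn)
    {
        return Search(conn, baseDn, UserFilter, SearchScope.OneLevel);
    }

    // Option 2 from the answer: list the child OUs of the base and run one Subtree
    // search per child OU, skipping the one named by skipDn. Nested OUs below a
    // kept child OU (e.g. OU=Good) are covered by the Subtree scope.
    static IEnumerable<string> UserDnsAvoidingOu(LdapConnection conn, string baseDn, string skipDn)
    {
        foreach (var dn in DirectUsers(conn, baseDn))
            yield return dn;

        foreach (var ouDn in Search(conn, baseDn, "(objectClass=organizationalUnit)", SearchScope.OneLevel))
        {
            // DNs are case-insensitive in AD, so compare accordingly.
            if (string.Equals(ouDn, skipDn, StringComparison.OrdinalIgnoreCase))
                continue;

            foreach (var dn in Search(conn, ouDn, UserFilter, SearchScope.Subtree))
                yield return dn;
        }
    }

    // One LDAP search request; only the distinguishedName attribute is requested.
    static IEnumerable<string> Search(LdapConnection conn, string baseDn, string filter, SearchScope scope)
    {
        var request = new SearchRequest(baseDn, filter, scope, "distinguishedName");
        var response = (SearchResponse)conn.SendRequest(request);
        foreach (SearchResultEntry entry in response.Entries)
            yield return entry.DistinguishedName;
    }
}
```

Two practical notes: the exclusion here is purely client-side (the accounts in the skipped OU remain readable to any authenticated user, as the comment above explains), and a single SearchRequest returns at most the server's MaxPageSize entries (1000 by default), so an OU with more users than that needs a PageResultRequestControl on the request to retrieve the rest.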
