Searching for a user and associated groups on LDAP in one search


Question


New to LDAP. The way our LDAP is arranged is People and groups. The people have user information such as name, uid, and mail. The groups have a group name and multiple member fields whose values look like cn=First Last,cn=people,dc=comic,dc=com, listing the People that are members of the group.


Currently starting with userid and password, doing two searches: 1) Get the user by searching on the People base domain on uid=value. Then from the user get the first and last name. 2) Search on the Groups base domain based on member=cn=First Last,cn=People,dc=comic,dc=com and iterate over the list of group objects returned to get the group name field.


I'm just wondering: is there a way to do all this in one search, or are two searches necessary?

Answer

If you implement the reverse group membership maintenance overlay.


To determine which groups an entry is a member of without performing extra searches, the memberOf overlay is exactly what you need.


The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates. Thus, it provides maintenance of the list of groups an entry is a member of, when usual maintenance of groups is done by modifying the members on the group entry.


You may find this Server Fault post useful for a how to.


Once you have the memberOf attribute ready to be used, you may have to run ldapmodify manually on each group entry, but just once, so that all member entries can be provisioned with the corresponding group dn in their respective memberOf attribute.

最后,要对给定用户执行组成员资格搜索,您只需搜索用户条目并迭代memberOf属性即可获得组dn.

Finally, to perform a group membership search for a given user, you would just search for the user entry and iterate the memberOf attribute to get group dn's.
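As an added example (not part of the original question or answer), the following Python code shows the two-search flow from the question beside the single memberOf search from the answer, against a small constructed in-memory directory that mirrors the cn=people / cn=groups layout under dc=comic,dc=com. Both lookups return the same group DNs once memberOf is populated. Because the uid and the user's name end up inside a search filter and a DN, the code also escapes them per RFC 4515 (filter values) and RFC 4514 (DN values), so a uid such as "*" matches nothing instead of every entry. The directory contents, the search() helper and the attribute names are assumptions of this example, not the asker's data.

```python
"""Two-search vs. memberOf one-search group lookup (added example).

The directory below is constructed sample data; search() only understands
simple equality filters, enough to show the two approaches side by side.
"""
import re

BASE = "dc=comic,dc=com"
PEOPLE = "cn=people," + BASE   # People base domain from the question
GROUPS = "cn=groups," + BASE   # Groups base domain (assumed name)

# Constructed in-memory directory: dn -> {lowercased attribute: [values]}.
# memberOf is what the memberof overlay would maintain on the user entries.
DIRECTORY = {
    "cn=First Last," + PEOPLE: {
        "uid": ["flast"], "givenname": ["First"], "sn": ["Last"],
        "mail": ["flast@comic.com"],
        "memberof": ["cn=admins," + GROUPS, "cn=devs," + GROUPS],
    },
    "cn=Other Person," + PEOPLE: {
        "uid": ["operson"], "givenname": ["Other"], "sn": ["Person"],
        "mail": ["operson@comic.com"],
        "memberof": ["cn=devs," + GROUPS],
    },
    "cn=admins," + GROUPS: {
        "objectclass": ["groupOfNames"],
        "member": ["cn=First Last," + PEOPLE],
    },
    "cn=devs," + GROUPS: {
        "objectclass": ["groupOfNames"],
        "member": ["cn=First Last," + PEOPLE, "cn=Other Person," + PEOPLE],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used in a DN (e.g. the cn)."""
    escaped = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def _unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def search(directory, base, flt, attrs):
    """Subtree search for a single '(attr=value)' equality filter.

    Returns [(dn, {attr: values})]; matching is case-insensitive, which is
    how LDAP's caseIgnoreMatch and distinguishedNameMatch behave.
    """
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not m:
        raise ValueError("only simple equality filters are supported here")
    attr = m.group(1).lower()
    wanted = _unescape_filter_value(m.group(2)).lower()
    results = []
    for dn, entry in directory.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        if any(v.lower() == wanted for v in entry.get(attr, [])):
            results.append((dn, {a: entry.get(a.lower(), []) for a in attrs}))
    return results


def groups_two_searches(directory, uid):
    """The question's approach: find the user, build their DN, search groups."""
    people = search(directory, PEOPLE,
                    "(uid=%s)" % escape_filter_value(uid), ["givenName", "sn"])
    if not people:
        return []
    user = people[0][1]
    cn = "%s %s" % (user["givenName"][0], user["sn"][0])
    member_dn = "cn=%s,%s" % (escape_dn_value(cn), PEOPLE)
    groups = search(directory, GROUPS,
                    "(member=%s)" % escape_filter_value(member_dn), ["cn"])
    return sorted(dn for dn, _ in groups)


def groups_one_search(directory, uid):
    """The answer's approach: read memberOf straight from the user entry."""
    people = search(directory, PEOPLE,
                    "(uid=%s)" % escape_filter_value(uid), ["memberOf"])
    if not people:
        return []
    return sorted(people[0][1]["memberOf"])


if __name__ == "__main__":
    print(groups_two_searches(DIRECTORY, "flast"))
    print(groups_one_search(DIRECTORY, "flast"))
    print(groups_one_search(DIRECTORY, "*"))   # escaped, so matches nothing
```

Against a real server the same filters go to ldapsearch or a client library; the point of the escaping is that the uid, first name and last name come from the login form, and unescaped they would let a value like `*` or `)(uid=*` change the meaning of the filter rather than being matched literally.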
