Active Directory search query for nested groups with wildcard pattern in search filter


Problem description


I am trying to allow the users from nested groups in Active Directory to login to my spring boot/security based application. I have figured how to provide the search query through spring-security configuration, but I am having trouble with the search query itself.


Here is the search query that is currently working as expected:

(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
  (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))


This is working as expected, as user1 belongs to parent_group1 or one of its subgroups. But I have more than one parent_group, with a constant prefix. So I am trying to provide a wildcard in that query as CN=parent_group*, but it's not working.


I have seen a variation here where each parent_group can be added with an OR like this:

(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
   (|(memberOf:1.2.840.113556.1.4.1941:=CN=parent_group1,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
     (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group2,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)
     (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group3,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local)))


And this works too. But the problem with this is that every time a new parent group is added, this needs to be updated. I have gone through the link specified in the answer to the above question, but nothing from there works.


Ideally, I was hoping something like this would work (wildcard pattern for parent_group):

(&(objectCategory=Person)(userPrincipalName=user1@domain.local)
  (memberOf:1.2.840.113556.1.4.1941:=CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local))


But it's not working. It doesn't return any results. Can someone help me if there is a better way of doing this?


Also, is it possible not to mention the entire hierarchy like this? CN=parent_group*,OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local


I have been researching this for a couple of days now and gone through most of the articles provided online or on SO, but nothing with the wildcard pattern with the chain command works so far.

Recommended answer


It is not possible to do what you describe. You'd be well served by having one parent group which all your "other" parent groups are nested in. Anytime a new parent group is created, you would nest it in your master group so that it's granted access. This is a pretty common model.
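As an added example (not from the question or the answer), here is a small Python builder for the filter discussed above: it produces the single-group form the answer's master-group model needs, or the OR over several parent group DNs from the question, and escapes the user-supplied userPrincipalName per RFC 4515 so characters such as `*` or `)` in a login name are matched literally instead of rewriting the filter. The group DNs are the ones quoted in the question; the function names are my own.

```python
# Added example (not from the original question or answer): builds the
# search filter discussed above for one or more parent groups, escaping
# the user-supplied UPN per RFC 4515 so a login name cannot change the
# filter's structure. The DNs below are the ones quoted in the question.

# LDAP_MATCHING_RULE_IN_CHAIN, the OID used in the question's filters: it
# matches when the user is a transitive member of the given group DN.
IN_CHAIN = "1.2.840.113556.1.4.1941"
GROUP_BASE = "OU=Another Group,OU=Groups,OU=Company,DC=Company-Domain,DC=local"

def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 section 3 so it is matched
    literally: backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def nested_member_clause(group_dn: str) -> str:
    """Transitive (nested) membership test for one group DN."""
    return f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)})"

def build_filter(upn: str, parent_group_dns: list) -> str:
    """AND of objectCategory, UPN and nested membership in any listed group.
    With one master group (the answer's model) the OR wrapper is omitted
    and the result is the question's first, working filter."""
    if not parent_group_dns:
        raise ValueError("at least one parent group DN is required")
    clauses = [nested_member_clause(dn) for dn in parent_group_dns]
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return ("(&(objectCategory=Person)"
            f"(userPrincipalName={escape_filter_value(upn)}){membership})")

def parens_balanced(ldap_filter: str) -> bool:
    """Cheap sanity check for a filter assembled or copied by hand: an
    unclosed '(|' or '(&' is rejected by the directory server."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0

if __name__ == "__main__":
    groups = [f"CN=parent_group{i},{GROUP_BASE}" for i in (1, 2, 3)]
    print(build_filter("user1@domain.local", groups))
```

In Spring Security the resulting string is what you would hand to the provider's search filter setting, with the UPN placeholder in place of the literal value; the escaping above is what keeps a login name from adding its own clauses.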
