在存在循环依赖性的情况下，使用1.2.840.113556.1.4.1941实现安全吗? [英] Is it safe to use 1.2.840.113556.1.4.1941 implementation in case of cyclic dependencies?

问题描述

如果dl中存在循环依赖性，则使用1.2.840.113556.1.4.1941是否正常终止(a-> b->一种情况)

Does using 1.2.840.113556.1.4.1941 terminate gracefully if there are cyclic dependencies in a dl (a -> b -> a situation)

推荐答案

LDAP_MATCHING_RULE_IN_CHAIN OID可以很好地处理循环依赖关系.它不会使他们窒息.

The LDAP_MATCHING_RULE_IN_CHAIN OID handles circular dependencies just fine. It won't choke on them.

例如，我建议在确定请考虑是否进行了以下设置:

Consider if you have this setup:

• A组
  • B组
  • 用户1
  • A组

  您想知道 User 1 是否是 Group A 的成员.您可以将搜索基础设置为 A组，然后使用以下查询:

  And you want to know if User 1 is a member of Group A. You would set the search base to Group A, and use this query:

  (member:1.2.840.113556.1.4.1941:=CN=User 1,OU=Users,DC=example,DC=com)
  

  查询将成功(不会使循环组阻塞)，您将得到1个结果( Group A )，表明是， User 1 是一个 A组的成员.(如果没有结果，则意味着该用户不是该组的成员)

  The query would succeed (it won't choke on the circular groups) and you would get 1 result (Group A) indicating that yes, User 1 is a member of Group A. (If you got no results, it would mean that the user is not a member of the group)

  在不限制搜索基础或不使用其他条件(例如匹配特定帐户)的情况下，切勿使用 LDAP_MATCHING_RULE_IN_CHAIN 条件，否则最终会出现非常低效的查询将永远运行，因为它必须查看存在的每个对象的整个成员资格链.

  You should never use a LDAP_MATCHING_RULE_IN_CHAIN condition without either limiting the search base or using other conditions (like matching a specific account), otherwise you will end up with a very inefficient query that will take forever to run because it has to look at the entire membership chain for every object that exists.

  这篇关于在存在循环依赖性的情况下，使用1.2.840.113556.1.4.1941实现安全吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！