Is it safe to use 1.2.840.113556.1.4.1941 implementation in case of cyclic dependencies?
Question
Does using 1.2.840.113556.1.4.1941 terminate gracefully if there are cyclic dependencies in a dl (a -> b -> a situation)
Recommended answer
The LDAP_MATCHING_RULE_IN_CHAIN OID handles circular dependencies just fine. It won't choke on them.
Consider if you have this setup:
- Group A
- Group B
- User 1
- Group A
And you want to know if User 1 is a member of Group A. You would set the search base to Group A, and use this query:
(member:1.2.840.113556.1.4.1941:=CN=User 1,OU=Users,DC=example,DC=com)
The query would succeed (it won't choke on the circular groups) and you would get 1 result (Group A) indicating that yes, User 1 is a member of Group A. (If you got no results, it would mean that the user is not a member of the group.)
You should never use an LDAP_MATCHING_RULE_IN_CHAIN condition without either limiting the search base or using other conditions (like matching a specific account), otherwise you will end up with a very inefficient query that will take forever to run because it has to look at the entire membership chain for every object that exists.
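The scoped query described in the answer above, as an added example that is not part of the original answer and goes slightly beyond it: it builds the in-chain filter with RFC 4515 escaping so a DN taken from input cannot change the filter, and it models a transitive membership walk over a circular group layout offline. The group DNs, the nesting (Group A contains Group B, which contains User 1 and Group A), the base scope and all function names are assumptions made for the example; how Active Directory evaluates the rule internally is not stated on the page.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# Constructed sample DNs; only the user DN appears on the page.
USER_1 = "CN=User 1,OU=Users,DC=example,DC=com"
GROUP_A = "CN=Group A,OU=Groups,DC=example,DC=com"
GROUP_B = "CN=Group B,OU=Groups,DC=example,DC=com"

# Constructed directory with a cycle: A -> B -> (User 1, A).
MEMBERS = {GROUP_A: [GROUP_B], GROUP_B: [USER_1, GROUP_A]}


def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def in_chain_filter(user_dn):
    """Build the transitive 'member' filter for one specific account."""
    return "(member:%s:=%s)" % (IN_CHAIN, escape_filter_value(user_dn))


def scoped_search(group_dn, user_dn):
    """Search parameters limited to the one group object (base scope assumed)."""
    return {"base": group_dn, "scope": "base", "filter": in_chain_filter(user_dn)}


def is_member_in_chain(group_dn, target_dn, members=MEMBERS):
    """Offline model of a transitive membership check.

    The visited set guarantees termination on circular groups: each group
    is expanded at most once, so the walk is bounded by the group count.
    """
    visited, stack = set(), [group_dn]
    while stack:
        current = stack.pop()
        if current in visited:
            continue  # already expanded; this is where a cycle is cut
        visited.add(current)
        for member in members.get(current, []):
            if member == target_dn:
                return True
            stack.append(member)
    return False


if __name__ == "__main__":
    print(scoped_search(GROUP_A, USER_1))
    print(is_member_in_chain(GROUP_A, USER_1))
```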