single line LDAP query that enumerates users from a group within a supergroup

Problem description

I have a scheme that looks like this:

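  1. Users exist, such as UserA, UserB, UserC.
  2. Groups exist, such as OverGroup, SubGroup.
  3. OverGroup automatically gets new users (such as UserA, UserB, etc.) added to its membership.
  4. SubGroup I created myself. I have set OverGroup as a member of SubGroup.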

I want to be able to one-line query SubGroup and retrieve not OverGroup, i.e.:

Values:  
CN=OverGroup,OU=Groups,DC=example,DC=com

but the full enumeration of the actual Users (User A, B, C) within OverGroup, i.e.:

Values:  
CN=UserA,OU=OtherOU,DC=example,DC=com
CN=UserB,OU=OtherOU,DC=example,DC=com
CN=UserC,OU=OtherOU,DC=example,DC=com

Is there a one-liner LDAP filter that could retrieve this? (It will be put into the ExternalAuth configuration 'ldap' section in a Request Tracker instance. Pretty sure I can only do this with one query the ExternalAuth module can understand.)

Everything I try does not work, and from my reading, it does not seem possible to enumerate a list of users within a group that is a member of another group with any one-line query. Thoughts?

Recommended answer

Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.

Here is an example of how to retrieve all users in a group, including nested groups:

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))

where {0} is the DN of the parent group.
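
The following is an added example, not part of the original answer: it fills {0} with an RFC 4515-escaped group DN and models, over a constructed directory matching the question, what a direct memberOf filter returns versus the in-chain filter. The helper names, the UserD entry and the in-memory directory are assumptions for illustration; the model compares DNs as exact strings.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # matching-rule OID used in the answer's filter

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 special characters)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def nested_users_filter(group_dn):
    """The answer's filter with {0} replaced by the escaped group DN."""
    return "(&(objectClass=user)(memberof:%s:=%s))" % (
        IN_CHAIN, escape_filter_value(group_dn))

# Constructed directory mirroring the question: DN -> (objectClass, direct memberOf).
BASE = "DC=example,DC=com"
SUB = "CN=SubGroup,OU=Groups," + BASE
OVER = "CN=OverGroup,OU=Groups," + BASE
DIRECTORY = {
    SUB: ("group", []),
    OVER: ("group", [SUB]),  # OverGroup is a member of SubGroup
    "CN=UserA,OU=OtherOU," + BASE: ("user", [OVER]),
    "CN=UserB,OU=OtherOU," + BASE: ("user", [OVER]),
    "CN=UserC,OU=OtherOU," + BASE: ("user", [OVER]),
    "CN=UserD,OU=OtherOU," + BASE: ("user", []),  # constructed non-member
}

def direct_members(directory, group_dn):
    """Users matched by (&(objectClass=user)(memberOf=<group_dn>)): one hop only."""
    return sorted(dn for dn, (cls, groups) in directory.items()
                  if cls == "user" and group_dn in groups)

def in_chain_members(directory, group_dn):
    """Users matched by the in-chain filter: memberOf followed transitively."""
    def reaches(dn, seen):
        for parent in directory[dn][1]:
            if parent == group_dn:
                return True
            if parent in directory and parent not in seen:
                seen.add(parent)  # guards against circular group nesting
                if reaches(parent, seen):
                    return True
        return False
    return sorted(dn for dn, (cls, _) in directory.items()
                  if cls == "user" and reaches(dn, {dn}))

if __name__ == "__main__":
    print(nested_users_filter(SUB))
    print("direct:  ", direct_members(DIRECTORY, SUB))
    print("in-chain:", in_chain_members(DIRECTORY, SUB))
```

In this model the direct filter on SubGroup matches no users, because its only direct member is the OverGroup group object, while the in-chain filter returns UserA, UserB and UserC.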
