Searching for a user and associated groups on LDAP in one search

Question

New to LDAP. The way our LDAP is arranged is People and Groups. The People have user information such as name, uid, and mail. The Groups have a group name and multiple member fields with values like cn=First Last,cn=people,dc=comic,dc=com, listing the People that are members of the group.

Currently, starting with userid and password, I am doing two searches: 1) Get the user by searching the People base domain on uid=value. Then from the user get the first and last name. 2) Search the Groups base domain on member=cn=First Last,cn=People,dc=comic,dc=com and iterate over the list of group objects returned to get the group name field.

I am just wondering: is there a way to do all this in one search, or are two searches necessary?

Answer

It is possible, provided that you implement a Reverse Group Membership Maintenance Overlay.

To determine which groups an entry is a member of without performing extra searches, the memberOf overlay is exactly what you need.

The memberof overlay updates an attribute (by default memberOf) whenever changes occur to the membership attribute (by default member) of entries of the objectclass (by default groupOfNames) configured to trigger updates. Thus, it provides maintenance of the list of groups an entry is a member of, when usual maintenance of groups is done by modifying the members on the group entry.

You may find this Server Fault post useful for a how-to.

Once you have the memberOf attribute ready to be used, you may have to run ldapmodify manually on each group entry, but just once, so that all member entries can be provisioned with the corresponding group DN in their respective memberOf attribute.

Finally, to perform a group membership search for a given user, you would just search for the user entry and iterate the memberOf attribute to get the group DNs.
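The three practical pieces behind this answer, as an added example that is not part of the original question or answer: the cn=config LDIF that enables OpenLDAP's memberof overlay, a helper that turns an LDIF export of existing groups into the one-off ldapmodify run the answer mentions (delete and re-add each group's member values so the overlay back-fills memberOf on users that already existed), and the single search that replaces the two-step lookup. The olc* attribute names are OpenLDAP's; the database DN olcDatabase={1}mdb, the module path, the sample groups and the delete/re-add approach to back-filling are assumptions for this example (test the back-fill on a staging server first). The uid is escaped per RFC 4515 before it goes into the filter, since in the question's flow it comes straight from the login form; note also that in OpenLDAP memberOf is an operational attribute, so it must be requested explicitly or the search will not return it.

```python
"""Added example: memberOf overlay setup, one-off back-fill, and the single
search. Talks to no server; all input LDIF below is constructed inline."""
from typing import Dict, List

# --- 1. overlay configuration (OpenLDAP olc* attributes) -------------------

def overlay_config_ldif(database_dn: str = "olcDatabase={1}mdb,cn=config",
                        module_path: str = "/usr/lib/ldap") -> str:
    """cn=config entries that load memberof.la and attach the overlay to one
    database. database_dn and module_path are assumptions for this example."""
    return (
        "dn: cn=module,cn=config\n"
        "objectClass: olcModuleList\n"
        "cn: module\n"
        f"olcModulePath: {module_path}\n"
        "olcModuleLoad: memberof.la\n"
        "\n"
        f"dn: olcOverlay=memberof,{database_dn}\n"
        "objectClass: olcOverlayConfig\n"
        "objectClass: olcMemberOf\n"
        "olcOverlay: memberof\n"
        "olcMemberOfRefInt: TRUE\n"          # keep memberOf consistent on deletes
        "olcMemberOfGroupOC: groupOfNames\n"  # the answer's default group class
        "olcMemberOfMemberAD: member\n"
        "olcMemberOfMemberOfAD: memberOf\n"
    )

# --- 2. one-off ldapmodify to back-fill memberOf on existing members --------

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated records, 'attr: value' lines,
    folded continuation lines (leading space) joined. No base64 ('::') support."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines + [""]:  # sentinel flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def regenerate_membership_ldif(groups_ldif: str) -> str:
    """For every groupOfNames in an export, emit a modify that removes and
    re-adds its member values. Assumption: re-applying member is what makes the
    overlay populate memberOf on users that predate the overlay."""
    out: List[str] = []
    for entry in parse_ldif(groups_ldif):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        members = entry.get("member", [])
        if "groupofnames" not in classes or not members:
            continue  # not a group, or nothing to re-apply
        out.append(f"dn: {entry['dn'][0]}\nchangetype: modify\n"
                   "delete: member\n-\nadd: member\n")
        out.extend(f"member: {m}\n" for m in members)
        out.append("-\n\n")
    return "".join(out)

# --- 3. the single search -----------------------------------------------------

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a user-supplied uid cannot change the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_groups_search(uid: str, people_base: str = "cn=People,dc=comic,dc=com"):
    """(base, filter, attributes) for the one search that replaces both steps.
    memberOf is operational in OpenLDAP, so it is requested explicitly."""
    return (people_base, f"(uid={escape_filter_value(uid)})", ["cn", "mail", "memberOf"])

# Constructed sample export: one real group plus a non-group entry to skip.
SAMPLE_GROUPS_LDIF = """\
dn: cn=admins,cn=Groups,dc=comic,dc=com
objectClass: groupOfNames
cn: admins
member: cn=First Last,cn=People,dc=comic,dc=com
member: cn=Ann Other,cn=People,dc=comic,dc=com

dn: cn=Groups,dc=comic,dc=com
objectClass: organizationalRole
cn: Groups
"""

if __name__ == "__main__":
    print(overlay_config_ldif())
    print(regenerate_membership_ldif(SAMPLE_GROUPS_LDIF))
    print(user_groups_search("jdoe"))
```

Apply the first two outputs with ldapmodify against cn=config and the data database respectively; the tuple from user_groups_search maps directly onto any client's search call, and the user entry it returns carries the group DNs in memberOf, which is the iteration the answer describes.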
