在搜索过滤器中使用 DN [英] Using DN in Search Filter

问题描述

在我的 LDAP 客户端程序中，有时我必须在搜索过滤器中包含 DN 值.但是这个 DN 经常变化，每次我都必须在我的代码中更改这个过滤器.

In my LDAP Client program sometimes I have to include the DN value within the search filter. But this DN is changing frequently and every I have to change this filter in my code.

当我搜索它时，我得到了类似的东西

When I googled it for that I got something like this

假设您想从研发和人力资源部门拉出 ObjectType = Person 的所有用户，但不从营销和 PM 拉出任何用户.过滤器将是:

Suppose you want to pull all users of ObjectType = Person from the R&D and HR ous, but not any users from Marketing and PM. The filter would be:

(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))

谁能详细解释一下?

推荐答案

你应该检查 RFC 2254(LDAP 搜索过滤器的字符串表示).

You should check RFC 2254 (The String Representation of LDAP Search Filters).

LDAP 过滤器对布尔运算符使用 波兰符号.所以运算符写在它的操作数之前:

LDAP filters use polish notation for the boolean operators. So the operator is written before its operands:

(&(condition1)(condition2)(condition3)...)

上面的例子意味着你想要所有满足 condition1 AND condition2 AND condition3 的 LDAP 条目等等.

The example above means that you want all LDAP entries which satisfy condition1 AND condition2 AND condition3 and so on.

然后有条件本身.它们非常简单，只能包含几种类型:

Then there are condition themselves. They are very simple and can consist only of few types:

• 现状 - (attrName=*)
• 简单条件 - (attrName>=value)/(attrName<=value)/(attrNamevalue=value)/(attrName~=value)
• 子字符串条件 - (attrName=*value*)/(attrName=*value)/(attrName=value*)
• 可扩展条件 - (attrName:dn:=value)/(attrName:matchingRule:=value)

• present condition - (attrName=*)
• simple condition - (attrName>=value) / (attrName<=value) / (attrNamevalue=value) / (attrName~=value)
• substring condition - (attrName=*value*) / (attrName=*value) / (attrName=value*)
• extensible condition - (attrName:dn:=value) / (attrName:matchingRule:=value)

带有:dn: 关键字的可扩展条件 意味着您希望条目DN 中的属性也被考虑在内.因此，对于您的案例条目 cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com 将匹配过滤器 (ou:dn:=HumanResource).

The extensible condition with the :dn: keyword means, that you want attributes from the entry DN to be considered as well. So for your case entry cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com would match the filter (ou:dn:=HumanResource).

将您的示例过滤器翻译成英文句子是:

Translating your example filter to an English sentence would be:

找到所有 objectClass 等于 person 并且在其中包含 ResearchAndDevelopment 或 HumanResources 的 LDAP 条目ou 属性或其 DN 上的某个位置.

Find me all LDAP entries which have objectClass equal to person and have either ResearchAndDevelopment or HumanResources in their ou attribute or somewhere on their DN.

这篇关于在搜索过滤器中使用 DN的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！