How can I make a LDAP query that returns only groups having OU=Groups from all levels?


Question

If I am looking for all Groups, I get too much garbage.

If I try to narrow down the base, I get too few.

Here is an example:

CN=A Team,OU=Groups,OU=Americas,DC=example,DC=com
CN=B TEAM,OU=Groups,OU=EMEA,DC=example,DC=com
CN=C Team,OU=Legacy Groups,DC=example,DC=com
CN=D Team,OU=Groups,OU=Bangalore,OU=APAC,DC=example,DC=com
CN=E Team,OU=Common Groups,DC=example,DC=com

I am looking for an LDAP filter that returns A, B, D, E (without C); mainly the logic would be: get me all groups whose last OU is OU=Groups or OU=Common Groups.

My current search is using:

 Search base: CN=Users,DC=citrite,DC=net
 Filter: (objectCategory=Group)

Answer

First, on Microsoft Active Directory it is impossible to do this in a single search; that's because AD is not fully LDAP compatible.

LDAP-compliant servers support an extensible-match filter which provides the necessary filtering. From RFC 4511:

If the dnAttributes field is set to TRUE, the match is additionally applied against all the AttributeValueAssertions in an entry's distinguished name, and it evaluates to TRUE if there is at least one attribute or subtype in the distinguished name for which the filter item evaluates to TRUE. The dnAttributes field is present to alleviate the need for multiple versions of generic matching rules (such as word matching), where one applies to entries and another applies to entries and DN attributes as well.

Note that the extensible-match filter technique only works with LDAP-compliant servers, of which AD is not one.

For example, I added the following entries to a server:

dn: ou=legacy groups,o=training
objectClass: top
objectClass: organizationalUnit
ou: legacy groups

dn: ou=common groups,o=training
objectClass: top
objectClass: organizationalUnit
ou: common groups

dn: ou=groups,o=training
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=a,ou=common groups,o=training
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=user.0,ou=people,o=training
cn: a

dn: cn=b,ou=groups,o=training
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=user.0,ou=people,o=training
cn: b

dn: cn=c,ou=legacy groups,o=training
objectClass: top
objectClass: groupOfUniqueNames
uniqueMember: uid=user.0,ou=people,o=training
cn: c

Examine the filter in the following search, run after the above entries were added:

ldapsearch --propertiesFilePath ds-setup/11389/ldap-connection.properties \
    --baseDN o=training \
    --searchScope sub '(|(ou:dn:=groups)(ou:dn:=common groups))' 1.1

dn: ou=common groups,o=training

dn: cn=a,ou=common groups,o=training

dn: ou=groups,o=training

dn: cn=b,ou=groups,o=training

Note that ou=common groups, ou=groups, and their subordinates are returned, but not ou=legacy groups and its subordinates.

This example uses the modern syntax of the ldapsearch command-line tool. If you are using the legacy OpenLDAP version of ldapsearch, the command-line arguments are somewhat different, but that does not matter. The important part is the filter.
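The following Python is an added example, not code from the question or the answer above. It reproduces the semantics of the `(ou:dn:=...)` extensible-match filter on the client side, which is what you are left with on a directory that rejects that filter (the answer says AD does): run the broad `(objectCategory=group)` search, then post-filter the returned DNs yourself. It parses DNs per RFC 4514 (so an escaped comma inside a CN does not break the split), implements the RFC 4511 dnAttributes rule (any RDN of the DN may match) beside the questioner's stricter "nearest OU" rule, and builds the server-side filter string with RFC 4515 escaping. The sample DNs are the five from the question plus two constructed extra cases; all function names are my own, not part of any library.

```python
import re
from typing import List, Sequence, Tuple

# Constructed sample: the question's DNs plus two extra cases (an OU=Groups that
# is not the nearest OU, and a CN containing an escaped comma). Not real data.
SAMPLE_DNS = [
    "CN=A Team,OU=Groups,OU=Americas,DC=example,DC=com",
    "CN=B TEAM,OU=Groups,OU=EMEA,DC=example,DC=com",
    "CN=C Team,OU=Legacy Groups,DC=example,DC=com",
    "CN=D Team,OU=Groups,OU=Bangalore,OU=APAC,DC=example,DC=com",
    "CN=E Team,OU=Common Groups,DC=example,DC=com",
    "CN=F Team,OU=Archive,OU=Groups,DC=example,DC=com",   # added case
    "CN=G Team\\, Ops,OU=Groups,DC=example,DC=com",        # added case, escaped comma
]
WANTED_OUS = ("Groups", "Common Groups")


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split on sep, ignoring a sep that is backslash-escaped (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])          # keep the escape pair for _unescape
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Decode \\X and \\hh escapes. A hex pair becomes one code point, which is
    exact for ASCII; multi-byte UTF-8 escapes are out of scope for this example."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            hexpair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                out.append(chr(int(hexpair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attr, value), ...] leaf-first, attribute types lower-cased.
    Multi-valued RDNs (a=1+b=2) are flattened into separate pairs."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            attr, _, value = ava.partition("=")
            pairs.append((attr.strip().lower(), _unescape(value.strip())))
    return pairs


def dn_attribute_match(dn: str, attr: str, values: Sequence[str]) -> bool:
    """RFC 4511 dnAttributes rule: TRUE if at least one RDN carries attr with one
    of the values. ou uses caseIgnoreMatch, so compare case-insensitively."""
    wanted = {v.lower() for v in values}
    return any(a == attr.lower() and v.lower() in wanted for a, v in parse_dn(dn))


def nearest_ou_match(dn: str, values: Sequence[str]) -> bool:
    """The questioner's stricter rule: only the OU closest to the leaf counts."""
    wanted = {v.lower() for v in values}
    for attr, value in parse_dn(dn):
        if attr == "ou":
            return value.lower() in wanted
    return False


def filter_group_dns(dns: Sequence[str], values: Sequence[str] = WANTED_OUS,
                     nearest_only: bool = False) -> List[str]:
    """Post-filter a (objectCategory=group) result set; return the matching CNs."""
    keep = []
    for dn in dns:
        hit = nearest_ou_match(dn, values) if nearest_only else dn_attribute_match(dn, "ou", values)
        if hit:
            keep.append(parse_dn(dn)[0][1])
    return keep


# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def build_dn_filter(attr: str, values: Sequence[str]) -> str:
    """Build the server-side extensible-match filter shown in the answer."""
    terms = "".join(f"({attr}:dn:={escape_filter_value(v)})" for v in values)
    return f"(|{terms})" if len(values) > 1 else terms


if __name__ == "__main__":
    print(build_dn_filter("ou", [v.lower() for v in WANTED_OUS]))
    print("dnAttributes rule:", filter_group_dns(SAMPLE_DNS))
    print("nearest-OU rule:  ", filter_group_dns(SAMPLE_DNS, nearest_only=True))
```

The two rules differ on the added F Team entry: the server-side `ou:dn:=groups` filter (and `dn_attribute_match`) accepts it because some RDN in its DN is OU=Groups, while the "last OU" wording in the question would reject it because the OU nearest the group is OU=Archive. Decide which of the two you actually mean before trusting the server-side filter, and always escape values with `escape_filter_value` when a user-supplied string ends up inside a filter.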
