LDAP group membership (including Domain Users)

Problem description

How can I get a list of users within an LDAP group, even if that group happens to be the primary group for some users?

For example, suppose "Domain Users" is "Domain Leute" in German. I want all members of "CN=Domain Leute,DC=mycompany,DC=com". How would I know that is the well-known "Domain Users" group?

Or what if some users' primary group was changed to "CN=rebels,DC=mycompany,DC=com", and I wanted to get members of THAT group? Users don't have a memberOf property for their primary group, and the primary group won't have a member property listing them.

This is what I see when viewed via LDAP (i.e., no MS extensions):

Recommended answer

You need to find out primaryGroupToken from the Group object first. If you are using ADSIEdit, you need to make sure you have the "Constructed" filter on to see this calculated attribute. For Domain Users, the primaryGroupToken should be 513.

Then, you need to find all the users with primaryGroupID set to this value. Here is the LDAP query you should write to find out all users with Domain Users set as the primary group.

(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))

Edit

Here are the steps to show primaryGroupToken in LDAP Browser. I am using LDAP browser 2.6 build 650. Right click your profile and click properties.

Go to LDAP Settings tab and click Advanced button.

Add an extra operational attribute primaryGroupToken.

Click Apply button and close the properties page. Now, you should see the primaryGroupToken in your group object.
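
The two steps in the answer, as an added Python example (not code from the original answer): it derives the group's token from the last sub-authority (RID) of its binary objectSid, which is the value Active Directory returns as primaryGroupToken, and builds one filter that matches users listed through memberOf as well as users who hold the group as their primary group. The SID bytes are constructed sample data and the function names are hypothetical.

```python
import struct

# Constructed sample objectSid for a group: S-1-5-21-<domain>-513
SAMPLE_GROUP_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
                    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 513))


def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    if len(raw) < 12:
        raise ValueError("SID too short to contain a RID")
    revision, count = raw[0], raw[1]
    if count < 1 or len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def rid_from_sid(raw: bytes) -> int:
    """Last sub-authority (RID); for a group this equals primaryGroupToken."""
    return int(parse_sid(raw).rsplit("-", 1)[1])


def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so a DN is safe inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def all_members_filter(group_dn: str, group_sid: bytes) -> str:
    """Filter matching users listed via memberOf OR via primaryGroupID."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(|(memberOf=%s)(primaryGroupID=%d)))"
            % (escape_filter_value(group_dn), rid_from_sid(group_sid)))


if __name__ == "__main__":
    print(parse_sid(SAMPLE_GROUP_SID))
    print(all_members_filter("CN=Domain Leute,DC=mycompany,DC=com", SAMPLE_GROUP_SID))
```

The memberOf clause matches direct membership only; nested groups are not expanded by this filter. Because the RID comes from the SID rather than the group's name, a localized "Domain Users" group still resolves to 513.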
