我需要为通用AD服务实现嵌套组成员资格。 以前,我使用了一个特定的搜索过滤器(“成员:1.2.840.113556.1.4.1941:=”),通过该搜索过滤器使用单个搜索请求,我能够获得该用户所属的所有组成员资格。 。但是,看起来搜索过滤器似乎只适用于MS AD服务器,而不适用于通用AD服务器。
那么,是否有人知道我们可以在搜索请求中发送的任何特定搜索过滤器(适用于所有AD服务器),通过该搜索过程我可以通过单个搜索查询派生嵌套组成员资格。
先谢谢你的帮助。
答案 0 :(得分:0)
“member:1.2.840.113556.1.4.1941”是LDAP_MATCHING_RULE_IN_CHAIN,其他LDAP供应商很可能无法实现。 LDAP Wiki
编辑:
如果要重新组合群组,可以执行以下操作:
使用过滤器:
(&(objectCategory=organizationalPerson)(objectClass=User)(sAMAccountName=YOURUSER)
get "distinguishedName" (this is the user's distinguishedName)
get "memberOf" (this is a collection of distinguishedNames of the groups the user is a member of (minus the primary group in MS Active Directory, which should be "Domain Users"))
Foreach memberOf in the collection: (This is the first level, so there is no need to check if he is there, because he is.)
(&(objectCategory=group)(distinguishedName=THISMEMBEROF))
get "member" (this is a collection of distinguishedNames of group members)
Foreach memberOf in the collection:
This is the second level (the groups within the groups), so first check if the users distinguishedName is present.
(&(objectCategory=group)(distinguishedName=THISMEMBEROF))
get "member" (this is a collection of distinguishedNames of group members)
Foreach memberOf in the collection:
This is the third level (the groups within the groups), so first check if the users distinguishedName is present.
(&(objectCategory=group)(distinguishedName=THISMEMBEROF))
get "member" (this is a collection of distinguishedNames of group members)
etc.