Generic LDAP nested group implementation

Time: 2012-12-04 10:28:09

Tags: active-directory ldap nested openldap ldap-query

I need to implement nested group membership for a generic AD service. Previously I used a specific search filter ("member:1.2.840.113556.1.4.1941:=") with which, in a single search request, I was able to get all the group memberships the user belongs to. However, it looks like that search filter only works with an MS AD server and not with generic AD servers.

So, does anyone know of a specific search filter we can send in a search request (one that works with all AD servers) through which I can derive nested group membership with a single search query?

Thanks in advance for your help.

1 answer:

Answer 0: (score: 0)

"member:1.2.840.113556.1.4.1941" is LDAP_MATCHING_RULE_IN_CHAIN, which other LDAP vendors most likely do not implement. LDAP Wiki

Edit:

If you want to recurse through the groups, you can do the following:

Use the filter:

    (&(objectCategory=organizationalPerson)(objectClass=User)(sAMAccountName=YOURUSER))

    get "distinguishedName"  (this is the user's distinguishedName)
    get "memberOf"  (this is a collection of distinguishedNames of the groups the user is a member of (minus the primary group in MS Active Directory, which should be "Domain Users"))

    Foreach memberOf in the collection: (This is the first level, so there is no need to check if he is there, because he is.)

    (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

    get "member" (this is a collection of distinguishedNames of group members)

    Foreach memberOf in the collection:

    This is the second level (the groups within the groups), so first check if the user's distinguishedName is present.
    (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

    get "member" (this is a collection of distinguishedNames of group members)

    Foreach memberOf in the collection:

    This is the third level (the groups within the groups), so first check if the user's distinguishedName is present.
    (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

    get "member" (this is a collection of distinguishedNames of group members)

etc.
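The level-by-level walk above, written out as an added Python example (not the answerer's code, and not tied to any LDAP library). It generalises the "first level, second level, third level, etc." steps into one loop: each group found is looked up with one search request, the equivalent of `(&(objectCategory=group)(distinguishedName=<dn>))`, and its own `memberOf` supplies the next level. That follows the nesting upward through `memberOf` rather than pulling each group's `member` list, which is the cheaper direction when the question is "which groups does this user belong to". The directory here is a constructed in-memory dictionary standing in for the server, the DNs are made up, and `FakeDirectory`, `search_by_dn` and `nested_groups` are names of this example only. The visited set matters in practice: AD allows group nesting cycles, and without it the walk never ends. Like the answer's procedure, this does not include the user's primary group.

```python
from collections import deque

# Constructed sample directory standing in for the LDAP server (not real data):
# DN -> attributes. Developers and Engineering contain each other, which is the
# cycle that a naive recursive walk would loop on forever.
USER_DN = "CN=alice,OU=Users,DC=example,DC=com"
DEVELOPERS = "CN=Developers,OU=Groups,DC=example,DC=com"
ENGINEERING = "CN=Engineering,OU=Groups,DC=example,DC=com"
ALL_STAFF = "CN=All Staff,OU=Groups,DC=example,DC=com"

SAMPLE_DIRECTORY = {
    USER_DN: {
        "objectCategory": "organizationalPerson",
        "sAMAccountName": "alice",
        "memberOf": [DEVELOPERS],
    },
    DEVELOPERS: {
        "objectCategory": "group",
        "member": [USER_DN, ENGINEERING],
        "memberOf": [ENGINEERING],
    },
    ENGINEERING: {
        "objectCategory": "group",
        "member": [DEVELOPERS],
        "memberOf": [ALL_STAFF, DEVELOPERS],  # cycle back to Developers
    },
    ALL_STAFF: {
        "objectCategory": "group",
        "member": [ENGINEERING],
        "memberOf": [],
    },
}


class FakeDirectory:
    """Stands in for an LDAP connection (hypothetical helper for this example).

    Each lookup counts as one search request, the equivalent of
    (&(objectCategory=group)(distinguishedName=<dn>)) against the real server.
    """

    def __init__(self, entries):
        # AD distinguished names are case-insensitive; lower-casing is a
        # simplification that is good enough for the sample data here.
        self._entries = {dn.lower(): attrs for dn, attrs in entries.items()}
        self.searches = 0

    def search_by_dn(self, dn):
        self.searches += 1
        return self._entries.get(dn.lower())


def nested_groups(user_dn, directory):
    """Return every group the user belongs to, directly or through nesting.

    Breadth-first walk over memberOf: the first level comes from the user
    entry, each further level from the memberOf of the groups just found.
    A visited set stops cycles and avoids re-querying shared parent groups.
    """
    user = directory.search_by_dn(user_dn)
    if user is None:
        raise LookupError(f"user not found: {user_dn}")

    found = []
    seen = set()
    queue = deque(user.get("memberOf", []))
    while queue:
        group_dn = queue.popleft()
        key = group_dn.lower()
        if key in seen:
            continue
        seen.add(key)
        group = directory.search_by_dn(group_dn)
        # Skip dangling references and anything that is not a group.
        if group is None or group.get("objectCategory") != "group":
            continue
        found.append(group_dn)
        queue.extend(group.get("memberOf", []))
    return found


if __name__ == "__main__":
    directory = FakeDirectory(SAMPLE_DIRECTORY)
    for group_dn in nested_groups(USER_DN, directory):
        print(group_dn)
    print(f"{directory.searches} search requests")
```

On the sample data this resolves three groups with four search requests (one for the user, one per group), which is the trade-off against the single LDAP_MATCHING_RULE_IN_CHAIN query: the number of requests grows with the number of groups reached, so cache results or cap the depth if the directory is large.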