Adding a user to LDAP through a Java application triggers a group search

Time: 2013-06-12 17:49:56

Tags: ldap openldap

I have a Spring application that adds users to slapd. The user is added and associated with a group. The application is modular, and different modules are able to create users to be added to slapd. The original developer did not take the group into account, so two of the modules would create a user that could not log in to the third module. Once I corrected that, I saw slapd searching every DN in the group:

conn=1020 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=3 filter="(member=uid=hack-a-tack,ou=users,dc=example,dc=com)"

This search then walks through every user in the group, not just the one in the filter.

Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=3 filter="(member=uid=hack-a-tack,ou=users,dc=example,dc=com)"
Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH attr=cn
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "ou=groups,dc=example,dc=com" "entry" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => dn: [2] ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_get: [3] attr entry
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: access to entry "ou=groups,dc=example,dc=com", attr "entry" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: to all values by "cn=manager,ou=users,dc=example,dc=com", (=0)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=manager,ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] mask: write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => slap_access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: bdb_idl_fetch_key: [01872a84]
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_filter_candidates: id=0 first=0 last=0
Jun 12 10:07:16 cm-coret1 slapd[8145]: bdb_idl_fetch_key: %ou=groups,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011AND
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_list_candidates 0xa0
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: bdb_idl_fetch_key: [757973d2]
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_filter_candidates: id=1 first=6 last=6
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_list_candidates: id=1 first=6 last=6
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= bdb_filter_candidates: id=1 first=6 last=6
Jun 12 10:07:16 cm-coret1 slapd[8145]: => test_filter
Jun 12 10:07:16 cm-coret1 slapd[8145]:     EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "cn=USER,ou=groups,dc=example,dc=com" "member" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => dn: [2] ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_get: [3] attr member
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: access to entry "cn=USER,ou=groups,dc=example,dc=com", attr "member" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => acl_mask: to value by "cn=manager,ou=users,dc=example,dc=com", (=0)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=admin,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= check a_dn_pat: cn=manager,ou=users,dc=example,dc=com
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Jun 12 10:07:16 cm-coret1 slapd[8145]: <= acl_mask: [2] mask: write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => slap_access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access granted by write(=wrscxd)
Jun 12 10:07:16 cm-coret1 slapd[8145]: dnMatch -3#012#011"uid=redients,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
........> just continues to loop after this

It then blocks all other connections that try to do any kind of search or update. Does anyone know whether I can configure slapd.conf to send this search?
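The trace above is slapd debug output as delivered by syslog, which encodes control characters as octal `#ooo` escapes (`#011` is a tab, `#012` a newline), so a multi-line `dnMatch` message arrives as one line. The `dnMatch` lines are the server comparing each `member` value of the matched group entry against the DN in the equality filter, and only the `SRCH` line carries `conn=`/`op=` identifiers. The following script is an added example, not code from the question or the answer: it decodes the escapes, attributes the trace lines to the most recent `SRCH` seen for that slapd process (a heuristic, since the trace lines themselves are not tagged with a connection), and counts DN comparisons per operation so that an operation doing far more comparisons than expected stands out. The sample log is constructed to match the format quoted in the question; the user DNs and the second connection are made up for illustration.

```python
import re

# Constructed sample modelled on the slapd debug lines quoted in the question.
# The extra member values and conn=1021 are invented for the example.
SAMPLE_LOG = """\
Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=1 deref=3 filter="(member=uid=hack-a-tack,ou=users,dc=example,dc=com)"
Jun 12 10:07:16 cm-coret1 slapd[8145]: conn=1020 op=1 SRCH attr=cn
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "ou=groups,dc=example,dc=com" "entry" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: => bdb_filter_candidates
Jun 12 10:07:16 cm-coret1 slapd[8145]: #011EQUALITY
Jun 12 10:07:16 cm-coret1 slapd[8145]: => access_allowed: search access to "cn=USER,ou=groups,dc=example,dc=com" "member" requested
Jun 12 10:07:16 cm-coret1 slapd[8145]: dnMatch -3#012#011"uid=redients,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
Jun 12 10:07:16 cm-coret1 slapd[8145]: dnMatch -3#012#011"uid=alice,ou=users,dc=example,dc=com"#012#011"uid=hack-a-tack,ou=users,dc=example,dc=com"
Jun 12 10:07:17 cm-coret1 slapd[8145]: conn=1021 op=0 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=bob)"
Jun 12 10:07:17 cm-coret1 slapd[8145]: conn=1021 op=0 SRCH attr=cn
"""

# syslog (rsyslog/sysklogd) escapes control characters as "#" + three octal digits.
_ESC = re.compile(r"#([0-7]{3})")

def unescape_syslog(text: str) -> str:
    """Turn '#011' / '#012' back into the tab / newline slapd originally wrote."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 8)), text)

# "Jun 12 10:07:16 host slapd[8145]: <message>"
_PREFIX = re.compile(r"^\S+ +\d+ \d\d:\d\d:\d\d \S+ slapd\[(\d+)\]: (.*)$")
_SRCH = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=(\d) filter="(.*)"$')
# After unescaping: dnMatch <result>\n\t"<attribute value>"\n\t"<filter value>"
_DNMATCH = re.compile(r'^dnMatch (-?\d+)\n\t"([^"]*)"\n\t"([^"]*)"$')

def parse_slapd_log(lines):
    """Return {(conn, op): stats} for every SRCH operation in the trace.

    Trace lines between two SRCH lines are charged to the SRCH seen last,
    which is a heuristic: slapd interleaves debug output from all connections.
    """
    ops = {}
    current = None
    for raw in lines:
        m = _PREFIX.match(raw)
        if not m:
            continue
        msg = unescape_syslog(m.group(2))
        s = _SRCH.match(msg)
        if s:
            current = (int(s.group(1)), int(s.group(2)))
            ops[current] = {
                "base": s.group(3), "scope": int(s.group(4)), "deref": int(s.group(5)),
                "filter": s.group(6), "dn_compares": 0, "acl_checks": 0,
                "compared_values": [],   # member values slapd tested against the filter
            }
            continue
        if current is None:
            continue
        d = _DNMATCH.match(msg)
        if d:
            ops[current]["dn_compares"] += 1
            ops[current]["compared_values"].append(d.group(2))
        elif msg.startswith("=> access_allowed:"):
            ops[current]["acl_checks"] += 1
    return ops

def flag_expensive_searches(ops, max_compares=1):
    """Operations that compared more DN values than a single-member lookup should."""
    return sorted(k for k, v in ops.items() if v["dn_compares"] > max_compares)

if __name__ == "__main__":
    stats = parse_slapd_log(SAMPLE_LOG.splitlines())
    for key in flag_expensive_searches(stats):
        v = stats[key]
        print(f"conn={key[0]} op={key[1]} filter={v['filter']} "
              f"dn_compares={v['dn_compares']} acl_checks={v['acl_checks']}")
```

Run it against a real `slapd` syslog capture (for example the output of `journalctl -u slapd` or `/var/log/syslog`) by replacing `SAMPLE_LOG`; with the ACL and filter debug levels enabled as in the question, the attribution heuristic only holds while a single client is active, so capture with other clients quiesced if you want per-operation counts to be trustworthy.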

1 answer:

Answer 0 (score: 0)

"Send this search"? Do you mean stop this search? The answer is no; you have to fix the application that is doing this.