問題描述
Пошукавы фільтр укладзеных груп LDAP (Nested Group LDAP Search Filter)
I need information regarding LDAP search filter to extract nested group membership. Basically, my idea is say for instance, a user is belonging to 5 groups [A, B, C, D, E] Can I write a single LDAP search query to get the member groups to which group [A, B, C, D, E] may be a part of? And I can use this logc recursively to retrieve all group information till the complete root of the AD?
And I need this solution to be for generic AD, so I cannot use LDAP_RULE_IN_CHAIN filter which works only for MS AD.
‑‑‑‑‑
參考解法
方法 1:
Groups are not something defined in the LDAP standard. As far as LDAP is concerned, group entries are just LDAP entries ‑‑ nothing more. The implementation of group support including how data structures like nested and dynamic groups are handled, queried, verified, etc. is totally up to the directory software vendor. For example, IBM's Security Directory Server (SDS) software supports nested and dynamic groups through its own proprietary objectclasses and attributes, which are specially recognized by the software, and traversing (for nested groups) and expansion (for dynamic groups) to verify membership or to obtain group structure are automatically done for the LDAP client. For instance, SDS provides operational attributes like ibm‑allgroups and ibm‑allmembers to help LDAP clients to pull group and membership information in nested and dynamic groups in single searches. Other directory vendors solve the same problem differently. Therefore, your solution will vary depending on the LDAP software you use. You can design your application to support multiple directory server software, but that depends on how sophisticated you want to get with group support in your application.
方法 2:
All Groups a User is a member of including Nested groups
As an example, to find all the groups that "CN=John Smith,DC=MyDomain,DC=NET" is a member of, set the base to the groups container DN; for example (OU=groupsOU,DC=MyDomain,DC=NET) and the scope to subtree, and use the following filter.
(member:1.2.840.113556.1.4.1941:=(CN=John Smith,DC=MyDomain,DC=NET))
Where CN=John Smith,DC=MyDomain,DC=NET is the user's FDN and the Extensible Match Rule 1.2.840.113556.1.4.1941.
‑jim
(by puzzled confused、Bora、jwilleke)