
I need to implement nested group membership for a generic AD service. Previously I used a specific search filter ("member:1.2.840.113556.1.4.1941:=") with which, in a single search request, I could get all of the group memberships the user belongs to. However, it looks like that search filter only works against MS AD servers and not against generic AD servers.

So, does anyone know of any specific search filter we can send in the search request (one that works on all AD servers) through which I can get nested group membership with a single search query?

Thanks in advance for your help with this.


1 Answer


"member:1.2.840.113556.1.4.1941" is LDAP_MATCHING_RULE_IN_CHAIN, which other LDAP vendors most likely do not implement. LDAP Wiki

Edit:

If you want to recurse through the groups, you can do the following:

Use the filter:

    (&(objectCategory=organizationalPerson)(objectClass=User)(sAMAccountName=YOURUSER))

    get "distinguishedName"  (this is the user's distinguishedName)
    get "memberOf"  (this is a collection of distinguishedNames of the groups the user is a member of (minus the primary group in MS Active Directory, which should be "Domain Users"))

    Foreach memberOf in the collection: (This is the first level, so there is no need to check if he is there, because he is.)

        (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

        get "member" (this is a collection of distinguishedNames of group members)

        Foreach memberOf in the collection:

            This is the second level (the groups within the groups), so first check if the user's distinguishedName is present.
            (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

            get "member" (this is a collection of distinguishedNames of group members)

            Foreach memberOf in the collection:

                This is the third level (the groups within the groups), so first check if the user's distinguishedName is present.
                (&(objectCategory=group)(distinguishedName=THISMEMBEROF))

                get "member" (this is a collection of distinguishedNames of group members)

                etc.
answered 2012-12-05T20:32:31.133
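The portable alternative to the AD-only matching rule, as an added example that is not part of the original question or answer: instead of one `member:1.2.840.113556.1.4.1941:=` query, walk `memberOf` upward from the user (user, then the user's groups, then those groups' parent groups, and so on) and stop when a DN has already been seen, so a membership cycle between two groups cannot loop forever. The directory below is constructed sample data, `parent_groups_of` is a hypothetical hook you would back with a real BASE-scope search for the `memberOf` attribute, and `known_groups` is the place to feed in a group that `memberOf` omits (the AD primary group). `ad_in_chain_filter` builds the original, AD-only filter with RFC 4515 escaping, for comparison.

```python
"""Nested (transitive) group membership without LDAP_MATCHING_RULE_IN_CHAIN.

Added example, not the original answer's code. Works on any server that
maintains a memberOf attribute (or an equivalent overlay); on servers that
do not, replace parent_groups_of with a (member=<dn>) search for groups.
"""
from collections import deque
from typing import Callable, Dict, Iterable, List

AD_IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (AD only)

# Constructed sample directory (not a real domain): DN -> attributes.
# It deliberately contains a cycle (cycle-a <-> cycle-b) and an unrelated
# group (hr) that the walker must not report.
_G = "OU=Groups,DC=example,DC=com"
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=alice,OU=Users,DC=example,DC=com": {
        "objectClass": ["person", "user"],
        "memberOf": [f"CN=dev,{_G}"],
    },
    f"CN=dev,{_G}": {"objectClass": ["group"],
                     "member": ["CN=alice,OU=Users,DC=example,DC=com"],
                     "memberOf": [f"CN=eng,{_G}"]},
    f"CN=eng,{_G}": {"objectClass": ["group"],
                     "member": [f"CN=dev,{_G}"],
                     "memberOf": [f"CN=all-staff,{_G}", f"CN=cycle-a,{_G}"]},
    f"CN=all-staff,{_G}": {"objectClass": ["group"],
                           "member": [f"CN=eng,{_G}"], "memberOf": []},
    f"CN=cycle-a,{_G}": {"objectClass": ["group"],
                         "member": [f"CN=eng,{_G}", f"CN=cycle-b,{_G}"],
                         "memberOf": [f"CN=cycle-b,{_G}"]},
    f"CN=cycle-b,{_G}": {"objectClass": ["group"],
                         "member": [f"CN=cycle-a,{_G}"],
                         "memberOf": [f"CN=cycle-a,{_G}"]},
    f"CN=hr,{_G}": {"objectClass": ["group"], "member": [], "memberOf": []},
}


def parent_groups_of(dn: str, directory=SAMPLE_DIRECTORY) -> List[str]:
    """Hypothetical hook: the DNs in this entry's memberOf attribute.

    Against a live server this would be a BASE-scope search on `dn` for the
    single attribute memberOf; an unknown DN simply has no parents.
    """
    return list(directory.get(dn, {}).get("memberOf", []))


def nested_groups(user_dn: str,
                  lookup: Callable[[str], List[str]] = parent_groups_of,
                  known_groups: Iterable[str] = ()) -> List[str]:
    """Breadth-first walk up memberOf; returns transitive group DNs in discovery order.

    known_groups seeds groups that memberOf does not list, e.g. the AD
    primary group resolved from primaryGroupID. Cycle-safe via `seen`.
    """
    seen = set()
    found: List[str] = []
    queue = deque([user_dn])

    def visit(group_dn: str) -> None:
        # DN matching is case-insensitive; lowercasing is a simplification of
        # full RFC 4517 DN normalization, adequate for de-duplication here.
        key = group_dn.lower()
        if key in seen:
            return
        seen.add(key)
        found.append(group_dn)
        queue.append(group_dn)  # expand this group's parents later

    for g in known_groups:
        visit(g)
    while queue:
        for parent in lookup(queue.popleft()):
            visit(parent)
    return found


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value (the special chars and NUL)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def ad_in_chain_filter(user_dn: str) -> str:
    """The AD-only single-query form of the same question, for comparison."""
    return "(&(objectCategory=group)(member:%s:=%s))" % (
        AD_IN_CHAIN_OID, escape_filter_value(user_dn))


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    for dn in nested_groups(alice):
        print(dn)
    print(ad_in_chain_filter(alice))
```

Against a real server, `lookup` is the only thing to replace; one BASE-scope search per discovered group is the price of portability, so cache results and cap the depth in hostile directories where an attacker can create group objects.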