python - 使用 python-ldap 获取嵌套的 LDAP 组成员

Question

我正在尝试找到最佳方法来获取属于使用 python-ldap 的 groupOfNames 成员的组的所有 LDAP 用户帐户的列表。这是在 OpenLDAP 服务器上，而不是 AD。我写了下面的函数，它完成了这项工作，但需要永远运行。我希望 python-ldap 有一些我不知道的内置函数，或者我可以修改一些东西以使其运行得更快。如果没有，希望其他人会发现此代码有用。提前感谢您的帮助！

def get_nested_members(con, dn):
    """
    Parameters
    ----------
    con : LDAPObject
        An authenticated python-ldap connection object
    dn : string
        The dn of the groupOfNames to be checked

    Returns
    -------
    members : list
        A list of all accounts that are members of the given dn
    """

    members = []
    searched = []
    to_search = [dn]

    while len(to_search) > 0:
        current_dn = to_search.pop()
        cn = current_dn.split(',')[0]
        r = con.search_s(base_dn, ldap.SCOPE_SUBTREE, cn, [])[0][1]
        if 'groupOfNames' in r['objectClass']:
            if 'member' in r:
                for i in r['member']:
                    if((i != current_dn) and (i not in searched)):
                        to_search.append(i)
            searched.append(current_dn)
        elif 'posixGroup' in r['objectClass']:
            if 'memberUid' in r:
                for i in r['memberUid']:
                    members.append(i)
            searched.append(current_dn)
        elif 'posixAccount' in r['objectClass']:
            if 'uid' in r:
                members.append(r['uid'][0])
        else:
            print('ERROR: encountered record of unknown type:')
            pprint(str([current_dn, r]))
    return list(set(members))

Answer 1

我意识到重复运行 ldapsearch 是限制因素，所以我制作了一个新版本，它首先构建了一个包含所有组和 groupOfNames 记录的字典。它比旧解决方案占用更多内存，但对 LDAP 服务器的负担更少，运行速度明显更快（我的应用程序从大约 15 分钟降至 <1 秒）。我将把原始代码留在新版本下面，以供参考。merge_dicts() 函数的功劳归功于Aaron Hall。

import ldap

def merge_dicts(*dict_args):
    """Given any number of dicts, shallow copy and merge into a new dict,
    precedence goes to key value pairs in latter dicts.
    """

    result = {}
    for dictionary in dict_args:
        result.update(dictionary)
    return result


def get_nested_members(con, dn, base_dn='dc=example'):
    """Search a groupOfNames and return all posixAccount members from all its subgroups

    Parameters
    ----------
    con: LDAPObject
        An authenticated LDAP connection object
    dn: string
        The dn of the groupOfNames to be searched for members
    (optional) base_dn: string
        The base dn to search on.  Make sure to change the default value to fit your LDAP server

    Returns
    -------
    members: list
        A list of all nested members from the provided groupOfNames
    """

    logging.info('Getting nested members of ' + str(dn))
    print('Getting nested members of ' + str(dn))

    if type(dn) is list:
        to_search = [] + dn
    elif type(dn) is str:
        to_search = [dn]
    else:
        print('ERROR: Invalid dn value.  Please supply either a sting or list of strings.')
        return []

    members = []
    searched = []

    groupOfNames_list = con.search_s(base_dn, ldap.SCOPE_SUBTREE, 'objectClass=groupOfNames', ['dn', 'member', 'cn'])
    groupOfNames_dict = {}
    for g in range(len(groupOfNames_list)):
        groupOfNames_dict[groupOfNames_list[g][0]] = groupOfNames_list[g][1]
    groupOfNames_list = None    #To free up memory

    group_list = con.search_s(base_dn, ldap.SCOPE_SUBTREE, 'objectClass=posixGroup', ['dn', 'memberUid', 'cn'])
    group_dict = {}
    for g in range(len(group_list)):
        group_dict[group_list[g][0]] = group_list[g][1]
    group_list = None   #To free up memory

    all_groups = merge_dicts(groupOfNames_dict, group_dict)
    group_dict = None   #To free up memory
    groupOfNamesdict = None #To free up memory

    while len(to_search) > 0:
        search_dn = to_search.pop()
        try:
            g = all_groups[search_dn]
            if 'memberUid' in g:
                members += g['memberUid']
                searched.append(search_dn)
            elif 'member' in g:
                m = g['member']
                for i in m:
                    if i.startswith('uid='):
                        members.append((i.split(',')[0]).split('=')[1])
                    elif i.startswith('cn='):
                        if i not in searched:
                            to_search.append(i)
                searched.append(search_dn)
            else:
                searched.append(search_dn)
        except:
            searched.append(search_dn)
    return list(set(members))