我正在尝试在自定义声明规则中获取组的自定义属性。
问题是无论我做什么,它总是对用户进行查询。
这是我的自定义声明规则的样子:
//获取所有组用户的规则是:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/Group"), query = ";tokenGroups;{0}", param = c.Value);
//获取组上的url属性的规则。
c:[Type == "http://schemas.xmlsoap.org/claims/Group"]
=> add(store = "Active Directory", types = ("http://temp/urlsOnGroup"), query = ";url;{0}", param = c.Value);
执行此操作时,我在 AD FS 服务器上的事件日志中看到一个错误,指出它正在尝试查找具有 GroupName 的用户。
我如何指定此规则,以便最后一个查询针对组名而不是用户进行
错误信息:
Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException:
POLICY0018: Query ';url;{0}' to attribute store 'Active Directory' failed:
'POLICY3826: User name 'GroupName' in LDAP query ';url;GroupName' is not in the
required 'domain\user' format. POLICY3824: The LDAP query to the Active
Directory attribute store must have three parts separated by semicolons. The
first part is the LDAP query filter, the second part is a comma-separated list
of LDAP attribute names, and the third part is the user name in 'domain\user'
format.'. --->
Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.AttributeStoreQueryF
ormatException: POLICY3826: User name 'GroupName' in LDAP query ';url;GroupName'
is not in the required 'domain\user' format. POLICY3824: The LDAP query to the
Active Directory attribute store must have three parts separated by semicolons.
The first part is the LDAP query filter, the second part is a comma-separated
list of LDAP attribute names, and the third part is the user name in
'domain\user' format.
Custom Attribute Store
如果可能的话,我想避免写作。我已经这样做了,但我正在尝试找到本机方式来查询 AD 安全组。