Question
I want to check whether the user "john" is in the "Calltaker" group. I can't seem to get the right syntax on the search filter to check for a specific user in a specific group. I can list all the users in the group to verify that the desired user is there.
Questions
- What is the right syntax for an LDAP search filter to determine whether a specific user is in a specific group (in Tivoli Access Manager)?
- What should I check on the returned LDAPEntry object given by that search string to see whether the user is, or isn't, in the group?
Information
- john is defined in "cn=users,dc=ldap,dc=net"
- Calltaker is defined in "cn=groups,dc=ldap,dc=net"
- I am querying TAM's LDAP from Java
Using the search filter "cn=Calltaker" I can print out the search results, so that calling nextEntry.toString contains the list of users. See example 1 below.
Here are a few search filters I've tried that don't work (aka searchResults.next() throws an error):
(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=groups,dc=ldap,dc=net))
(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net))
(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net)
Example 1) Searching only for the group, using searchFilter="cn=Calltaker", and verifying that it contains the user:
System.out.println(nextEntry.toString()); //added newlines for readability
nextEntry:
LDAPEntry:
cn=Calltaker,cn=groups,dc=ldap,dc=net;
LDAPAttributeSet:
LDAPAttribute: {type='objectclass', values='groupOfUniqueNames','top'}
LDAPAttribute: {type='uniquemember',
values=
'uid=placeholder,cn=users,dc=ldap,dc=net',
'secAuthority=default',
'uid=john,cn=users,dc=ldap,dc=net',
'uid=sally,cn=users,dc=ldap,dc=net', ....etc
Code:
import java.io.UnsupportedEncodingException;
import java.util.Iterator;
import com.novell.ldap.*;

// admin_username, admin_password, hosts and connect(hosts) are defined elsewhere in the class
public boolean isUserInGroup(String username) throws LDAPException, UnsupportedEncodingException {
    boolean userInGroup = false;
    String loginDN = "uid=" + admin_username + "," + "cn=users,dc=ldap,dc=net";
    String searchBase = "cn=groups,dc=ldap,dc=net";
    int searchScope = LDAPConnection.SCOPE_SUB;
    // the filter being tried here (objectclass=ePerson); this is the part that does not work
    String searchFilter = "(&(objectclass=ePerson)(uniquemember=uid=" + username + ",cn=users,dc=ldap,dc=net))";
    // Connect and bind as the admin user
    LDAPConnection lc = connect(hosts);
    try {
        lc.bind(LDAPConnection.LDAP_V3, loginDN, admin_password.getBytes("UTF8"));
        LDAPSearchResults searchResults = lc.search(searchBase,
                searchScope,
                searchFilter,
                null,   // return all attributes
                false); // return attrs and values
        while (searchResults.hasMore()) {
            LDAPEntry nextEntry = null;
            try {
                nextEntry = searchResults.next();
            } catch (LDAPException e) {
                // Exception is thrown, go for next entry
                if (e.getResultCode() == LDAPException.LDAP_TIMEOUT
                        || e.getResultCode() == LDAPException.CONNECT_ERROR)
                    break;
                else
                    continue;
            }
            // TODO some check to verify nextEntry shows the user in the group
            userInGroup = true;
            LDAPAttributeSet attributeSet = nextEntry.getAttributeSet();
            Iterator<LDAPAttribute> allAttributes = attributeSet.iterator();
            while (allAttributes.hasNext()) {
                LDAPAttribute attribute = allAttributes.next();
                String attributeName = attribute.getName();
                System.out.println("found attribute '" + attributeName + "' with value '" + attribute.getStringValue() + "'");
            }
        }
    } finally {
        lc.disconnect(); // always release the connection, even when the search fails
    }
    return userInGroup;
}
** Edit **
Implemented EJP's answer and changed searchBase to include the group.
Working code:
import java.io.UnsupportedEncodingException;
import com.novell.ldap.*;

private static final String admin_username = "foo";
private static final String[] hosts = new String[]{"foohost.net"};
// admin_password and connect(hosts) are defined elsewhere in the class

public boolean isUserInGroup(String username, String group) throws LDAPException, UnsupportedEncodingException {
    boolean userInGroup = false;
    String loginDN = "uid=" + admin_username + "," + "cn=users,dc=ldap,dc=net";
    // search under the group's own entry rather than the whole groups container
    String searchBase = "cn=" + group + "," + "cn=groups,dc=ldap,dc=net";
    int searchScope = LDAPConnection.SCOPE_SUB;
    // objectclass is groupOfUniqueNames (plural), as the answer points out
    String searchFilter = "(&(objectclass=groupOfUniqueNames)(uniquemember=uid=" + username + ",cn=users,dc=ldap,dc=net))";
    // Connect and bind as the admin user
    LDAPConnection lc = connect(hosts);
    try {
        lc.bind(LDAPConnection.LDAP_V3, loginDN, admin_password.getBytes("UTF8"));
        LDAPSearchResults searchResults = lc.search(searchBase,
                searchScope,
                searchFilter,
                null,   // return all attributes
                false); // return attrs and values
        while (searchResults.hasMore()) {
            LDAPEntry nextEntry = null;
            try {
                nextEntry = searchResults.next();
            } catch (LDAPException e) {
                // Exception is thrown, go for next entry
                if (e.getResultCode() == LDAPException.LDAP_TIMEOUT
                        || e.getResultCode() == LDAPException.CONNECT_ERROR)
                    break;
                else
                    continue;
            }
            // A result was found, therefore the user is in the group
            userInGroup = true;
        }
    } finally {
        lc.disconnect(); // always release the connection, even when the search fails
    }
    return userInGroup;
}
Best answer
What is the right syntax for an LDAP search filter to determine if a specific user is in a specific group (in Tivoli Access Manager)?
Either of the filters you used, but the objectClass to search for is groupOfUniqueNames (plural).
What should I check on the returned LDAPEntry object given by that search string to see that the user is, or isn't, in the group?
Nothing. He will be, or else the group won't be returned by the search at all. All you need to do is check whether the search result is empty.
Here's a few searchfilters I've tried that don't work (aka searchResults.next() throws an error):
What error is thrown?
(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=groups,dc=ldap,dc=net))
There's nothing wrong with this, apart from groupOfUniqueName. You should use search filter parameters like {0} rather than building them into the search string.
(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net))
This searches for groups in the cn=users subtree. Unless you have groups under cn=users, which seems unlikely, it won't work.
(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net)
This will select non-groups. You don't want that: you need the objectClass part.
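The two points of the answer, the groupOfUniqueNames filter with an empty-result check and filter parameters instead of string concatenation, combined in one added example. This is not EJP's or the asker's code. It uses the JDK's JNDI API (javax.naming.directory), whose DirContext.search(name, filterExpr, filterArgs, controls) supports the {0} placeholders the answer mentions, instead of the com.novell.ldap library used in the question's code, which has no such parameters. The LDAP URL, the admin DN and the sample usernames are assumptions; the base DNs and the group name come from the question. Because uniqueMember holds a DN, the uid is escaped per RFC 4514 before it is placed in that DN, so a value containing "," or "+" cannot change the DN's structure; the escapeFilterValue helper is for libraries without filter parameters, where the value must be escaped per RFC 4515 by hand before concatenation.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class GroupMembershipCheck {

    // Assumed connection URL (not from the question); the base DNs are the question's.
    private static final String LDAP_URL = "ldaps://foohost.net:636";
    private static final String USERS_BASE = "cn=users,dc=ldap,dc=net";
    private static final String GROUPS_BASE = "cn=groups,dc=ldap,dc=net";

    // Escape one attribute value for use inside a DN (RFC 4514, section 2.4).
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean special = ",+\"\\<>;".indexOf(c) >= 0
                    || (i == 0 && (c == ' ' || c == '#'))      // leading space or '#'
                    || (i == value.length() - 1 && c == ' ');  // trailing space
            if (c == '\0') {
                sb.append("\\00");
            } else if (special) {
                sb.append('\\').append(c);
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Escape a value for use inside a search filter (RFC 4515, section 3).
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Member DN for a uid; the uid is escaped so it cannot add or alter RDNs.
    static String memberDn(String username) {
        return "uid=" + escapeDnValue(username) + "," + USERS_BASE;
    }

    // Filter for libraries without {i} parameters (e.g. com.novell.ldap as in the question):
    // the DN is filter-escaped by hand before it is concatenated into the string.
    static String memberFilter(String username) {
        return "(&(objectClass=groupOfUniqueNames)(uniqueMember=" + escapeFilterValue(memberDn(username)) + "))";
    }

    // Simple bind over LDAPS; a plain ldap:// URL would send adminPassword in the clear.
    static DirContext connect(String adminDn, String adminPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, adminDn);
        env.put(Context.SECURITY_CREDENTIALS, adminPassword);
        return new InitialDirContext(env);
    }

    // True if the group entry itself matches, i.e. lists the user's DN as a uniqueMember.
    // Nothing in the entry needs inspecting: an empty result means "not a member".
    static boolean isUserInGroup(DirContext ctx, String username, String group) throws NamingException {
        String groupDn = "cn=" + escapeDnValue(group) + "," + GROUPS_BASE;
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.OBJECT_SCOPE);  // the group entry only, not a subtree
        controls.setReturningAttributes(new String[] {"cn"});  // the match matters, not the data
        try {
            // {0} is substituted by JNDI, which escapes filter metacharacters in the argument.
            NamingEnumeration<SearchResult> results = ctx.search(groupDn,
                    "(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))",
                    new Object[] {memberDn(username)}, controls);
            try {
                return results.hasMore();
            } finally {
                results.close();
            }
        } catch (NameNotFoundException e) {
            return false;  // the group entry does not exist, so nobody is a member of it
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed inputs: a normal uid and one carrying DN and filter metacharacters.
        System.out.println(memberFilter("john"));
        System.out.println(memberFilter("jo,hn*)(uid=*"));
        if (args.length == 2) {  // optional live check: <adminDn> <adminPassword>
            DirContext ctx = connect(args[0], args[1]);
            try {
                System.out.println("john in Calltaker: " + isUserInGroup(ctx, "john", "Calltaker"));
            } finally {
                ctx.close();
            }
        }
    }
}
```

Run without arguments to see how the two escaping layers rewrite the constructed uid, and with an admin DN and password to perform the live check against the group entry. The search is scoped to the group's own DN with OBJECT_SCOPE, so the server answers with at most one entry and the membership decision reduces to whether that one entry came back.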
Regarding "java - how to check whether a user is in an LDAP group", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/35468916/