active-directory - LDAP root query syntax to search multiple specific OUs

Reposted. Author: 行者123. Updated: 2023-12-03 10:24:12

I need to run an LDAP query that searches two specific organizational units (OUs) from the root query, but I'm stuck. I tried the following queries below, none of which succeeded:

(|(OU=Staff,DC=my,DC=super,DC=org)(OU=Vendors,DC=my,DC=super,DC=org))

((OU=Staff,DC=my,DC=super,DC=org) | (OU=Vendors,DC=my,DC=super,DC=org))

My question is: is it possible to query multiple OUs in one query, assuming that this is the correct syntax for this type of expression in an LDAP root query?

Best answer

You can!!! In short, use this as the connection string:

ldap://<host>:3268/DC=<my>,DC=<domain>?cn

together with your search filter, e.g. (the filter below drops a redundant nested "(&(...))" level from the posted one; it is otherwise unchanged)
(&(sAMAccountName={0})(objectCategory=person)(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=<some-special-nested-group>,OU=<ou3>,OU=<ou2>,OU=<ou1>,DC=<dc3>,DC=<dc2>,DC=<dc1>))

This searches the so-called Global Catalog, which worked out of the box in our environment.

What did NOT work in our environment with multiple OUs were the other known/common versions (or combinations of them):
ldap://<host>/DC=<my>,DC=<domain>
ldap://<host>:389/DC=<my>,DC=<domain> (standard port)
ldap://<host>/OU=<someOU>,DC=<my>,DC=<domain>
ldap://<host>/CN=<someCN>,DC=<my>,DC=<domain>
ldap://<host>/(|(OU=<someOU1>)(OU=<someOU2>)),DC=<my>,DC=<domain> (search filters here shouldn't work at all by definition)

(I'm a developer, not an AD/LDAP expert :) Annoyingly, I searched everywhere for this solution for almost 2 days, almost gave up and got used to the idea that I would probably have to implement this very common scenario by hand (with Jasperserver / Spring Security (/ Tomcat)).
(So if someone, or I myself, runs into this problem again in the future, this will serve as a reminder :)

During my research I found the following other related threads, which helped little:
  • the solution hidden in a comment by LarreDo from 2006
  • a Microsoft-answered question on best practices for how to design your organization in the directory, stating that using multiple top-level OUs in bigger companies is not unusual or is even suitable
  • Tim Wong (2011) added that this may be a problem of unresolvable DNS names in the ForestDNSZones (part of the AD top-level domain used)
  • example code for implementing it by hand when using Spring Security (e.g. also used in Jasper)
  • John Morrissey (2012) suggested it could be related to some security settings and it may work if you use TLS (I guess if the LDAP server wants to restrict such global searches to secure connections - which would not seem a good (it's kind of half-baked) security approach to me)
  • awatkins (2012) used some hacking approach in some mod_ldap.c code (of whatever software)

Here I'll provide my anonymized Tomcat LDAP configuration in case it may be useful
( /var/lib/tomcat7/webapps/jasperserver/WEB-INF/applicationContext-externalAUTH-LDAP.xml):
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

  <!-- ############ LDAP authentication ############ - Sample configuration
       of external authentication via an external LDAP server. -->

  <bean id="proxyAuthenticationProcessingFilter"
        class="com.jaspersoft.jasperserver.api.security.externalAuth.BaseAuthenticationProcessingFilter">
    <property name="authenticationManager">
      <ref local="ldapAuthenticationManager" />
    </property>
    <property name="externalDataSynchronizer">
      <ref local="externalDataSynchronizer" />
    </property>

    <property name="sessionRegistry">
      <ref bean="sessionRegistry" />
    </property>

    <property name="internalAuthenticationFailureUrl" value="/login.html?error=1" />
    <property name="defaultTargetUrl" value="/loginsuccess.html" />
    <property name="invalidateSessionOnSuccessfulAuthentication" value="true" />
    <property name="migrateInvalidatedSessionAttributes" value="true" />
  </bean>

  <bean id="proxyAuthenticationSoapProcessingFilter"
        class="com.jaspersoft.jasperserver.api.security.externalAuth.DefaultAuthenticationSoapProcessingFilter">
    <property name="authenticationManager" ref="ldapAuthenticationManager" />
    <property name="externalDataSynchronizer" ref="externalDataSynchronizer" />

    <property name="invalidateSessionOnSuccessfulAuthentication" value="true" />
    <property name="migrateInvalidatedSessionAttributes" value="true" />
    <property name="filterProcessesUrl" value="/services" />
  </bean>

  <bean id="proxyRequestParameterAuthenticationFilter"
        class="com.jaspersoft.jasperserver.war.util.ExternalRequestParameterAuthenticationFilter">
    <property name="authenticationManager">
      <ref local="ldapAuthenticationManager" />
    </property>
    <property name="externalDataSynchronizer" ref="externalDataSynchronizer" />

    <property name="authenticationFailureUrl">
      <value>/login.html?error=1</value>
    </property>
    <property name="excludeUrls">
      <list>
        <value>/j_spring_switch_user</value>
      </list>
    </property>
  </bean>

  <bean id="proxyBasicProcessingFilter"
        class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalAuthBasicProcessingFilter">
    <property name="authenticationManager" ref="ldapAuthenticationManager" />
    <property name="externalDataSynchronizer" ref="externalDataSynchronizer" />

    <property name="authenticationEntryPoint">
      <ref local="basicProcessingFilterEntryPoint" />
    </property>
  </bean>

  <bean id="proxyAuthenticationRestProcessingFilter"
        class="com.jaspersoft.jasperserver.api.security.externalAuth.DefaultAuthenticationRestProcessingFilter">
    <property name="authenticationManager">
      <ref local="ldapAuthenticationManager" />
    </property>
    <property name="externalDataSynchronizer">
      <ref local="externalDataSynchronizer" />
    </property>

    <property name="filterProcessesUrl" value="/rest/login" />
    <property name="invalidateSessionOnSuccessfulAuthentication" value="true" />
    <property name="migrateInvalidatedSessionAttributes" value="true" />
  </bean>

  <bean id="ldapAuthenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
      <list>
        <ref local="ldapAuthenticationProvider" />
        <ref bean="${bean.daoAuthenticationProvider}" />
        <!-- anonymousAuthenticationProvider only needed if filterInvocationInterceptor.alwaysReauthenticate
             is set to true <ref bean="anonymousAuthenticationProvider"/> -->
      </list>
    </property>
  </bean>

  <!-- Bind-based authentication: the user is located with "userSearch", then a bind
       with the found DN and the typed password proves the credentials. -->
  <bean id="ldapAuthenticationProvider"
        class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
    <constructor-arg>
      <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
        <constructor-arg>
          <ref local="ldapContextSource" />
        </constructor-arg>
        <property name="userSearch" ref="userSearch" />
      </bean>
    </constructor-arg>
    <constructor-arg>
      <bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
        <constructor-arg index="0">
          <ref local="ldapContextSource" />
        </constructor-arg>
        <!-- empty group search base: search from the context source's base DN -->
        <constructor-arg index="1">
          <value></value>
        </constructor-arg>

        <property name="groupRoleAttribute" value="cn" />
        <property name="convertToUpperCase" value="true" />
        <property name="rolePrefix" value="ROLE_" />
        <property name="groupSearchFilter"
                  value="(&amp;(member={0})(&amp;(objectCategory=Group)(objectclass=group)(cn=my-nested-group-name)))" />
        <property name="searchSubtree" value="true" />
        <!-- Can set up additional external default roles here <property name="defaultRole"
             value="LDAP"/> -->
      </bean>
    </constructor-arg>
  </bean>

  <!-- {0} is the login name typed by the user; FilterBasedLdapUserSearch escapes it
       before splicing it into the filter. 1.2.840.113556.1.4.803 is the bitwise-AND rule
       (bit 2 = ACCOUNTDISABLE), 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN
       (nested group membership). A redundant nested "(&(...))" level has been removed. -->
  <bean id="userSearch"
        class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <constructor-arg index="0">
      <value></value>
    </constructor-arg>
    <constructor-arg index="1">
      <value>(&amp;(sAMAccountName={0})(objectCategory=person)(objectclass=user)(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=my-nested-group-name,OU=ou3,OU=ou2,OU=ou1,DC=dc3,DC=dc2,DC=dc1))</value>
    </constructor-arg>
    <constructor-arg index="2">
      <ref local="ldapContextSource" />
    </constructor-arg>
    <property name="searchSubtree">
      <value>true</value>
    </property>
  </bean>

  <!-- Port 3268 is the Global Catalog; the base DN is the domain root, so the subtree
       search covers every OU. -->
  <bean id="ldapContextSource"
        class="com.jaspersoft.jasperserver.api.security.externalAuth.ldap.JSLdapContextSource">
    <constructor-arg value="ldap://myhost:3268/DC=dc3,DC=dc2,DC=dc1?cn" />
    <!-- manager user name and password (may not be needed) -->
    <property name="userDn" value="CN=someuser,OU=ou4,OU=1,DC=dc3,DC=dc2,DC=dc1" />
    <property name="password" value="somepass" />
    <!--End Changes -->
  </bean>
  <!-- ############ LDAP authentication ############ -->

  <!-- ############ JRS Synchronizer ############ -->
  <bean id="externalDataSynchronizer"
        class="com.jaspersoft.jasperserver.api.security.externalAuth.ExternalDataSynchronizerImpl">
    <property name="externalUserProcessors">
      <list>
        <ref local="externalUserSetupProcessor" />
        <!-- Example processor for creating user folder -->
        <!--<ref local="externalUserFolderProcessor"/> -->
      </list>
    </property>
  </bean>

  <bean id="abstractExternalProcessor"
        class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.AbstractExternalUserProcessor"
        abstract="true">
    <property name="repositoryService" ref="${bean.repositoryService}" />
    <property name="userAuthorityService" ref="${bean.userAuthorityService}" />
    <property name="tenantService" ref="${bean.tenantService}" />
    <property name="profileAttributeService" ref="profileAttributeService" />
    <property name="objectPermissionService" ref="objectPermissionService" />
  </bean>

  <bean id="externalUserSetupProcessor"
        class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserSetupProcessor"
        parent="abstractExternalProcessor">
    <property name="userAuthorityService">
      <ref bean="${bean.internalUserAuthorityService}" />
    </property>
    <property name="defaultInternalRoles">
      <list>
        <value>ROLE_USER</value>
      </list>
    </property>

    <property name="organizationRoleMap">
      <map>
        <!-- Example of mapping customer roles to JRS roles -->
        <entry>
          <key>
            <value>ROLE_MY-NESTED-GROUP-NAME</value>
          </key>
          <!-- JRS role that the <key> external role is mapped to -->
          <value>ROLE_USER</value>
        </entry>
      </map>
    </property>
  </bean>

  <!--bean id="externalUserFolderProcessor" class="com.jaspersoft.jasperserver.api.security.externalAuth.processors.ExternalUserFolderProcessor"
           parent="abstractExternalProcessor"> <property name="repositoryService" ref="${bean.unsecureRepositoryService}"/>
  </bean -->

  <!-- ############ JRS Synchronizer ############ -->
</beans>
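The answer's approach, as an added example that is not code from the original post nor from JasperReports Server or Spring Security: the user filter is built with RFC 4515 escaping of the typed login name (Spring's FilterBasedLdapUserSearch does this for `{0}`; a hand-rolled lookup, which the answer considered writing, must do it itself, or a login name such as `*)(objectClass=*` rewrites the filter), and the "two specific OUs" requirement is met by running one subtree search per allowed OU base and merging the results, because an LDAP filter cannot express "entry lies under OU=Staff"; only the search base and scope can. The directory contents, the account names and the `fake_search` stand-in for the server are constructed for this example. Two caveats on the accepted connection string: port 3268 is the Global Catalog, whose search from the domain root does not return the continuation references that a port-389 subtree search of `DC=...` returns for the DomainDnsZones/ForestDnsZones partitions (JNDI surfaces those as a PartialResultException unless `java.naming.referral` is set to `follow` or `ignore`, which is the usual reason the 389 variants "do not work"), but the GC only guarantees attributes in its partial attribute set, so check that every attribute the filter and the authorities populator read is actually returned on 3268; and the bind credentials in the XML are held in clear text, so that account should be a read-only service account with the least rights it needs.

```python
import re

# RFC 4515 escaping for a value spliced into a search filter. Without it a login
# name such as "*)(objectClass=*" changes the filter's structure (filter injection).
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPE.get(c, c) for c in value)


def unescape_filter_value(value):
    # Inverse of escape_filter_value; used by the stand-in server below.
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def user_filter(sam_account_name, group_dn):
    """The answer's userSearch filter with the redundant (&(...)) level removed.
    1.2.840.113556.1.4.803 is the bitwise-AND rule (bit 2 = ACCOUNTDISABLE);
    1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (nested membership)."""
    return (
        "(&(sAMAccountName={0})(objectCategory=person)(objectClass=user)(mail=*)"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
        "(memberOf:1.2.840.113556.1.4.1941:={1}))"
    ).format(escape_filter_value(sam_account_name), escape_filter_value(group_dn))


def normalize_dn(dn):
    """Split on unescaped commas, fold case and trim: AD DNs are case-insensitive."""
    return tuple(rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn))


def in_subtree(dn, base_dn):
    """True when dn is base_dn or lies below it (what SUBTREE scope selects)."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


# Constructed sample directory (hypothetical accounts, not from the original post).
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=my,DC=super,DC=org": {"sAMAccountName": "alice"},
    "CN=Smith\\, Bob,OU=Vendors,DC=my,DC=super,DC=org": {"sAMAccountName": "bob"},
    "CN=Carol,OU=Contractors,DC=my,DC=super,DC=org": {"sAMAccountName": "carol"},
}


def fake_search(base_dn, ldap_filter):
    """Stand-in for the directory server: subtree scope from base_dn, evaluating only
    the sAMAccountName assertion. A bare '*' is a presence test, as on a real server."""
    raw = re.search(r"\(sAMAccountName=([^)]*)\)", ldap_filter).group(1)
    wanted = unescape_filter_value(raw).lower()
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, base_dn) and (raw == "*" or attrs["sAMAccountName"].lower() == wanted):
            yield dn, attrs


def find_user(sam_account_name, ou_bases, group_dn, search=fake_search):
    """One SUBTREE search per allowed OU, merged by normalized DN. Replace `search`
    with a real client call (ldap3, python-ldap) that takes (base_dn, filter)."""
    ldap_filter = user_filter(sam_account_name, group_dn)
    found = {}
    for base_dn in ou_bases:
        for dn, attrs in search(base_dn, ldap_filter):
            found.setdefault(normalize_dn(dn), dn)
    return list(found.values())


ALLOWED_OUS = ["OU=Staff,DC=my,DC=super,DC=org", "OU=Vendors,DC=my,DC=super,DC=org"]
GROUP_DN = "CN=my-nested-group-name,OU=ou3,OU=ou2,OU=ou1,DC=dc3,DC=dc2,DC=dc1"

if __name__ == "__main__":
    print(find_user("bob", ALLOWED_OUS, GROUP_DN))    # Bob, found under OU=Vendors
    print(find_user("carol", ALLOWED_OUS, GROUP_DN))  # [] : OU=Contractors is never searched
    print(find_user("*", ALLOWED_OUS, GROUP_DN))      # [] : escaped, so no wildcard match
```

Running `find_user("*", ...)` returns nothing because the star is sent as `\2a` and compared literally, whereas the same star pasted into the filter unescaped, `(sAMAccountName=*)`, is a presence test that matches every account under the base. The per-OU loop is what restricts results to the two OUs the question asks about; with the answer's single domain-root base on the GC you would instead get matches from every OU and would have to apply `in_subtree` to the returned DNs yourself.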

Regarding "active-directory - LDAP root query syntax to search multiple specific OUs", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/9184978/

    Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号