How to check if a user is in an LDAP group

Question

I want to see whether the user "john" is in the group "Calltaker". I can't seem to get the right syntax on my search filter to check for a specific user in a specific group. I can list all the users in a group to verify that the wanted user is there.

Questions

  1. What is the right syntax for an ldap search filter to determine if a specific user is in a specific group (in Tivoli Access Manager)?
  2. What should I check on the returned LDAPEntry object given by that search string to see that the user is, or isn't, in the group?

Information

  1. john is defined in "cn=users,dc=ldap,dc=net"
  2. Calltaker is defined in "cn=groups,dc=ldap,dc=net"
  3. I am querying TAM's ldap from java

Using the search filter "cn=Calltaker" I can print out the search results, so that calling nextEntry.toString contains the list of users. See example 1 below.

Here are a few search filters I've tried that don't work (aka searchResults.next() throws an error):

(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=groups,dc=ldap,dc=net))
(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net))
(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net)

Example 1) Searching only the group, using searchFilter="cn=Calltaker", verifying that it contains the user:

System.out.println(nextEntry.toString()); //added newlines for readability
 nextEntry: 
 LDAPEntry: 
 cn=Calltaker,cn=groups,dc=ldap,dc=net; 
 LDAPAttributeSet: 
 LDAPAttribute: {type='objectclass', values='groupOfUniqueNames','top'} 
 LDAPAttribute: {type='uniquemember', 
  values=
     'uid=placeholder,cn=users,dc=ldap,dc=net',
     'secAuthority=default',
     'uid=john,cn=users,dc=ldap,dc=net',
     'uid=sally,cn=users,dc=ldap,dc=net', ....etc

Code:

public boolean isUserInGroup(String username) throws LDAPException, UnsupportedEncodingException {
    boolean userInGroup = false;

    String loginDN = "uid=" + admin_username + "," + "cn=users,dc=ldap,dc=net";
    String searchBase = "cn=groups,dc=ldap,dc=net";
    int searchScope = LDAPConnection.SCOPE_SUB;
    String searchFilter = "(&(objectclass=ePerson)(uniquemember=uid=" + username + ",cn=users,dc=ldap,dc=net))";

    //Connect
    LDAPConnection lc = connect(hosts);
    lc.bind(LDAPConnection.LDAP_V3, loginDN, admin_password.getBytes("UTF8"));
    lc.getAuthenticationDN();

    LDAPSearchResults searchResults = lc.search(searchBase,
            searchScope, 
            searchFilter, 
            null,           // return all attributes
            false);         // return attrs and values

    while (searchResults.hasMore()) {
        LDAPEntry nextEntry = null;
        try {
            nextEntry = searchResults.next();
        } catch (LDAPException e) {
            // Exception is thrown, go for next entry
            if (e.getResultCode() == LDAPException.LDAP_TIMEOUT || e.getResultCode() == LDAPException.CONNECT_ERROR)
                break;
            else
                continue;
        }
        //TODO some check to verify nextEntry shows the user in the group
        userInGroup = true;
        LDAPAttributeSet attributeSet = nextEntry.getAttributeSet();
        Iterator<LDAPAttribute> allAttributes = attributeSet.iterator();
        while (allAttributes.hasNext()) {
            LDAPAttribute attribute = (LDAPAttribute) allAttributes.next();
            String attributeName = attribute.getName();
            System.out.println("found attribute '" + attributeName + "' with value '" + attribute.getStringValue() + "'");
        }
    }
    lc.disconnect();
    return userInGroup;
}

** Edit **

Implemented EJP's answer, changed searchBase to include the group.

Working code:

private static final String admin_username = "foo";
private static final String[] hosts = new String[]{"foohost.net"};
public boolean isUserInGroup(String username, String group) throws LDAPException, UnsupportedEncodingException {
    boolean userInGroup = false;

    String loginDN = "uid=" + admin_username + "," + "cn=users,dc=ldap,dc=net";
    String searchBase = "cn=" + group + "," + "cn=groups,dc=ldap,dc=net";
    int searchScope = LDAPConnection.SCOPE_SUB;
    String searchFilter = "(&(objectclass=groupOfUniqueNames)(uniquemember=uid=" + username + ",cn=users,dc=ldap,dc=net))";

    //Connect
    LDAPConnection lc = connect(hosts);
    lc.bind(LDAPConnection.LDAP_V3, loginDN, admin_password.getBytes("UTF8"));
    lc.getAuthenticationDN();

    LDAPSearchResults searchResults = lc.search(searchBase,
            searchScope, 
            searchFilter, 
            null,           // return all attributes
            false);         // return attrs and values

    while (searchResults.hasMore()) {
        LDAPEntry nextEntry = null;
        try {
            nextEntry = searchResults.next();
        } catch (LDAPException e) {
            // Exception is thrown, go for next entry
            if (e.getResultCode() == LDAPException.LDAP_TIMEOUT || e.getResultCode() == LDAPException.CONNECT_ERROR)
                break;
            else
                continue;
        }
        //A result was found, therefore the user is in the group
        userInGroup = true;
    }
    lc.disconnect();
    return userInGroup;
}

What is the right syntax for a ldap search filter to determine if a specific user is in a specific group(in Tivoli Access Manager)?

Either of the filters you used, but the objectClass to search for is groupOfUniqueNames (plural).

What should I check on the returned LDAPEntry object given by that search string to see that the user is, or isn't, in the group?

Nothing. He will be, otherwise the group wouldn't be returned by the search. All you need to do is check whether the search result is empty.

Here's a few searchfilters I've tried that don't work (aka searchResults.next() throws an error):

What error is thrown?

(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=groups,dc=ldap,dc=net))

Apart from groupOfUniqueName, there is nothing wrong with this. You should use search filter parameters like {0} instead of building them into the search string.

(&(objectclass=groupOfUniqueName)(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net))

This one will search for a group in the cn=users subtree. It won't work unless you have groups under cn=users, which seems unlikely.

(uniquemember=uid="+ username + ",cn=users,dc=ldap,dc=net)

This will select non-groups. You don't want that: you need the objectClass part.
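As an added example (my own code, not from the question or from EJP's answer), here is how the working version's search base and filter can be built so that the username and group name are escaped before they are concatenated, which is the point behind the answer's advice to use {0}-style parameters instead of string-building: an unescaped username containing "*", "(" or ")" changes what the filter matches. The base DNs are the ones from the question; the escaping helpers and the constructed sample usernames are mine, and the JLDAP call site appears only as a comment so the class compiles on its own.

```java
import java.nio.charset.StandardCharsets;

/**
 * Builds the group DN and the membership filter for the check discussed above,
 * escaping the user-supplied parts so they cannot alter the filter's structure.
 * Base DNs are the ones from the question; the escaping helpers are my own.
 */
public final class GroupMembershipFilter {
    static final String USERS_BASE = "cn=users,dc=ldap,dc=net";
    static final String GROUPS_BASE = "cn=groups,dc=ldap,dc=net";

    /** RFC 4515: escape an assertion value placed inside a search filter. */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte raw : value.getBytes(StandardCharsets.UTF_8)) {
            int b = raw & 0xff;
            if (b == '*' || b == '(' || b == ')' || b == '\\' || b < 0x20 || b >= 0x7f) {
                sb.append(String.format("\\%02x", b)); // backslash-hex form, e.g. "*" -> "\2a"
            } else {
                sb.append((char) b);
            }
        }
        return sb.toString();
    }

    /** RFC 4514: escape an attribute value placed inside a distinguished name. */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        int last = value.length() - 1;
        for (int i = 0; i <= last; i++) {
            char c = value.charAt(i);
            if (c == '\0') {
                sb.append("\\00");
            } else if (",+\"\\<>;=".indexOf(c) >= 0
                    || (i == 0 && (c == ' ' || c == '#'))
                    || (i == last && c == ' ')) {
                sb.append('\\').append(c);
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** DN of the user entry under cn=users, with the uid value DN-escaped. */
    static String userDn(String username) {
        return "uid=" + escapeDnValue(username) + "," + USERS_BASE;
    }

    /** DN of the group entry under cn=groups; this is the search base, as in the working code. */
    static String groupDn(String group) {
        return "cn=" + escapeDnValue(group) + "," + GROUPS_BASE;
    }

    /** The filter from the answer, with the member DN escaped again as a filter value. */
    static String memberFilter(String username) {
        return "(&(objectclass=groupOfUniqueNames)(uniquemember="
                + escapeFilterValue(userDn(username)) + "))";
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain username, one carrying filter metacharacters,
        // and one carrying a DN separator.
        for (String name : new String[] {"john", "*)(uid=*", "o'brien, jr."}) {
            System.out.println("user DN : " + userDn(name));
            System.out.println("filter  : " + memberFilter(name));
        }
        System.out.println("search base: " + groupDn("Calltaker"));

        // Call site with the JLDAP API used in the question (library on the classpath):
        //   LDAPSearchResults r = lc.search(groupDn(group), LDAPConnection.SCOPE_BASE,
        //           memberFilter(username), new String[] {"1.1"}, false);
        //   boolean inGroup = r.hasMore();
        // "1.1" asks the server for no attributes: the group entry being returned at all
        // is the membership check, as the answer says.
    }
}
```

Two details worth keeping in mind at the call site. Because the search base is the group's own DN, SCOPE_BASE is enough; SCOPE_SUB would also match nested groups below it, which the working code does not intend. And a base-scope search on a group DN that does not exist fails with noSuchObject (raised from next() in this API) rather than returning zero entries, so that failure should be read as "not a member", not as a connection problem.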