单行 LDAP 查询，枚举来自超组内的组的用户

本文介绍了单行 LDAP 查询，枚举来自超组内的组的用户的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我有一个如下所示的方案:

I have a scheme that looks like this:

用户存在，如 UserA、UserB、UserC.

存在诸如 OverGroup、SubGroup 之类的组.

OverGroup 会自动将新用户(如 UserA、UserB 等)添加到其成员资格中.

我自己创建的子组.我已将 OverGroup 设置为 SubGroup 的成员.

我希望能够单行查询 SubGroup 而不是检索 OverGroup，即:

I want to be able to one-line query SubGroup and retrieve not OverGroup, i.e.:

Values: CN=OverGroup,OU=Groups,DC=example,DC=com

但 OverGroup 中实际用户(用户 A、B、C)的完整枚举，即:

but the full enumeration of the actual Users (User A, B, C) within OverGroup, i.e.:

Values: CN=UserA,OU=OtherOU,DC=example,DC=com CN=UserB,OU=OtherOU,DC=example,DC=com CN=UserC,OU=OtherOU,DC=example,DC=com

是否有可以检索此内容的单行 LDAP 过滤器?(它将被放入 Request Tracker 实例中的 ExternalAuth 配置ldap"部分.很确定我只能通过 ExternalAuth 模块可以理解的一个查询来做到这一点.)

Is there a one-liner LDAP filter that could retrieve this? (It will be put into the ExternalAuth configuration 'ldap' section in a Request Tracker instance. Pretty sure I can only do this with one query the ExternalAuth module can understand.)

我尝试的所有方法都不起作用，并且根据我的阅读，似乎不可能通过任何单行查询枚举属于另一个组的组中的用户列表.想法?

Everything I try does not work, and from my reading, it does not seem possible to enumerate a list of users within a group that is a member of another group with any one-line query. Thoughts?

推荐答案

Active Directory 有一个特殊的搜索过滤器选项，允许它过滤链接对象，如嵌套组.该功能在此处进行了描述.

Active Directory has a special search filter option that allows it to filter through chained objects, like nested groups. The capability is described here.

以下是如何检索组中所有用户的示例，包括嵌套组:

Here is an example of how to retrieve all users in a group, including nested groups:

(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:={0}))

其中 {0} 是父组的 DN.

where {0} is the DN of the parent group.