問題描述

我需要找到屬于兩個組(GroupA 和 GroupB)的所有用戶.我還需要考慮嵌套組.這樣做的最佳方法是什么?

I need to find all users that are members of two groups (GroupA and GroupB). I also need to take into account nested groups. What is the best way to do this?

我知道使用 memberOf 進行 ldap 搜索不會考慮嵌套組.我還可以專門定位這兩個組，獲取成員列表，并遍歷它們，匹配屬于兩個列表的成員，但組的成員集合也不考慮嵌套組.是否有任何方法適用于嵌套組，或者我是否需要編寫自己的遞歸邏輯?

I know that doing an ldap search using memberOf does not take into account nested groups. I could also locate the two groups specifically, get a list of members, and iterate through them, matching up ones that are members of both lists, but the members collection of a group doesn't take into account nested groups either. Are there any methods that do work with nested groups, or do I need to write my own recursive logic?

編輯嵌套組:如果我有一個名為 GroupA 的安全組.GroupA 可以擁有用戶或其他組的成員.如果 GroupB 是 GroupA 的成員，那么它就是我所說的嵌套組".

Edit Nested group: If I have a security group called GroupA. GroupA can have members which are either users or other groups. GroupB is what I am calling a 'nested group' if it is a member of GroupA.

推薦答案

這里有一些在 ActiveDirectory 2003 ans 2008 R2 中工作的東西.我使用 Microsoft LDAP_MATCHING_RULE_IN_CHAIN 來:

Here is something working in an ActiveDirectory 2003 ans 2008 R2. I use Microsoft LDAP_MATCHING_RULE_IN_CHAIN to :

1) 遞歸搜索(但在一個查詢中)第一組中的所有用戶(小心它返回來自安全和分發(fā)組的用戶)

1) Search recursively (but in one query) all the users from the first group (be careful it return users from security and distributions group)

2) 對于第一個查詢中的每個用戶，我再次遞歸搜索(但在一個查詢中)該用戶是否屬于第二個組.

2) For each user from the first query, I again search recursively (but in one query) if the user belongs to the second group.

static void Main(string[] args)
{
  //Connection to Active Directory
  string sFromWhere = "LDAP://SRVENTR2:389/dc=societe,dc=fr";
  DirectoryEntry deBase = new DirectoryEntry(sFromWhere, "societe\administrateur", "test.2011");

  // To find all the users member of groups "Grp1"  :
  // Set the base to the groups container DN; for example root DN (dc=societe,dc=fr) 
  // Set the scope to subtree
  // Use the following filter :
  // (member:1.2.840.113556.1.4.1941:=CN=Grp1,OU=MonOu,DC=X)
  //
  DirectorySearcher dsLookFor = new DirectorySearcher(deBase);
  dsLookFor.Filter = "(&(memberof:1.2.840.113556.1.4.1941:=CN=Grp1,OU=MonOu,DC=societe,DC=fr)(objectCategory=user))";
  dsLookFor.SearchScope = SearchScope.Subtree;
  dsLookFor.PropertiesToLoad.Add("cn");

  SearchResultCollection srcUsers = dsLookFor.FindAll();

  // Just to know if user is present in an other group
  foreach (SearchResult srcUser in srcUsers)
  {
    Console.WriteLine("{0}", srcUser.Path);

    // To check if a user "user1" is a member of group "group1".
    // Set the base to the user DN (cn=user1, cn=users, dc=x)
    // Set the scope to base
    // Use the following filter :
    // (memberof:1.2.840.113556.1.4.1941:=(cn=Group1,OU=groupsOU,DC=x))
    DirectoryEntry deBaseUsr = new DirectoryEntry(srcUser.Path, "societe\administrateur", "test.2011");
    DirectorySearcher dsVerify = new DirectorySearcher(deBaseUsr);
    dsVerify.Filter = "(memberof:1.2.840.113556.1.4.1941:=CN=Grp3,OU=MonOu,DC=societe,DC=fr)";
    dsVerify.SearchScope = SearchScope.Base;
    dsVerify.PropertiesToLoad.Add("cn");

    SearchResult srcTheUser = dsVerify.FindOne();

    if (srcTheUser != null)
    {
      Console.WriteLine("Bingo {0}", srcTheUser.Path);
    }
  }
  Console.ReadLine();
}

這篇關于查找屬于兩個 Active Directory 組的用戶的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網(wǎng)！