How do I search LDAP for items whose attributes match a specified pattern?
I'm trying to search an LDAP server for all items with exactly the attributes specified.
The LDAP schema I'm dealing with records user roles by:
- creating an object type that may contain any of several attributes (the roles), and
- setting each role's value to be the same as its name
The attributes do not share a common base type, and the objectclass ("roleuser") contains other attributes that are not roles. Roles are distinguished by attribute names that end in "Role". (Yuck.)
Example. A user's object types would include object type roleuser, and might have the following attributes=value pairs:
cn=userX
objectclass=roleuser,...
managerrole=managerrole
clerkrole=clerkrole

cn=userY
objectclass=roleuser,...
managerrole=managerrole

cn=userZ
objectclass=roleuser,...
clerkrole=clerkrole
I'm able to look up clerks, and managers, and manager clerks. But when I look up clerks (with (&(clerkrole=*)(objectclass=roleuser))), I get back users both with role clerk (userZ) and those with roles manager and clerk (userX).
I could specify (&(clerkrole=*)(!managerrole=*)(objectclass=roleuser)) to get clerks who are not managers. But that would require me to list (and negate) all possible other roles.
For various reasons, I don't want my application to have to know all possible roles, as these may change more quickly than my application will.
So. Is there a way to query the schema for all attributes that are in roleuser and are named *role, so that I could dynamically specify (and negate) all other roles?
Or is there a way to query for (clerkrole=*) and no other attribute named *role exists on that roleuser?
Comments (1)
Did you consider building your filter dynamically? You could query the schema and retrieve all attributes ending in 'role', then iterate through them, discarding the one you want and adding (!___role=*) for each item and then add on the filter for the one you do want and query using that.
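The approach suggested in the comment above, as an added example that is not the poster's code: it pulls the attribute names ending in "role" out of an object class definition and builds a filter that requires the wanted roles and negates every other one. The schema string, its OID and the `auditorRole` attribute are constructed sample data, the function names are hypothetical, and the negation is written in the RFC 4515 form `(!(attr=*))`.

```python
import re

# Constructed sample of an objectClasses value in RFC 4512 syntax, as found
# in a subschema subentry; the OID and the attribute list are made up.
SAMPLE_OBJECTCLASS = (
    "( 1.3.6.1.4.1.99999.1.1 NAME 'roleuser' SUP top AUXILIARY "
    "MUST cn MAY ( managerRole $ clerkRole $ auditorRole $ description ) )"
)

ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # RFC 4512 short name


def role_attributes(objectclass_def, suffix="role"):
    """Return the MUST/MAY attribute names that end in `suffix`."""
    names = []
    pattern = r"\b(?:MUST|MAY)\s+(?:\(([^)]*)\)|(\S+))"
    for m in re.finditer(pattern, objectclass_def):
        body = m.group(1) if m.group(1) is not None else m.group(2)
        names += [n.strip() for n in body.split("$") if n.strip()]
    roles = {n for n in names if n.lower().endswith(suffix)}
    return sorted(roles, key=str.lower)


def exact_role_filter(wanted, all_roles, objectclass="roleuser"):
    """Filter for entries holding every role in `wanted` and no other role."""
    known = {r.lower(): r for r in all_roles}
    wanted_l = {w.lower() for w in wanted}
    unknown = wanted_l - known.keys()
    if unknown:
        raise ValueError(f"not a role attribute in the schema: {sorted(unknown)}")
    # Names are spliced into the filter string, so reject anything that is
    # not a plain attribute name before building it.
    for name in [objectclass, *all_roles]:
        if not ATTR_NAME.match(name):
            raise ValueError(f"unexpected attribute name: {name!r}")
    parts = [f"(objectClass={objectclass})"]
    for key in sorted(known):
        present = f"({known[key]}=*)"
        parts.append(present if key in wanted_l else f"(!{present})")
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    roles = role_attributes(SAMPLE_OBJECTCLASS)
    print(exact_role_filter(["clerkrole"], roles))
```

Against a live directory the definition would be read from the `objectClasses` attribute of the subschema subentry; attributes inherited from superior object classes are not covered by this single-definition parse.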