Getting a list of LDAP users with PL/SQL

Posted 2024-10-01 11:59:24

One of the new requirements for our database application is to synchronize the contents of the user table with the users in Active Directory. So basically I need to connect to the Active Directory server and retrieve a list of user names from within a PL/SQL procedure.

What I have achieved so far is to connect to the Active Directory server, using my own credentials, and query some attributes.

Example:

ldap_password := '****';
ldap_user     := 'cn=me,OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
ldap_base     := 'OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
-- LDAP negation is written (!(...)) and alternatives (|(...)(...)); the filter
-- as originally posted, '(&(objectClass=Person)!((sn=him)(cn=me)))', is not a
-- well-formed RFC 4515 filter and has been parenthesized here.
search_filter := '(&(objectClass=Person)(!(|(sn=him)(cn=me))))';
res_attrs(1)  := 'displayName';
res_attrs(2)  := 'cn';
res_attrs(3)  := 'telephoneNumber';

It seems I can only query my own attributes or somebody else's if I already know who that someone else is.

  • How do I get a list of usernames?
  • Is this possible using any account or does this require an account with the proper privileges?

Comments (3)

罪歌 2024-10-08 11:59:24

I got my script working. The scope setting prevented me from seeing all data.
DBMS_LDAP.SCOPE_SUBTREE

青丝拂面 2024-10-08 11:59:24

Rene,
You can do all searches in Active Directory via Oracle's LDAP components, which it seems you have already touched upon. While I am no expert on LDAP/AD, I believe that you may need rights to perform these actions, or better yet get an ID/password created that has the rights (this way you can keep your ID/password out of the system and allow either an unexpiring password or a password that is supported by the AD administrators). I know that I have always had full query access to AD; not sure if that is how I am set up or out-of-the-box functionality.

But look at this site:
http://www.oracle-base.com/articles/9i/LDAPFromPLSQL9i.php

As the article demonstrates, I would recommend paring back your search filter (get more, then whittle it down until it suits your needs):

l_attrs(1) := '*'; -- retrieve all attributes
l_retval :=
    DBMS_LDAP.search_s(ld       => l_session,
                       base     => l_ldap_base,
                       scope    => DBMS_LDAP.SCOPE_SUBTREE, -- search the whole subtree below the base
                       filter   => '(objectclass=*)',       -- matches every object; narrow this down afterwards
                       attrs    => l_attrs,
                       attronly => 0,                       -- 0 = return attribute values, 1 = names only
                       res      => l_message);

困倦 2024-10-08 11:59:24

Active Directory has about 4 naming attributes.

  • sAMAccountName (aka pre-Windows 2000 name) is a 20-or-so-character short name that must be unique within each domain.
  • userPrincipalName, usually [email protected], but it turns out AD will honour almost any string. (I know this experimentally, as we once accidentally reset 2000 out of 6000 such values in a running AD domain.)
  • displayName, that which shows up in ADUC (dsa.msc, Active Directory Users and Computers).
  • The CN= part of the DN. Using ADUC, the CN is usually the Display Name. However, it too can be anything legal in an LDAP name.

So which 'name' are you looking for? Basically query for any of those attributes in the list and see what you get.

As for seeing other objects, yes, you would need an account with sufficient rights to see those attributes for users.
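Putting the three answers together (subtree scope, a dedicated bind account, and the four AD naming attributes), here is a complete DBMS_LDAP block as an added example; it is not code from the question or any of the answers. The host ad.mycompany.com, the service account svc_ldap_sync, its DN, the wallet path /etc/oracle/wallet and the LDAPS port 636 are assumptions; the base DN is the one from the question. It also shows the exclusion the question's filter was trying to express, written as a well-formed filter with the values escaped, so the same code stays safe if the excluded names ever come from a table.

```plsql
-- Added example, not from the original question or answers.
-- Assumed: AD host ad.mycompany.com (LDAPS, port 636), a read-only service
-- account svc_ldap_sync, and an Oracle wallet at /etc/oracle/wallet that
-- trusts the AD certificate chain.
DECLARE
  l_host    VARCHAR2(256) := 'ad.mycompany.com';                       -- assumption
  l_port    PLS_INTEGER   := 636;                                      -- LDAPS, not plain 389
  l_wallet  VARCHAR2(256) := 'file:/etc/oracle/wallet';                -- assumption
  l_bind_dn VARCHAR2(256) := 'cn=svc_ldap_sync,OU=Service Accounts,DC=mytown,DC=mycompany,DC=com'; -- assumption
  l_bind_pw VARCHAR2(256) := '****';  -- load from a vault or wallet; never hard-code in a package
  l_base    VARCHAR2(256) := 'OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';

  l_session DBMS_LDAP.session;
  l_attrs   DBMS_LDAP.string_collection;
  l_message DBMS_LDAP.message;
  l_entry   DBMS_LDAP.message;
  l_retval  PLS_INTEGER;
  l_filter  VARCHAR2(1024);
  l_count   PLS_INTEGER := 0;

  -- RFC 4515 escaping for any value interpolated into a filter; this is what
  -- stops a name such as '*)(objectClass=*' from rewriting the search.
  FUNCTION escape_filter_value(p IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(p,
             '\',    '\5c'),
             '*',    '\2a'),
             '(',    '\28'),
             ')',    '\29'),
             CHR(0), '\00');
  END escape_filter_value;

  -- First value of a single-valued attribute on the current entry, or NULL.
  FUNCTION first_value(p_attr IN VARCHAR2) RETURN VARCHAR2 IS
    v DBMS_LDAP.string_collection;
  BEGIN
    v := DBMS_LDAP.get_values(l_session, l_entry, p_attr);
    IF v.COUNT > 0 THEN
      RETURN v(v.FIRST);
    END IF;
    RETURN NULL;
  END first_value;
BEGIN
  DBMS_LDAP.use_exception := TRUE;   -- raise ORA- errors instead of returning status codes

  l_session := DBMS_LDAP.init(hostname => l_host, portnum => l_port);
  -- sslauth => 2: server-authenticated TLS; the simple bind below would
  -- otherwise send the service-account password in clear text.
  l_retval := DBMS_LDAP.open_ssl(ld              => l_session,
                                 sslwrl          => l_wallet,
                                 sslwalletpasswd => NULL,
                                 sslauth         => 2);
  l_retval := DBMS_LDAP.simple_bind_s(ld => l_session, dn => l_bind_dn, passwd => l_bind_pw);

  -- objectCategory=person AND objectClass=user selects user accounts only
  -- (contacts and computer accounts drop out). The (!(|(...)(...))) clause is
  -- the exclusion the question attempted, as a well-formed, escaped filter.
  l_filter := '(&(objectCategory=person)(objectClass=user)'
           || '(!(|(sn=' || escape_filter_value('him') || ')'
           ||     '(cn=' || escape_filter_value('me')  || '))))';

  -- The four AD naming attributes from the last answer.
  l_attrs(1) := 'sAMAccountName';
  l_attrs(2) := 'userPrincipalName';
  l_attrs(3) := 'displayName';
  l_attrs(4) := 'cn';

  -- SCOPE_SUBTREE walks every OU below the base; SCOPE_BASE returns only the
  -- base object itself, which is why a too-narrow scope shows almost nothing.
  l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                 base     => l_base,
                                 scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                 filter   => l_filter,
                                 attrs    => l_attrs,
                                 attronly => 0,
                                 res      => l_message);

  l_entry := DBMS_LDAP.first_entry(l_session, l_message);
  WHILE l_entry IS NOT NULL LOOP
    l_count := l_count + 1;
    DBMS_OUTPUT.put_line(RPAD(NVL(first_value('sAMAccountName'), '?'), 22)
                      || RPAD(NVL(first_value('userPrincipalName'), '?'), 40)
                      || NVL(first_value('displayName'), first_value('cn')));
    l_entry := DBMS_LDAP.next_entry(l_session, l_entry);
  END LOOP;
  DBMS_OUTPUT.put_line(l_count || ' user entries returned');

  l_retval := DBMS_LDAP.msgfree(l_message);
  l_retval := DBMS_LDAP.unbind_s(l_session);
EXCEPTION
  WHEN OTHERS THEN
    -- Do not leak a bound session on failure.
    BEGIN
      l_retval := DBMS_LDAP.unbind_s(l_session);
    EXCEPTION WHEN OTHERS THEN NULL;
    END;
    RAISE;
END;
/
```

Two caveats a practitioner will hit with this. First, the question's second bullet: in a default Active Directory, any authenticated domain account can read these naming attributes on every user object, so "I can only see myself" is far more likely to be a scope or filter problem than a permission problem, exactly as the first comment found; a dedicated read-only service account is still the right choice, because it keeps a personal password out of the database and lets the AD team scope and rotate it. Second, a domain controller caps an unpaged search at its MaxPageSize (1000 entries by default); a search that exceeds it fails with a size-limit error rather than silently truncating, and DBMS_LDAP exposes no paged-results control, so for a large directory run the sync per OU (a narrower base) or otherwise partition the filter so each search stays under the limit.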
