检查 Perl Net::LDAP 中的用户组
我有一个 Perl Subversion 预提交挂钩,它允许我验证用户是否有权更改或添加到 Subversion 存储库中的特定点。它使用如下所示的控制文件:
[GROUP SERVER]
users = bob, ted, carol, alice
[GROUP CLIENT]
users = tom, dick, harry
[FILE Client Developers don't touch the Server]
file = proj/server
users = @CLIENT
permission = read-only
[FILE Server people don't touch the Client]
file = proj/client
users = @SERVER
permission = read-only
[FILE Let Tom Do everything]
file = .*
users = tom
permission = read-write
如您所见,我可以定义组并在设置权限时使用组。我认为如果我可以使用 LDAP 组来做同样的事情,那就太有趣了。这样,我们的 Windows 管理员就可以找出谁属于哪个组,这让我有更多时间来更新我的 Facebook 状态。
我在 Subversion 中对 LDAP 进行了如下配置:
<Location /mfx>
DAV svn
SVNParentPath /subversion/svn_repos
AuthType basic
AuthName "Source Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldapserver:3268/dc=mycompany,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=SubVersion,OU=Users,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword "Swordfish"
Require valid-user
</Location>
我与 LDAP 服务器的连接工作正常,但现在,我需要找出该用户所在的组。我在 $svnUser< 中拥有用户的 Subversion 名称/code>,现在我需要在 LDAP 数据库中找到该用户,并验证他们所在的各个组(这是其 LDAP 记录中的 memberOf 值)。但是,我不知道该怎么做。
到目前为止,我的代码如下所示:
#! /usr/bin/env perl
#
use strict;
use warnings;
use feature qw(say);
use constant {
LDAP_URL => "ldapserver",
LDAP_PORT => 3268,
LDAP_SCHEME => "ldap",
BIND_DN => "CN=SubVersion,OU=Users,OU=Accounts,DC=mycompany,DC=com",
BIND_PWORD => "Swordfish",
USER_DN => "sAMAccountName",
};
use Net::LDAP;
#
# Create LDAP Connection
#
my $ldap = Net::LDAP->new(LDAP_URL, port=> LDAP_PORT, scheme=> LDAP_SCHEME);
my $message;
$message = $ldap->bind(BIND_DN, password => BIND_PWORD);
if ($message->code != 0) {
die qq(Error in LDAP Binding: ) . $message->error_desc;
}
现在,我需要执行 $ldap->search,但是执行什么操作呢?我只是对语法感到困惑。
I have a Perl Subversion pre-commit hook that allows me to verify whether or not a user has permissions to change or add to a particular point in a Subversion repository. It uses a Control file that looks like this:
[GROUP SERVER]
users = bob, ted, carol, alice
[GROUP CLIENT]
users = tom, dick, harry
[FILE Client Developers don't touch the Server]
file = proj/server
users = @CLIENT
permission = read-only
[FILE Server people don't touch the Client]
file = proj/client
users = @SERVER
permission = read-only
[FILE Let Tom Do everything]
file = .*
users = tom
permission = read-write
As you can see, I can define groups and use groups when setting permissions. I thought it would be a hoot if I could use the LDAP groups to do the same. That way, our Windows administrators can figure out who's in what group which gives me more time to keep my Facebook status up to date.
I have LDAP configured as thus in Subversion:
<Location /mfx>
DAV svn
SVNParentPath /subversion/svn_repos
AuthType basic
AuthName "Source Repository"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldapserver:3268/dc=mycompany,dc=com?sAMAccountName" NONE
AuthLDAPBindDN "CN=SubVersion,OU=Users,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword "Swordfish"
Require valid-user
</Location>
I've got the connection to our LDAP server working fine, but now, I need to find out what groups that user is in. I have the user's Subversion name in $svnUser, and now I need to find that user in our LDAP database, and verify the various groups they're in (which is the memberOf value in their LDAP record). However, I have no idea how to go about this.
So far, my code looks like this:
#! /usr/bin/env perl
#
use strict;
use warnings;
use feature qw(say);
use constant {
LDAP_URL => "ldapserver",
LDAP_PORT => 3268,
LDAP_SCHEME => "ldap",
BIND_DN => "CN=SubVersion,OU=Users,OU=Accounts,DC=mycompany,DC=com",
BIND_PWORD => "Swordfish",
USER_DN => "sAMAccountName",
};
use Net::LDAP;
#
# Create LDAP Connection
#
my $ldap = Net::LDAP->new(LDAP_URL, port=> LDAP_PORT, scheme=> LDAP_SCHEME);
my $message;
$message = $ldap->bind(BIND_DN, password => BIND_PWORD);
if ($message->code != 0) {
die qq(Error in LDAP Binding: ) . $message->error_desc;
}
Now, I need to do $ldap->search, but on what? I'm just befuddled by the syntax.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
好吧,我花了一段时间,但我想通了...
如果有一些示例代码会很有帮助,但在阅读了一些 LDAP 文档后,我发现我可以做这样的事情:
所以我尝试了this:
我以为这只会返回memberOf的属性,但事实并非如此。事实上,它返回了单个成员的数组,尽管我知道这个特定用户是三个组的成员。
我花了一段时间才意识到它正在返回一个
Net::LDAP::Search对象,这意味着我必须查找该模块才能找到方法。从那里,我发现我可以使用pop_entry方法来检索Net::LDAP::Entry对象。好的,可以找到另一个 CPAN 页面。从那里,我可以对
sMAAccountName执行get_value方法,并获取代表该人所属组的 DN 数组。我现在可以解析 Subversion 将使用的组的这些名称。这意味着我现在可以在预提交脚本中使用 Windows 组来设置存储库中的写入权限。这使得它更容易维护。
All right, it took me a while, but I figured it out...
It would have been helpful if there was some sample code, but after reading a few LDAP documents, I found out I could do something like this:
So I tried this:
I thought this would return only the attributes of memberOf, but didn't. In fact, it returned an array of a single member although I knew this particular user was a member of three groups.
It took me a while to realize that it was returning a
Net::LDAP::Searchobject which meant I had to look up that module to find the methods. From there, I found that I could use thepop_entrymethod to retrieve aNet::LDAP::Entryobject. Okay, another CPAN page to find.From there, I can do a
get_valuemethod on thesMAAccountName, and get an array of DNs that represent the group that person belongs to. I can now parse those names for the groups that Subversion will use.This means I can now use Windows Groups in my pre-commit script to set write permissions in my repository. This makes it much, much easier to maintain.