LDAP and user groups (Require ldap-group)

Posted 2024-11-19 11:57:48 · 724 characters · 2 views · 0 comments


I am developing an app and I would like to use this app with our LDAP
and filter the users by groups. I have this code in APACHE:

           AuthLDAPURL ldap://localhost/ou=users,dc=domain,dc=com?uid
           AuthLDAPGroupAttribute memberUid
           AuthLDAPGroupAttributeIsDN off
           AuthzLDAPAuthoritative on
           Require ldap-group cn=developer,cn=testers,cn=groups,dc=domain,dc=com

It works fine. Only people from the list developer and tester can get
inside this area. I am trying to do the same in Web2py, but I cannot
make a filter from the groups.

I have this code and it is working ok without groups:

           auth.settings.login_methods = [ldap_auth(mode='uid_r', server='localhost', port='389',
                                                    base_dn='ou=users,dc=domain,dc=com',
                                                    filterstr='objectClass=*')]

I'm not sure how to use Require ldap-group in web2py.

Can anyone help me?

Many thanks in advance


Comments (1)

维持三分热 2024-11-26 11:57:48


I've been wrestling with this myself. I think the solution is to import the groups from LDAP by doing some LDAP queries.

The bad part with this approach is that it requires you to (1) insert groups into web2py auth_group tables when the user FIRST logs in. (2) It would require maintenance of the groups if they tend to change. This could be done with a cron job or manually.

You can find out if the user has logged in before like this:

           # auth_event records one 'Logged-in' row per login, so a count of 1 means this is the first
           query = (db.auth_event.description.like('%Logged-in%')) & (db.auth_event.user_id == auth.user.id)

           if db(query).count() == 1:
               # Query LDAP for group membership, update auth_group table
               pass

Here is some example code for an LDAP query - this one is based off of just looking up user info (I'm not sure how LDAP organizes groups - I will be writing code to extract groups in a week or two):

           import ldap
           from ldap.filter import filter_format as ff

           # attributes to return for each matching entry
           ldap_attrs = ['sn', 'givenName', 'telephoneNumber', 'mail']

           # 'i3person' is the object class used in this directory; adjust it for yours
           FILTER_TPL = '(&%s(objectclass=i3person))'
           # filter_format escapes the username so it cannot change the meaning of the filter
           sch = ff('(%s=%s)', ('uid', auth.user.username))

           ldap_filter = FILTER_TPL % sch
           con = ldap.initialize("ldap://YOUR-LDAP-SERVER")
           dn = "YOUR-DN-FOR-USERS/GROUPS"   # base DN to search under
           mode = "uid"                     # not used below
           port = 389                       # not used below (389 is the default LDAP port)
           ldap_results = con.search_s(dn, ldap.SCOPE_SUBTREE, ldap_filter, ldap_attrs)

           # first match as (distinguished name, {attribute: [values]})
           dn, res = ldap_results[0]

You can get more info on python's ldap here:
http://www.python-ldap.org/docs.shtml

(this one has code examples related to querying groups)
http://www.ibm.com/developerworks/aix/library/au-ldap_crud/

Also, DON'T forget to use filter_format (imported as ff above): it will escape your ldap queries, preventing LDAP injection if any user input is allowed to make it to the code. For my purposes, I was making a publicly accessible form that searched LDAP entries for people.

Here is a posting on mirroring ActiveDirectory Groups into LDAP groups. I'm posting this because while it does the opposite, some of it is still useful, particularly the filter for getting groups from LDAP since that's the same whether reading or writing, and it uses python-ldap:
http://oxpedia.org/wiki/index.php?title=Mirorring_Active_Directory_user_acconts_in_LDAP

If your ldap groups don't change much, you could create a script that does the following:

  • Delete all group membership for web2py accounts (start fresh).
  • For each account, query ldap for groups
    • For each query, extract all the groups.
    • Copy the groups into auth_groups if not exists
    • Add member to group (auth_membership or something?)

Then just run the script on an as-needed basis. I like to delete things when running ETL scripts like this because then you start fresh and don't duplicate things or run into errors when things already exist and violate DB constraints.
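The following is an added example, not code from the original question or the answer above. It mirrors the question's Apache rule (Require ldap-group with AuthLDAPGroupAttribute memberUid and AuthLDAPGroupAttributeIsDN off) as a web2py-side check, and implements the answer's sync procedure (start fresh, copy groups into auth_group, add members to auth_membership) against in-memory stand-ins for the DAL tables. No directory is contacted: SAMPLE_RESULTS is a constructed stand-in for what python-ldap's con.search_s returns, escape_filter_value reproduces what ldap.filter.filter_format does so the file runs without python-ldap installed, and the user names, the "sales" group and the web2py-only "admin" role are made up. The group base DN and the two allowed group names come from the question.

```python
# Added example (not from the original question or answer).  Mirrors the
# question's Apache rule (Require ldap-group with AuthLDAPGroupAttribute
# memberUid, AuthLDAPGroupAttributeIsDN off) on the web2py side and implements
# the answer's sync procedure.  No directory is contacted: SAMPLE_RESULTS is a
# constructed stand-in for con.search_s output and the web2py tables are
# dicts/sets.  User names, the "sales" group and the "admin" role are made up.

from typing import Dict, Iterable, List, Set, Tuple

# From the question's Apache config.
GROUP_BASE_DN = "cn=groups,dc=domain,dc=com"
ALLOWED_GROUPS = ("developer", "testers")

# python-ldap result shape: list of (dn, {attribute: [bytes, ...]})
LdapResult = List[Tuple[str, Dict[str, List[bytes]]]]

# Constructed sample of what
#   con.search_s(GROUP_BASE_DN, ldap.SCOPE_SUBTREE,
#                "(objectClass=posixGroup)", ["cn", "memberUid"])
# could return for a directory laid out like the one in the question.
SAMPLE_RESULTS: LdapResult = [
    ("cn=developer,cn=groups,dc=domain,dc=com",
     {"cn": [b"developer"], "memberUid": [b"alice", b"bob"]}),
    ("cn=testers,cn=groups,dc=domain,dc=com",
     {"cn": [b"testers"], "memberUid": [b"carol"]}),
    ("cn=sales,cn=groups,dc=domain,dc=com",
     {"cn": [b"sales"], "memberUid": [b"dave", b"alice"]}),
]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of one assertion value, the same substitution
    ldap.filter.filter_format applies to each %s.  Without it a username such
    as 'x)(uid=*' would rewrite the filter instead of being matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def group_membership_filter(uid: str, groups: Iterable[str] = ALLOWED_GROUPS) -> str:
    """Search filter equivalent to the question's Require ldap-group line:
    a group object that lists uid in memberUid and whose cn is one of the
    allowed groups.  With python-ldap you would run
    con.search_s(GROUP_BASE_DN, ldap.SCOPE_SUBTREE, filter, ["cn"]) and treat a
    non-empty result as "allowed"."""
    cn_clause = "".join("(cn=%s)" % escape_filter_value(g) for g in groups)
    return "(&(memberUid=%s)(|%s))" % (escape_filter_value(uid), cn_clause)


def sync_groups(results: LdapResult,
                web2py_users: Dict[str, int],
                auth_group: Dict[str, int],
                auth_membership: Set[Tuple[int, int]],
                local_roles: Iterable[str] = ()) -> Set[Tuple[int, int]]:
    """The answer's ETL steps over an already-fetched group search.
    web2py_users maps auth_user.username -> id, auth_group maps role -> id,
    auth_membership holds (user_id, group_id) rows.  Roles named in
    local_roles (web2py-only roles such as an admin role) keep their
    memberships; everything else is rebuilt from LDAP."""
    # (1) Start fresh, but do not strip roles that only exist in web2py.
    local = set(local_roles)
    keep_ids = {gid for role, gid in auth_group.items() if role in local}
    auth_membership.difference_update(
        {row for row in auth_membership if row[1] not in keep_ids})
    for _dn, attrs in results:
        role = attrs["cn"][0].decode()
        # (2) Copy the group into auth_group if it does not exist yet.
        if role not in auth_group:
            auth_group[role] = max(auth_group.values(), default=0) + 1
        group_id = auth_group[role]
        # (3) Add every memberUid that is a known web2py account to the group;
        #     uids with no web2py account are skipped rather than created.
        for raw_uid in attrs.get("memberUid", []):
            user_id = web2py_users.get(raw_uid.decode())
            if user_id is not None:
                auth_membership.add((user_id, group_id))
    return auth_membership


def is_allowed(username: str,
               web2py_users: Dict[str, int],
               auth_group: Dict[str, int],
               auth_membership: Set[Tuple[int, int]],
               groups: Iterable[str] = ALLOWED_GROUPS) -> bool:
    """web2py-side check that replaces the Apache rule once groups are
    synced: the account must hold at least one of the allowed roles."""
    user_id = web2py_users.get(username)
    if user_id is None:
        return False
    allowed_ids = {auth_group[g] for g in groups if g in auth_group}
    return any((user_id, gid) in auth_membership for gid in allowed_ids)


if __name__ == "__main__":
    users = {"alice": 1, "bob": 2, "carol": 3, "dave": 4, "erin": 5}  # constructed auth_user rows
    groups = {"admin": 1}                                             # a web2py-only role
    memberships = {(5, 1)}                                            # erin is a local admin
    sync_groups(SAMPLE_RESULTS, users, groups, memberships, local_roles=("admin",))
    print(group_membership_filter("x)(uid=*"))
    for name in users:
        print(name, "allowed" if is_allowed(name, users, groups, memberships) else "denied")
```

In a real deployment the `results` argument would come from `con.search_s(GROUP_BASE_DN, ldap.SCOPE_SUBTREE, "(objectClass=posixGroup)", ["cn", "memberUid"])` under a read-only bind account, and `group_membership_filter` on its own answers the login-time question without any sync at all. The `local_roles` parameter is there because the answer's "delete all memberships" step would otherwise also strip roles that exist only in web2py, which is the usual way an admin locks themselves out after the first run of such a script.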
