Is my LDAP search filter syntax wrong
This is my first attempt in trying to query our LDAP server for AD info. When I am trying to query the LDAP server here is what I'm trying to retrieve:
I am trying to retrieve all active employees with a countlimit of 500 records whose displayname starts with "sav", has an email address and has a userAccountControl attribute of 512. The problem I'm encountering is that I'm only getting back 8 records total. I should literally be getting back at least 10 records.
I did a separate search on the 2 records that were NOT retrieved in my search and each had an email address and a userAccountControl value of 512. So I'm not sure why those 2 records were missing.
I'm sure I've done something wrong in my syntax but I cannot find what it is. Any HELP/DIRECTION would be appreciated. Thank you.
After googling I've defined the SEARCH FILTER as:
String searchFilter = "(&(objectClass=user)(displayname="+displayname+"*"+")(mail=*)(userAccountControl=512))";
Please see my complete method below:
    import java.util.ArrayList;
    import java.util.List;
    import javax.naming.NamingEnumeration;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.SearchControls;
    import javax.naming.directory.SearchResult;
    import javax.naming.ldap.LdapContext;

    public List<String> getAutocompleteEmpRecordsList(String displayname, LdapContext ctx) {
        List<String> activeEmpAttributes = new ArrayList<String>();
        Attributes attrs = null;
        int count = 0;
        int empEmailAddrLen = 0;
        try {
            SearchControls constraints = new SearchControls();
            constraints.setCountLimit(500);
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
            String[] attrIDs = {"displayname", "mail", "userAccountControl"};
            constraints.setReturningAttributes(attrIDs);
            // NOTE: displayname is concatenated unescaped; characters such as * ( ) \ in it change the filter.
            String searchFilter = "(&(objectClass=user)(displayname="+displayname+"*"+")(mail=*)(userAccountControl=512))";
            // Only entries below this single OU are searched.
            NamingEnumeration<SearchResult> answer = ctx.search("OU=Standard,OU=Users,DC=xxx,DC=org", searchFilter, constraints);
            if (answer != null) {
                while (answer.hasMore()) {
                    attrs = answer.next().getAttributes();
                    if (attrs.get("displayname") != null) {
                        // Attribute.toString() yields "displayName: <value>"; skip the 13-character prefix.
                        int empNameLen = attrs.get("displayname").toString().length();
                        activeEmpAttributes.add(attrs.get("displayname").toString().substring(13, empNameLen));
                    }
                    count++;
                }
                // Close the context once, after all results are read (it was inside the loop).
                ctx.close();
            }
            else {
                throw new Exception("Invalid User");
            }
            System.out.println("activeEmpAttributes: " + activeEmpAttributes);
            System.out.println("count: " + activeEmpAttributes.size());
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return activeEmpAttributes;
    }
You may be confusing the displayname attribute and the cn attribute. On Windows server you've got a command line tool called LDIFDE.EXE which can allow you to test your filter.
In the User and computer MMC you can also test your filter.
Start User and computer Active-Directory:
Right button on registered request:
Choose personalize search, you've got a helper tab for common attributes:
You can choose personalized tab for technical attributes
You can test and copy the resulting LDAP filter (you don't need the double (& one is enough):
Can you post your userAccountControl, displayName, and mail values for the two excluded users?
FWIW the medial search on displayName would run a lot faster if you add a tuple index to it.
I downloaded a free AD tool to view all in AD that I needed and it showed me that the data was not the problem but I was just not hitting all the OUs that I needed because there is NOT just 1 OU where all our users are stored.
Consequently, after googling some more I found a page on the Oracle site regarding LDAP and I changed my LDAPContext to DirContext for my connection to do searches within the directory as well as using this context's REFERRAL and set the value to "follow" to avoid the PartialSearchException.
I thought I'd post my findings just in case some other newbie ran into the same issue.
If you see a downside to the changes I made please let me know. Regards.
Here is my corrected code:
Thanks anyway.