LDAP Search Wildcards in memberOf

此生再无相见时 submitted on 2021-01-21 12:26:06

Question


We have an LDAP with a number of groups that follow this pattern:

Acme-MyApp-ABC-Admin
Acme-MyApp-ABC-Bottlewasher
Acme-MyApp-ABC-Cook
Acme-MyApp-DEF-Admin
Acme-MyApp-DEF-Bottlewasher
Acme-MyApp-DEF-Cook

etc repeated many times.

(&(objectClass=person)(memberOf=cn=Acme-MyApp-ABC-Admin,ou=Groups,dc=acme,dc=com))

correctly returns members of the Acme-MyApp-ABC-Admin group. We'd like to find members of all of the Admin groups.

(&(objectClass=person)(memberOf=cn=*-Admin,ou=Groups,dc=acme,dc=com))

Is it possible to put a wildcard within a DN?


Answer 1:


Generally, wildcard searches on DN-syntax attributes are not supported.

Some LDAP server implementations may support them. Your question is tagged as OpenLDAP, but the search filter appears to be more like an AD implementation.

I did find "Question about using an LDAP filter to get memberOf from an AD Group" on TechNet stating, ".. that wildcards are no allowed." (I am assuming he meant NOT vs. no.)

-jim




Answer 2:


The easiest solution I found was to create an access group and add all the permission groups as members.

  • Acme-MyApp-Admin-Access

Then filter based on recursive membership.

(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=CN=Acme-MyApp-Admin-Access,ou=Groups,dc=acme,dc=com))

This way you only need to take care that every new admin group is added as a member of the access group, but you do not need to modify the LDAP filter.
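To make the difference between the two filters concrete, here is an added example (not from either answer) that models them over a small constructed in-memory directory: a plain memberOf equality filter treats the `*` in a DN as a literal character and matches nothing, while the 1.2.840.113556.1.4.1941 matching rule from the answer above resolves nested membership through the single access group. The person and group DNs and the `escape_filter_value` helper are assumptions; the helper applies RFC 4515 escaping so a caller-supplied group name cannot alter the filter's structure.

```python
from collections import deque

BASE = "ou=Groups,dc=acme,dc=com"
ACCESS = f"cn=Acme-MyApp-Admin-Access,{BASE}"

# Constructed sample directory (not a real server): group DN -> groups it belongs to.
# Both *-Admin groups are nested under the single access group described above.
GROUP_MEMBER_OF = {
    f"cn=Acme-MyApp-ABC-Admin,{BASE}": {ACCESS},
    f"cn=Acme-MyApp-DEF-Admin,{BASE}": {ACCESS},
    f"cn=Acme-MyApp-ABC-Cook,{BASE}": set(),
    ACCESS: set(),
}
# Constructed person DN -> direct memberOf values.
PERSON_MEMBER_OF = {
    "cn=alice,ou=People,dc=acme,dc=com": {f"cn=Acme-MyApp-ABC-Admin,{BASE}"},
    "cn=bob,ou=People,dc=acme,dc=com": {f"cn=Acme-MyApp-DEF-Admin,{BASE}"},
    "cn=carol,ou=People,dc=acme,dc=com": {f"cn=Acme-MyApp-ABC-Cook,{BASE}"},
}

def dn_equal(a, b):
    # DN-syntax matching is whole-value equality (case-insensitive here), so "*" is literal.
    return a.lower() == b.lower()

def members_direct(group_dn):
    """(memberOf=<group_dn>): people whose memberOf holds exactly that DN."""
    return sorted(p for p, gs in PERSON_MEMBER_OF.items()
                  if any(dn_equal(g, group_dn) for g in gs))

def transitive_groups(direct):
    """Groups reachable through nested memberOf, as the in-chain matching rule computes."""
    seen, queue = set(), deque(direct)
    while queue:
        g = queue.popleft()
        if g.lower() in seen:
            continue
        seen.add(g.lower())
        queue.extend(GROUP_MEMBER_OF.get(g, set()))
    return seen

def members_in_chain(group_dn):
    """(memberOf:1.2.840.113556.1.4.1941:=<group_dn>): direct or nested members."""
    return sorted(p for p, gs in PERSON_MEMBER_OF.items()
                  if group_dn.lower() in transitive_groups(gs))

def escape_filter_value(value):
    """RFC 4515 escaping (assumed helper) for values interpolated into a filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_chain_filter(group_dn):
    return ("(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:="
            + escape_filter_value(group_dn) + "))")
```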



Source: https://stackoverflow.com/questions/28975894/ldap-search-wildcards-in-memberof
