Oracle: get an LDAP user list using PL/SQL

Notice: this page is a Chinese/English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow. Original question: http://stackoverflow.com/questions/4123861/

Date: 2020-09-18 21:52:49  Source: igfitidea

Get LDAP user list using PLSQL

Tags: oracle, plsql, active-directory, ldap

Asked by Rene

One of the new requirements for our database application is to synchronize the contents of the user table with the users in Active Directory. So basically I need to connect to the Active Directory server and retrieve a list of user names, from within a plsql procedure.


What I have achieved so far is connect to the active directory server, using my own credentials, and query some attributes.


Example:


ldap_password := '****';
ldap_user     := 'cn=me,OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
ldap_base     := 'OU=Users,OU=mygroup,DC=mytown,DC=mycompany,DC=com';
-- Person objects excluding sn=him and cn=me; a NOT (!) takes exactly one
-- operand, so the two terms must be grouped with an OR (|) inside it
search_filter := '(&(objectClass=Person)(!(|(sn=him)(cn=me))))';
res_attrs(1)  := 'displayName';
res_attrs(2)  := 'cn';
res_attrs(3)  := 'telephoneNumber';

It seems I can only query my own attributes or somebody else's if I already know who that someone else is.


  • How do I get a list of usernames?
  • Is this possible using any account or does this require an account with the proper privileges?

Answered by Rene

I got my script working. The scope setting prevented me from seeing all data: DBMS_LDAP.SCOPE_SUBTREE.


Answered by Harrison

Rene, you can do all searches in Active Directory via Oracle's LDAP components that it seems you have already touched upon. While I am no expert on LDAP/AD, I believe that you may need rights to perform these actions, or better yet get an ID/password created that has the rights (this way you can keep your ID/password out of the system and allow either an unexpiring password or a password that is supported by the AD administrators). I know that I have always had full query access to AD; not sure if that is how I am set up or out-of-the-box functionality.


But look @ this site http://www.oracle-base.com/articles/9i/LDAPFromPLSQL9i.php


As the article demonstrates, I would recommend paring back your search filter (get more, then whittle it down until it suits your needs):


l_attrs(1) := '*'; -- retrieve all attributes
l_retval :=
    DBMS_LDAP.search_s(ld       => l_session,
                       base     => l_ldap_base,
                       scope    => DBMS_LDAP.SCOPE_SUBTREE,
                       filter   => 'objectclass=*',
                       attrs    => l_attrs,
                       attronly => 0,
                       res      => l_message);

Answered by geoffc

Active Directory has about 4 naming attributes.


  • sAMAccountName (aka pre-Windows 2000 name) is a 20-or-so-character short name that must be unique within each domain.
  • userPrincipalName, usually [email protected], but it turns out AD will honour almost any string. (I know this experimentally, as we once accidentally reset 2000 out of 6000 such values in a running AD domain.)
  • displayName, that which shows up in ADUC (dsa.msc, Active Directory Users and Computers).
  • The CN= part of the DN. Using ADUC, the CN is usually the Display Name. However, it too can be anything legal in an LDAP name.

So which 'name' are you looking for? Basically query for any of those attributes in the list and see what you get.


As for seeing other objects, yes, you would need an account with sufficient rights to see those attributes for users.

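A complete anonymous block that puts Rene's fix (DBMS_LDAP.SCOPE_SUBTREE) together with the naming attributes geoffc lists, as an added example that is not code from the question or from any of the answers. The host, port, base DN, bind DN and password are placeholders for your own environment; the bind identity is assumed to be a dedicated read-only service account rather than a personal login, which is the shape of account Harrison and geoffc describe.

```plsql
-- Added example (not from the question or answers): list AD user accounts
-- with DBMS_LDAP, searching the whole subtree under a base DN.
-- All connection values below are placeholders.
DECLARE
  l_ldap_host    VARCHAR2(256) := 'ad.example.com';          -- placeholder
  l_ldap_port    PLS_INTEGER   := 389;                        -- placeholder
  -- Dedicated read-only service account, not a personal login (placeholder DN).
  l_ldap_user    VARCHAR2(256) := 'cn=svc_dbsync,OU=Service Accounts,DC=example,DC=com';
  l_ldap_passwd  VARCHAR2(256) := '<password loaded from a secure store>';
  l_ldap_base    VARCHAR2(256) := 'OU=Users,DC=example,DC=com';   -- placeholder

  l_session      DBMS_LDAP.session;
  l_attrs        DBMS_LDAP.string_collection;
  l_message      DBMS_LDAP.message;
  l_entry        DBMS_LDAP.message;
  l_retval       PLS_INTEGER;
  l_count        PLS_INTEGER := 0;

  -- First value of an attribute, or NULL when the entry does not carry it
  -- (get_values may raise on a missing attribute when use_exception is set).
  FUNCTION attr_value(p_entry IN DBMS_LDAP.message, p_attr IN VARCHAR2)
    RETURN VARCHAR2
  IS
    l_v DBMS_LDAP.string_collection;
  BEGIN
    l_v := DBMS_LDAP.get_values(l_session, p_entry, p_attr);
    IF l_v.COUNT > 0 THEN
      RETURN l_v(l_v.FIRST);
    END IF;
    RETURN NULL;
  EXCEPTION
    WHEN OTHERS THEN
      RETURN NULL;
  END;
BEGIN
  -- Raise Oracle exceptions on LDAP errors instead of returning result codes.
  DBMS_LDAP.use_exception := TRUE;

  l_session := DBMS_LDAP.init(hostname => l_ldap_host, portnum => l_ldap_port);
  l_retval  := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                       dn     => l_ldap_user,
                                       passwd => l_ldap_passwd);

  -- Request only the naming attributes the sync actually needs.
  l_attrs(1) := 'sAMAccountName';
  l_attrs(2) := 'userPrincipalName';
  l_attrs(3) := 'displayName';

  -- SCOPE_SUBTREE descends into every OU below the base DN. SCOPE_ONELEVEL
  -- returns only the base DN's direct children and SCOPE_BASE only the base
  -- object itself, which is why a narrower scope hides most accounts.
  -- objectCategory=person keeps computer accounts (also objectClass=user) out.
  l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                 base     => l_ldap_base,
                                 scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                 filter   => '(&(objectClass=user)(objectCategory=person))',
                                 attrs    => l_attrs,
                                 attronly => 0,
                                 res      => l_message);

  -- Walk the result set entry by entry.
  l_entry := DBMS_LDAP.first_entry(l_session, l_message);
  WHILE l_entry IS NOT NULL LOOP
    l_count := l_count + 1;
    DBMS_OUTPUT.put_line(attr_value(l_entry, 'sAMAccountName')    || ' | ' ||
                         attr_value(l_entry, 'userPrincipalName') || ' | ' ||
                         attr_value(l_entry, 'displayName'));
    l_entry := DBMS_LDAP.next_entry(l_session, l_entry);
  END LOOP;
  DBMS_OUTPUT.put_line('entries returned: ' || l_count);

  l_retval := DBMS_LDAP.msgfree(l_message);
  l_retval := DBMS_LDAP.unbind_s(l_session);
EXCEPTION
  WHEN OTHERS THEN
    -- Release the directory connection before propagating the error.
    BEGIN
      l_retval := DBMS_LDAP.unbind_s(l_session);
    EXCEPTION
      WHEN OTHERS THEN NULL;
    END;
    RAISE;
END;
/
```

Two caveats when running this against a real domain. First, Active Directory's default server-side size limit is 1000 entries per search, and DBMS_LDAP.search_s does not implement the paged-results control, so on a larger directory either split the search by OU or by sAMAccountName ranges, or raise the limit on the AD side. Second, a simple bind on port 389 sends the service account's password in clear text; for production use open the session over LDAPS with DBMS_LDAP.open_ssl and an Oracle wallet, and keep the bind password in a secure store rather than in the procedure body.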