php LDAP/AD 过滤器 - “对象类不等于”不起作用
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5263235/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
LDAP/AD filter - "objectclass not equal to" is not working
提问by shadyyx
I am working with LDAP Active Directory and trying to list all users. I have this filter which works perfect:
我正在使用 LDAP Active Directory 并尝试列出所有用户。我有这个完美的过滤器:
(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
Unfortunately, we have also a computer units and other devices present in AD with objectclass "user" so with previous filter I got all users, computers, devices, rooms, etc.
不幸的是,我们还有一个计算机单元和其他设备存在于 AD 中,对象类为“用户”,因此使用以前的过滤器,我得到了所有用户、计算机、设备、房间等。
These computer and devices have also an objectclass "computer" so I need to extend the filter with objectclass!="computer" in order to list only real users. So far I'd tried these filters, none of them working (no data returned!):
这些计算机和设备还有一个对象类“计算机”,因此我需要使用 objectclass!="computer" 扩展过滤器,以便仅列出真实用户。到目前为止,我已经尝试过这些过滤器,但它们都不起作用(没有返回数据!):
(&(objectclass=user)(!objectclass=computer)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(&(objectclass=user)(!(objectclass=computer))(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(!(objectclass=computer))(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(!objectclass=computer)(&(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
(real users do not have the objectclass "computer").
(真正的用户没有对象类“计算机”)。
I am working with PHP ldap implementation so using an ldap_search()method.
我正在使用 PHP ldap 实现,因此使用一种ldap_search()方法。
The "not equal to" syntax was found e.g. here: http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspxor here: http://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx
“不等于”语法可在此处找到,例如:http: //technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx或此处:http: //msdn.microsoft.com/ en-us/library/aa746475%28v=vs.85%29.aspx
Maybe I could try to filter users where (!CN=Computers) in DN, but first I'd like to filter (!objectclass=computer) as it is more logical for me.
也许我可以尝试过滤 DN 中 (!CN=Computers) 的用户,但首先我想过滤 (!objectclass=computer) ,因为这对我来说更合乎逻辑。
What is the correct syntax for objectclass != "computer"expression?
objectclass != "computer"表达式的正确语法是什么?
回答by user207421
Contrary to the first linkyou provided, (!objectclass=computer)is not a valid filter expression. It should be (!(objectclass=computer)). See RFC 2254:
与您提供的第一个链接相反,(!objectclass=computer)它不是有效的过滤器表达式。应该是(!(objectclass=computer))。请参阅 RFC 2254:
filter ::= "(" filtercomp ")"
not ::= "!" filter
过滤器 ::= "(" filtercomp ")"
不是 ::= "!" 筛选
So your filter should be
所以你的过滤器应该是
(&(!(objectclass=computer))(objectclass=user)(|(memberOf=...)(memberOf=...)...)(|(userprincipalname=...)(displayname=...)))
回答by dearlbry
If you are trying to get allusers, you could just do this:
如果您想获取所有用户,您可以这样做:
(&
(objectclass=user)
(!(objectClass=computer))
)
It looks like you're trying to get users who are members of specific groups AND who have a specified principalname (right?). If so, you could do:
看起来您正在尝试获取属于特定组成员且具有指定主体名称的用户(对吗?)。如果是这样,你可以这样做:
(&
(objectclass=user)
(!(objectClass=computer))
(|
([email protected])
(displayName=John Doe)
)
(|
(memberOf=CN\=group1,CN\=Groups,DC\=domain,DC\=com)
(memberOf=CN\=group2,CN\=Groups,DC\=domain,DC\=com)
)
)
These work on my end (you may need to remove whitespace in you PHP code)
这些对我有用(您可能需要删除 PHP 代码中的空格)
