我在openldap中启用了memberof模块。 在他们下面增加了两个小组和一些成员。 (是groupofNames)
当我使用filter(&(objectClass=groupOfNames)(cn=bowlers))打印特定组的成员时,它只打印组的第一个成员,尽pipe它有多个成员。
如何列出一个组的所有成员?
# extended LDIF # # LDAPv3 # base <dc=example,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # example.com dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: Sierraware dc: example # admin, example.com dn: cn=admin,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e1NTSEF9NFZXYit2MlVBS2xRVUdBOWVjK2IrSHBac3VpYnV6ZlM= # People, example.com dn: ou=People,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: People # Groups, example.com dn: ou=Groups,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: Groups # adam, People, example.com dn: uid=adam,ou=People,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: adam sn: hanks givenName: adam cn: Adam hanks displayName: Adam hanks uidNumber: 10000 gidNumber: 5000 userPassword:: YWRhbWxkYXA= gecos: Adam hanks loginShell: /bin/bash homeDirectory: /home/adam # john, People, example.com dn: uid=john,ou=People,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: john sn: doe givenName:: am9obiA= cn: John Doe displayName: John Doe uidNumber: 10000 gidNumber: 5000 userPassword:: am9obmxkYXA= gecos: John Doe loginShell: /bin/bash homeDirectory: /home/john # wahab, People, example.com dn: uid=wahab,ou=People,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: wahab sn: riyaz givenName:: d2FoYWIg cn: Wahab Riaz displayName: Wahab Riaz uidNumber: 10008 gidNumber: 5008 userPassword:: d2FoYWJsZGFw gecos:: V2FoYWIgUmlheiA= loginShell: /bin/bash homeDirectory: /home/wahab # sachin, People, example.com dn: uid=sachin,ou=People,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount uid: sachin sn: ramesh givenName:: c2FjaGluIA== cn: Sachin Ramesh displayName: Sachin Ramesh uidNumber: 10009 gidNumber: 5009 userPassword:: c2FjaGlubGRhcA== gecos:: U2FjaGluIFJhbWVzaCA= loginShell: /bin/bash homeDirectory: /home/sachin # bowlers, People, example.com dn: cn=bowlers,ou=People,dc=example,dc=com objectClass: groupOfNames cn: bowlers description: IT security group member: cn=wahab,ou=People,dc=example,dc=com member: cn=sachin,ou=People,dc=example,dc=com
例如,如果你有这样的组:
dn: cn=people-admins,ou=groups,dc=example,dc=com objectClass: groupOfUniqueNames cn: admins of people group cn: people-admins uniqueMember: uid=test1,ou=people,dc=example,dc=com uniqueMember: uid=test2,ou=people,dc=example,dc=com
你可以打印所有的成员:
ldapsearch -x -LLL -H ldap://127.0.0.1:3000/ -b dc=example,dc=com -s sub '(&(objectClass=inetOrgPerson)(memberof=cn=people-admins,ou=groups,dc=example,dc=com))' -D "cn=admin,dc=example,dc=com" -w admin uid dn: uid=test1,ou=people,dc=example,dc=com uid: evgeniy dn: uid=test2,ou=people,dc=example,dc=com uid: test2
更新
在我的情况下,由于这样的configuration,ldapsearch不能与您的testing数据一起工作:
# Load memberof module dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: memberof # Backend memberOf overlay dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcMemberOf olcOverlay: {0}memberof olcMemberOfDangling: ignore olcMemberOfRefInt: TRUE olcMemberOfGroupOC: groupOfUniqueNames olcMemberOfMemberAD: uniqueMember olcMemberOfMemberOfAD: memberOf
所以我把你的testing数据改成:
dn: cn=bowlers,ou=People,dc=example,dc=com objectClass: groupOfUniqueNames cn: bowlers description: IT security group uniqueMember: uid=wahab,ou=People,dc=example,dc=com uniqueMember: uid=sachin,ou=People,dc=example,dc=com
接着:
ldapsearch -x -LLL -H ldap://127.0.0.1:3000/ -b dc=example,dc=com -s sub '(memberof=cn=bowlers,ou=People,dc=example,dc=com)' -D "cn=admin,dc=example,dc=com" -w admin uid dn: uid=wahab,ou=People,dc=example,dc=com uid: wahab dn: uid=sachin,ou=People,dc=example,dc=com uid: sachin
所以你必须configuration你的memberof覆盖层来处理groupOfNames或者把它改成groupOfUniqueNames