Go/Ldap get primary groups of a user


Question


I'm using go/ldap to query my active directory to get all the groups of a specific user, the function is working but is not returning the Primary Groups, like Domain Users.

Code example

package main

import (
   "errors"
   "fmt"
   "log"

   "github.com/go-ldap/ldap/v3"
)

// getUserGroups binds to the directory and returns the cn of every group
// whose member attribute lists the user directly.
// connect, bindServer, BindPort, bindUser, bindPWD and isLdapDebug are
// defined elsewhere in the poster's program.
func getUserGroups(username string) ([]string, error) {
      conn, err := connect(bindServer, BindPort)
      if err != nil {
         log.Printf("Failed to connect to AD/LDAP with error: %s", err)
         return nil, fmt.Errorf("Failed to connect to AD/LDAP with error: %s", err)
      }
      defer conn.Close()

      errBind := conn.Bind(bindUser, bindPWD)
      if errBind != nil {
         if isLdapDebug {
            log.Printf("Failed to bind to AD/LDAP with error: %s", errBind)
         }
         return nil, fmt.Errorf("Failed to bind to AD/LDAP with error: %s", errBind)
      }

      // Resolve the user's DN. The account name is escaped so that a value
      // containing '(' ')' '*' or '\' cannot change the meaning of the filter.
      searchRequest := ldap.NewSearchRequest(
         "DC=domain,DC=local",
         ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
         fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s))", ldap.EscapeFilter(username)),
         []string{"dn"},
         nil,
      )

      sr, err := conn.Search(searchRequest)

      if err != nil {
         return nil, err
      }

      if len(sr.Entries) != 1 {
         return nil, errors.New("User does not exist")
      }

      userdn := sr.Entries[0].DN
      log.Printf("USER DN IS =%s", userdn)

      // Groups that carry the user's DN in their member attribute. This only
      // covers direct membership recorded on the group object.
      searchRequest = ldap.NewSearchRequest(
         "DC=domain,DC=local",
         ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
         fmt.Sprintf("(&(objectClass=group)(member=%s))", ldap.EscapeFilter(userdn)),
         []string{"cn"}, // can it be something else than "cn"?
         nil,
      )
      sr, err = conn.Search(searchRequest)
      if err != nil {
         return nil, err
      }
      
      groups := []string{}
      for _, entry := range sr.Entries {
         groups = append(groups, entry.GetAttributeValue("cn"))
      }

      return groups, nil

}

Output

[Administrators Schema Admins Enterprise Admins Domain Admins Group Policy Creator Owners gteste1 gtest2]

The groups are correctly returned but the primary groups are missing.

Any way to return all groups of a specific user including Primary Groups?

Answer 1

Score: 2


The primary group is different. You have to look at the primaryGroupId attribute on the user, then search for the group that has that value in its primaryGroupToken attribute.

In most cases, the primaryGroupId will be 513, which corresponds to the Domain Users group.

A little more detail in an article I wrote on this: Active Directory: What makes a member a member?
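A worked version of the lookup this answer describes, added here as an example and not code from the question or the answer. primaryGroupToken is a constructed attribute, so instead of filtering on it the example derives the group's objectSid from two values you can read off the user entry: objectSid (the domain part is the same for user and group; only the trailing RID differs) and primaryGroupID (the RID of the primary group). It then emits an objectSid filter with the binary SID escaped per RFC 4515. The LDAP connection is left out; sampleUserSID is constructed test data, and the function names are this example's own. With go-ldap you would request objectSid and primaryGroupID in the first search, read them with entry.GetRawAttributeValue("objectSid") and entry.GetAttributeValue("primaryGroupID"), and pass the returned filter to ldap.NewSearchRequest.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: the binary objectSid of a user S-1-5-21-1111-2222-3333-500
// (RID 500 is the built-in Administrator). Layout: revision (1 byte),
// subauthority count (1), identifier authority (6, big-endian),
// then one 4-byte little-endian subauthority per count.
var sampleUserSID = []byte{
	0x01, 0x05,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
	0x15, 0x00, 0x00, 0x00, // 21
	0x57, 0x04, 0x00, 0x00, // 1111
	0xae, 0x08, 0x00, 0x00, // 2222
	0x05, 0x0d, 0x00, 0x00, // 3333
	0xf4, 0x01, 0x00, 0x00, // 500
}

// sidToString renders a binary SID as S-1-5-21-... and validates its layout.
func sidToString(sid []byte) (string, error) {
	if len(sid) < 8 {
		return "", errors.New("SID shorter than its 8-byte header")
	}
	n := int(sid[1])
	if n == 0 || len(sid) != 8+4*n {
		return "", fmt.Errorf("SID length %d does not match %d subauthorities", len(sid), n)
	}
	var auth uint64
	for _, b := range sid[2:8] {
		auth = auth<<8 | uint64(b)
	}
	var sb strings.Builder
	fmt.Fprintf(&sb, "S-%d-%d", sid[0], auth)
	for i := 0; i < n; i++ {
		fmt.Fprintf(&sb, "-%d", binary.LittleEndian.Uint32(sid[8+4*i:]))
	}
	return sb.String(), nil
}

// primaryGroupSID derives the primary group's binary objectSid: the user's SID
// with its trailing RID replaced by the value of the user's primaryGroupID.
func primaryGroupSID(userSID []byte, primaryGroupID string) ([]byte, error) {
	rid, err := strconv.ParseUint(primaryGroupID, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("primaryGroupID %q is not a RID: %w", primaryGroupID, err)
	}
	if _, err := sidToString(userSID); err != nil {
		return nil, err
	}
	groupSID := make([]byte, len(userSID))
	copy(groupSID, userSID)
	binary.LittleEndian.PutUint32(groupSID[len(groupSID)-4:], uint32(rid))
	return groupSID, nil
}

// escapeFilter applies RFC 4515 escaping so arbitrary bytes (here a binary SID)
// can sit inside a filter; go-ldap's ldap.EscapeFilter does the same job.
// Control bytes are escaped as well, which the RFC permits and keeps the filter printable.
func escapeFilter(v []byte) string {
	var sb strings.Builder
	for _, b := range v {
		if b < 0x20 || b > 0x7e || b == '(' || b == ')' || b == '*' || b == '\\' {
			fmt.Fprintf(&sb, `\%02x`, b)
		} else {
			sb.WriteByte(b)
		}
	}
	return sb.String()
}

// primaryGroupFilter builds the filter that selects the user's primary group object.
func primaryGroupFilter(userSID []byte, primaryGroupID string) (string, error) {
	groupSID, err := primaryGroupSID(userSID, primaryGroupID)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("(&(objectClass=group)(objectSid=%s))", escapeFilter(groupSID)), nil
}

func main() {
	// In the real flow these two inputs come from the user entry's
	// objectSid (raw bytes) and primaryGroupID (decimal string) attributes.
	filter, err := primaryGroupFilter(sampleUserSID, "513")
	if err != nil {
		panic(err)
	}
	user, _ := sidToString(sampleUserSID)
	fmt.Println("user SID:", user)
	fmt.Println("filter:  ", filter)
}
```

The group found this way is the one to append to the list produced by the member= search in the question; together they give the user's direct groups. Well-known default RIDs are 513 (Domain Users), 515 (Domain Computers) and 516 (Domain Controllers), but reading primaryGroupID rather than assuming 513 also handles accounts whose primary group was changed. Nested membership is a separate problem: the member= filter only sees groups that list the user directly, so for transitive groups AD's LDAP_MATCHING_RULE_IN_CHAIN form, (member:1.2.840.113556.1.4.1941:=<user DN>), is needed.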

Answer 2

Score: 0


To find the primary group in Go using the lib github.com/go-ldap/ldap/v3 I had to use this code sample:

// isPrimaryGroupMember reports whether the user's primary group is searchGroup.
// The filter hard-codes primaryGroupID 513, so only the default primary group
// ("Domain Users") is recognised. conn is the already-bound *ldap.Conn;
// data.Record.LdapSuffix and SearchTimelimit are the poster's own settings.
func isPrimaryGroupMember(conn *ldap.Conn, username, searchGroup string) (bool, error) {
   searchRequest := ldap.NewSearchRequest(
      data.Record.LdapSuffix,
      ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, SearchTimelimit, false,
      fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(primaryGroupID=513)(sAMAccountName=%s))", ldap.EscapeFilter(username)),
      []string{"primaryGroupID"}, 
      nil,
   )
   sr, err := conn.Search(searchRequest)
   if err != nil {
      return false, err
   }

   if len(sr.Entries) > 0 {
      primaryGroup := sr.Entries[0].GetAttributeValue("primaryGroupID")
      if primaryGroup == "513" {
         if searchGroup == "Domain Users" {
            return true, nil
         }
      }
   }
   return false, nil
}

huangapple
  • Posted by huangapple on 2022-09-30 08:38:56
  • Please keep this link when reposting: https://go.coder-hub.com/73902880.html