
我使用了這個例子,並成功連接到了 LDAP 服務器 - http://www.oracle-base.com/articles/9i/ldap-from-plsql-9i.php 。如何使用 Oracle 的 dbms_ldap 軟件包獲取 LDAP 組名稱?

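SET SERVEROUTPUT ON SIZE 1000000
-- Dumps every attribute of every entry below l_ldap_base to DBMS_OUTPUT.
-- Connection settings are the constants at the top of the DECLARE section.
DECLARE
    -- Adjust as necessary.
    -- NOTE(review): a bind password hard-coded in a script and a simple bind over
    -- plain port 389 are acceptable for a throwaway demo only: simple_bind_s sends
    -- the password in clear text. A real job should read the credential from a
    -- secure store and call DBMS_LDAP.open_ssl before binding.
    l_ldap_host   VARCHAR2(256) := 'server01.tshcomputing.com';
    l_ldap_port   VARCHAR2(256) := '389';
    l_ldap_user   VARCHAR2(256) := 'cn=orcladmin';
    l_ldap_passwd VARCHAR2(256) := 'password';
    l_ldap_base   VARCHAR2(256) := 'cn=Users,dc=tshcomputing,dc=com';

    l_retval      PLS_INTEGER;
    l_session     DBMS_LDAP.session;
    l_attrs       DBMS_LDAP.string_collection;
    l_message     DBMS_LDAP.message;
    l_entry       DBMS_LDAP.message;
    l_attr_name   VARCHAR2(256);
    l_ber_element DBMS_LDAP.ber_element;
    l_vals        DBMS_LDAP.string_collection;
BEGIN
    -- Make DBMS_LDAP raise exceptions instead of returning error codes; that is
    -- also why the EXCEPTION block below must release the session.
    DBMS_LDAP.USE_EXCEPTION := TRUE;

    -- Connect to the LDAP server and bind as the configured account.
    l_session := DBMS_LDAP.init(hostname => l_ldap_host,
                                portnum  => l_ldap_port);
    l_retval  := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                         dn     => l_ldap_user,
                                         passwd => l_ldap_passwd);

    -- '*' asks the server for all attributes of each matching entry.
    l_attrs(1) := '*';
    l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                   base     => l_ldap_base,
                                   scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                   filter   => 'objectclass=*',
                                   attrs    => l_attrs,
                                   attronly => 0,
                                   res      => l_message);

    IF DBMS_LDAP.count_entries(ld => l_session, msg => l_message) > 0 THEN
        -- Walk every entry returned by the search.
        l_entry := DBMS_LDAP.first_entry(ld => l_session, msg => l_message);

        <<entry_loop>>
        WHILE l_entry IS NOT NULL LOOP
            DBMS_OUTPUT.PUT_LINE('---------------------------------------');
            -- Walk every attribute of this entry.
            l_attr_name := DBMS_LDAP.first_attribute(ld        => l_session,
                                                     ldapentry => l_entry,
                                                     ber_elem  => l_ber_element);
            <<attributes_loop>>
            WHILE l_attr_name IS NOT NULL LOOP
                l_vals := DBMS_LDAP.get_values(ld        => l_session,
                                               ldapentry => l_entry,
                                               attr      => l_attr_name);
                -- An empty collection has NULL FIRST/LAST, which the numeric FOR
                -- loop below cannot use as bounds; skip it instead of failing.
                IF l_vals.COUNT > 0 THEN
                    <<values_loop>>
                    FOR i IN l_vals.FIRST .. l_vals.LAST LOOP
                        -- Long values (e.g. binary attributes) are cut to 200 characters for readable output.
                        DBMS_OUTPUT.PUT_LINE('ATTIBUTE_NAME: ' || l_attr_name || ' = ' || SUBSTR(l_vals(i),1,200));
                    END LOOP values_loop;
                END IF;
                l_attr_name := DBMS_LDAP.next_attribute(ld        => l_session,
                                                        ldapentry => l_entry,
                                                        ber_elem  => l_ber_element);
            END LOOP attributes_loop;   -- must match the <<attributes_loop>> label above
            l_entry := DBMS_LDAP.next_entry(ld => l_session, msg => l_entry);
        END LOOP entry_loop;
    END IF;

    -- Disconnect from the LDAP server.
    l_retval := DBMS_LDAP.unbind_s(ld => l_session);
    DBMS_OUTPUT.PUT_LINE('L_RETVAL: ' || l_retval);
EXCEPTION
    WHEN OTHERS THEN
        -- With USE_EXCEPTION = TRUE any DBMS_LDAP failure lands here; release the
        -- session so the connection is not leaked, then surface the original error.
        IF l_session IS NOT NULL THEN
            BEGIN
                l_retval := DBMS_LDAP.unbind_s(ld => l_session);
            EXCEPTION
                WHEN OTHERS THEN
                    NULL;   -- best effort: the original error is the one to report
            END;
        END IF;
        RAISE;
END;
/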

我這這樣的結果:

Results 實際上,該用戶有 3 個組,但其中一個是 Primary 組,存儲在 primaryGroupID 中。我試圖查詢組對象,但找不到類似 ID 這樣的屬性。我如何通過 primaryGroupID 獲得組信息(就像 memberOf 屬性中的值那樣)?

回答


我以爲有一個屬性在組上保存了這個值,但我沒有看到它。

再想了一下,我認爲它基於 SID 的 RID 部分。您必須解析 SID 以獲取 RID(相對 ID)部分。


然後我得到了某些組的數據,其 SID 爲空(或 == ''),我不知道爲什麼。 –


儘管可能很煩人,但這必然是一個分兩步的過程。memberOf(一個 LDAP 多值屬性)存儲了所有組成員資格,唯獨不包括 primaryGroup 成員資格(正如您發現的,它的存儲方式完全不同)。關鍵是組對象的「primaryGroupToken」屬性,它對應用戶的 primaryGroupID。

我做的是相反的事情,所以供您參考,這是我自己的函數,它會返回 primaryGroup ID 值/「令牌」:

--Special form of group membership not appearing in the memberOf attribute. 
    --Function accepts (flexibly) a SID or a group name and returns the token that 
    --would be stored in the attribute "primaryGroupID" of a user object. 
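FUNCTION get_primaryGroupToken(p_sid_samid IN VARCHAR2) RETURN VARCHAR2 IS
    -- Looks up the group identified by p_sid_samid and returns its
    -- "primaryGroupToken", i.e. the value a user object stores in "primaryGroupID".
    -- p_sid_samid is treated as an objectSid string when its second character
    -- is '-' (S-1-5-...), otherwise as the group's sAMAccountName.
    -- Returns NULL when no matching entry carries the attribute.
    -- Relies on the package globals g_session / g_ldap_auth_base and on
    -- get_ldap_session() to open the session; the session is always unbound
    -- before returning, including on error.
    l_retval            PLS_INTEGER;
    l_attrs             DBMS_LDAP.string_collection;
    l_message           DBMS_LDAP.message;
    l_entry             DBMS_LDAP.message;
    l_attr_name         VARCHAR2(256);
    l_ber_element       DBMS_LDAP.ber_element;
    l_vals              DBMS_LDAP.string_collection;
    l_primaryGroupToken VARCHAR2(256) := NULL;
    l_filter            VARCHAR2(256);

    -- Escapes an assertion value for use inside an LDAP search filter (RFC 4515).
    -- Without this, a caller-supplied name containing '*', '(', ')' or '\'
    -- would change the meaning of the filter instead of being matched literally.
    FUNCTION escape_filter_value(p_value IN VARCHAR2) RETURN VARCHAR2 IS
        l_out VARCHAR2(4000);
        l_ch  VARCHAR2(1 CHAR);
    BEGIN
        FOR i IN 1 .. NVL(LENGTH(p_value), 0) LOOP
            l_ch  := SUBSTR(p_value, i, 1);
            l_out := l_out ||
                     CASE l_ch
                         WHEN '\'    THEN '\5c'
                         WHEN '*'    THEN '\2a'
                         WHEN '('    THEN '\28'
                         WHEN ')'    THEN '\29'
                         WHEN CHR(0) THEN '\00'
                         ELSE l_ch
                     END;
        END LOOP;
        RETURN l_out;
    END escape_filter_value;
BEGIN
    IF SUBSTR(p_sid_samid, 2, 1) = '-' THEN
        dbms_output.put_line('group spec Is sid');
        l_filter := '(objectSid=' || escape_filter_value(p_sid_samid) || ')';
    ELSE
        dbms_output.put_line('group spec Is samid');
        -- You could probably also use CN here instead of sAMAccountName
        l_filter := '(&(sAMAccountName=' || escape_filter_value(p_sid_samid) || ')(objectClass=group))';
    END IF;

    l_retval := get_ldap_session();
    -- Request only the single attribute we need.
    l_attrs(1) := 'primaryGroupToken';
    l_retval := DBMS_LDAP.search_s(ld       => g_session,
                                   base     => g_ldap_auth_base,
                                   scope    => DBMS_LDAP.SCOPE_SUBTREE,
                                   filter   => l_filter,
                                   attrs    => l_attrs,
                                   attronly => 0,
                                   res      => l_message);

    IF DBMS_LDAP.count_entries(ld => g_session, msg => l_message) > 0 THEN
        -- Scan the returned entries; stop at the first one that carries the token.
        l_entry := DBMS_LDAP.first_entry(ld => g_session, msg => l_message);
        <<entry_loop>>
        WHILE l_entry IS NOT NULL LOOP
            l_attr_name := DBMS_LDAP.first_attribute(ld        => g_session,
                                                     ldapentry => l_entry,
                                                     ber_elem  => l_ber_element);
            <<attributes_loop>>
            WHILE l_attr_name IS NOT NULL LOOP
                IF LOWER(l_attr_name) <> 'primarygrouptoken' THEN
                    DBMS_OUTPUT.PUT_LINE('ATTIBUTE_NAME unexpected : ' || l_attr_name);
                ELSE
                    l_vals := DBMS_LDAP.get_values(ld        => g_session,
                                                   ldapentry => l_entry,
                                                   attr      => l_attr_name);
                    -- Guarded because an empty collection has NULL FIRST/LAST;
                    -- the last value wins, as before.
                    IF l_vals.COUNT > 0 THEN
                        l_primaryGroupToken := l_vals(l_vals.LAST);
                    END IF;
                END IF;
                EXIT attributes_loop WHEN l_primaryGroupToken IS NOT NULL;
                l_attr_name := DBMS_LDAP.next_attribute(ld        => g_session,
                                                        ldapentry => l_entry,
                                                        ber_elem  => l_ber_element);
            END LOOP attributes_loop;
            EXIT entry_loop WHEN l_primaryGroupToken IS NOT NULL;
            l_entry := DBMS_LDAP.next_entry(ld => g_session, msg => l_entry);
        END LOOP entry_loop;
    END IF;

    -- Disconnect from the LDAP server.
    l_retval := DBMS_LDAP.unbind_s(ld => g_session);
    RETURN l_primaryGroupToken;
EXCEPTION
    WHEN OTHERS THEN
        -- A DBMS_LDAP error would otherwise leave the package session bound;
        -- release it best-effort and re-raise the original error.
        BEGIN
            l_retval := DBMS_LDAP.unbind_s(ld => g_session);
        EXCEPTION
            WHEN OTHERS THEN
                NULL;
        END;
        RAISE;
END get_primaryGroupToken;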

注意,此函數位於一個包中,「g_」變量是包的全局變量。當然,應去掉僅用於開發的 DBMS_OUTPUT 調用等。

然後,我只是做兩次過濾搜索:一次按 memberOf,一次按 primaryGroupID,以獲取組的所有成員。

就您的情況而言,只需反過來做:讓您自己的函數先處理所有 memberOf 值,然後單獨用一次 LDAP 搜索查找具有該 primaryGroupToken 的組,從而處理主組。
