Go/Ldap获取用户的主要组

wko9yo5t  于 2022-12-07  发布在  Go
关注(0)|答案(2)|浏览(282)

我正在使用go/ldap查询我的Active Directory以获取特定用户的所有组,该函数可以工作,但不能返回主要组,如域用户。

代码示例

package main
import (
   "encoding/json"
   "errors"
   "fmt"
   "github.com/go-ldap/ldap/v3"
   "github.com/techoner/gophp"
   "handlers"
   "log"
   "reflect"
   "strconv"
   "strings"
)

func main(){
      conn, err := connect(bindServer,BindPort)
      if err != nil {
         log.Printf("Failed to connect to AD/LDAP with error: %s", err)
         return nil, fmt.Errorf("Failed to connect to AD/LDAP with error: %s", err)
      }
      errBind := conn.Bind(bindUser, bindPWD)
      if errBind != nil {
         if isLdapDebug {
            log.Printf("Failed to bind to AD/LDAP with error: %s", errBind)
         }
         return nil, fmt.Errorf("Failed to bind to AD/LDAP with error: %s", errBind)
      }

      searchRequest := ldap.NewSearchRequest(
         DC=domain,DC=local,
         ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
         fmt.Sprintf("(&(objectClass=user)(sAMAccountName=%s))", administrator),
         []string{"dn"},
         nil,
      )

      sr, err := conn.Search(searchRequest)

      if err != nil {
         return nil, err
      }

      if len(sr.Entries) != 1 {
         return nil, errors.New("User does not exist")
      }

      userdn := sr.Entries[0].DN
      log.Printf("USER DN IS =%s", userdn)
      searchRequest = ldap.NewSearchRequest(
         DC=domain,DC=local,
         ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
         fmt.Sprintf("(&(objectClass=group)(member=CN=Administrator,CN=Users,DC=domain,DC=local))"),
         []string{"cn"}, // can it be something else than "cn"?
         nil,
      )
      sr, err = conn.Search(searchRequest)
      if err != nil {
         return nil, err
      }
      
      groups := []string{}
      for _, entry := range sr.Entries {
         //fmt.Printf("%s", entry)
         groups = append(groups, entry.GetAttributeValue("cn"))
      }

      return groups, nil

}

输出

[Administrators Schema Admins Enterprise Admins Domain Admins Group Policy Creator Owners gteste1 gtest2]

已正确返回组,但缺少主组。
有没有办法返回特定用户的所有组(包括主要组)?

ki1q1bka

ki1q1bka1#

主组是不同的。您必须查看用户的primaryGroupId属性,然后搜索在其primaryGroupToken属性中具有该值的组。
在大多数情况下,primaryGroupId将为513,它对应于Domain Users组。
更详细一点在我写的一篇文章中:活动目录:什么使会员成为会员?

93ze6v8z

93ze6v8z2#

使用lib在go中查找主组

github.com/go-ldap/ldap/v3

我不得不使用以下代码示例:

userdn := sr.Entries[0].DN
groups := []string{}
searchRequest = ldap.NewSearchRequest(
   data.Record.LdapSuffix,
   ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, SearchTimelimit, false,
   fmt.Sprintf("(&(objectCategory=person)(objectClass=user)(primaryGroupID=513)(sAMAccountName=%s))", ldap.EscapeFilter(username)),
   []string{"primaryGroupID"}, 
   nil,
)
sr, err = conn.Search(searchRequest)
if err != nil {
   continue
}

if len(sr.Entries) > 0 {
   primaryGroup := sr.Entries[0].GetAttributeValue("primaryGroupID")
   if primaryGroup == "513" {
      if searchGroup == "Domain Users" {
         return true
      }
   }
}

相关问题