Ldap

Why can't I use inetOrgPerson together with groupOfNames?

  • April 7, 2015

I am trying to create a user in LDAP that uses the objectClass inetOrgPerson together with groupOfNames (so that I can use the 'member' attribute), but no matter which combination I try, it will not let me do it. What is the correct way to use the 'member' attribute?

This is the error message I get when I try to add it through Apache Directory Studio.

Error while creating entry
- [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for MessageType : ADD_REQUES
 java.lang.Exception: [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for MessageType : ADD_REQUEST
Message ID : 113
   Add Request :
Entry
   dn[n]: uid=sadsadsadadad@test.com,o=test,ou=tenant,dc=test,dc=com
   objectClass: groupOfNames
   objectClass: organizationalPerson
   objectClass: person
   objectClass: top
   objectClass: inetOrgPerson
   uid: sadsadsadadad@test.com
   member: cn=user,ou=role,dc=test,dc=com
   sn: sadsadsad
   cn: sdsadsad
: ERR_61 Entry uid=sadsadsadadad@test.com,o=test,ou=tenant,dc=test,dc=com contains more than one STRUCTURAL ObjectClass: [OBJECT_CLASS ( 2.5.6.9
NAME 'groupOfNames'
DESC RFC2256: a group of names (DNs)
SUP 'top'
STRUCTURAL
MUST ( 'cn' $ 'member' )
MAY ( 'businessCategory' $ 'seeAlso' $ 'owner' $ 'ou' $ 'o' $ 'description' )
)
, OBJECT_CLASS ( 2.16.840.1.113730.3.2.2
NAME 'inetOrgPerson'
DESC RFC2798: Internet Organizational Person
SUP 'organizationalPerson'
STRUCTURAL
MAY ( 'audio' $ 'businessCategory' $ 'carLicense' $ 'departmentNumber' $ 'displayName' $ 'employeeNumber' $ 'employeeType' $ 'givenName' $ 'homePhone' $ 'homePostalAddress' $ 'initials' $ 'jpegPhoto' $ 'labeledURI' $ 'mail' $ 'manager' $ 'mobile' $ 'o' $ 'pager' $ 'photo' $ 'roomNumber' $ 'secretary' $ 'uid' $ 'userCertificate' $ 'x500UniqueIdentifier' $ 'preferredLanguage' $ 'userSMIMECertificate' $ 'userPKCS12' )
)
]]
   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1280)
   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$600(DirectoryApiConnectionWrapper.java:109)
   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$6.run(DirectoryApiConnectionWrapper.java:928)
   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1109)
   at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.createEntry(DirectoryApiConnectionWrapper.java:950)
   at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.createEntry(CreateEntryRunnable.java:224)
   at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.run(CreateEntryRunnable.java:124)
   at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:112)
   at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)


The technical reason is that the groupOfNames and person objectClasses are mutually exclusive. Both are STRUCTURAL classes, but neither is subordinate to the other, which makes them distinct objectClass chains, and according to RFC 4512:

An object or alias entry is characterized by precisely one structural object class superclass chain which has a single structural object class as the most subordinate object class.

A group has members, but a person is not a group and cannot have members the way a group does.

As far as I know, you normally make the person a member of the group, and the LDAP server provides an internal function that maintains a reverse-lookup mapping so that the groups an object belongs to can be retrieved easily, a virtual attribute if you like, usually the memberOf attribute. ApacheDS may not support this.

In other words, the groups an LDAP object belongs to are not an attribute of the object itself, and you probably do not even want to try to maintain that by hand.
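The following is an added example written for this page; it is not code from the serverfault post or from ApacheDS. It models the RFC 4512 rule the server enforced (exactly one most-subordinate STRUCTURAL objectClass per entry) using a hand-built schema fragment taken from the definitions quoted in the error, and it shows the conventional modelling the answer describes: the person entry stays an inetOrgPerson, a separate groupOfNames entry lists the person's DN in its member attribute, and memberOf is derived by a reverse lookup over the groups rather than stored on the person. All DNs and entries are constructed sample data; DN comparison is plain string equality, a simplification of LDAP's distinguishedNameMatch.

```python
"""Structural objectClass check and group membership lookup (added example)."""

# Hand-built schema fragment: objectClass -> (kind, superior class).
# Kinds and superiors match the standard definitions quoted in the error.
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "groupOfNames": ("STRUCTURAL", "top"),
}


def superclass_chain(oc):
    """Return [oc, its superior, ..., 'top'] by following SUP links."""
    chain = []
    while oc is not None:
        chain.append(oc)
        oc = SCHEMA[oc][1]
    return chain


def structural_roots(object_classes):
    """Most-subordinate STRUCTURAL classes among the entry's objectClasses.

    A structural class that is a superior of another structural class in the
    same entry belongs to that class's chain and is not a root.  RFC 4512
    requires exactly one root.
    """
    structural = {oc for oc in object_classes if SCHEMA[oc][0] == "STRUCTURAL"}
    roots = set(structural)
    for oc in structural:
        for superior in superclass_chain(oc)[1:]:
            roots.discard(superior)
    return sorted(roots)


def check_entry(object_classes):
    """Return 'OK' or an OBJECT_CLASS_VIOLATION message like the server's."""
    roots = structural_roots(object_classes)
    if len(roots) > 1:
        return ("OBJECT_CLASS_VIOLATION: entry contains more than one "
                "STRUCTURAL objectClass: " + ", ".join(roots))
    if not roots:
        return "OBJECT_CLASS_VIOLATION: entry has no STRUCTURAL objectClass"
    return "OK"


# Constructed directory: a person entry and a separate group entry that
# references the person by DN.  No member/memberOf lives on the person.
USER_DN = "uid=alice@test.com,o=test,ou=tenant,dc=test,dc=com"
DIRECTORY = {
    USER_DN: {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": ["alice@test.com"],
        "cn": ["Alice"],
        "sn": ["Example"],
    },
    "cn=admins,ou=role,dc=test,dc=com": {
        "objectClass": ["top", "groupOfNames"],
        "cn": ["admins"],
        "member": [USER_DN],
    },
    "cn=auditors,ou=role,dc=test,dc=com": {
        "objectClass": ["top", "groupOfNames"],
        "cn": ["auditors"],
        "member": ["uid=bob@test.com,o=test,ou=tenant,dc=test,dc=com"],
    },
}


def member_of(directory, user_dn):
    """Reverse lookup equivalent to the server-maintained memberOf attribute,
    i.e. the search (&(objectClass=groupOfNames)(member=<user_dn>))."""
    return sorted(
        dn for dn, attrs in directory.items()
        if "groupOfNames" in attrs["objectClass"]
        and user_dn in attrs.get("member", [])
    )


if __name__ == "__main__":
    # The combination from the question: two structural chains, rejected.
    print(check_entry(["groupOfNames", "organizationalPerson", "person",
                       "top", "inetOrgPerson"]))
    # Every entry in the corrected model passes the check.
    for dn, attrs in DIRECTORY.items():
        print(dn, "->", check_entry(attrs["objectClass"]))
    print("memberOf", USER_DN, "=", member_of(DIRECTORY, USER_DN))
```

Running the block prints the violation for the question's objectClass set, "OK" for both the person and the group entries, and the single group DN that alice belongs to, which is exactly what a server-side memberOf (or a client-side search on member=DN) would return.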

Source: https://serverfault.com/questions/680989