LDAP 検索フィルターの作成方法

このページの内容

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

この記事はアトラシアンのサーバー製品にのみ適用されます。クラウドとサーバー製品の違いについてはこちらをご確認ください。

目的

This document outlines how to go about constructing a more sophisticated filter for the User Object Filter and Group Object Filter attributes in your LDAP configuration for Atlassian applications.

What is a filter

Filters can be used to restrict the numbers of users or groups that are permitted to access an application.  In essence, the filter limits what part of the LDAP tree the application syncs from.  

A filter can and should be written for both user and group membership.  This ensures that you are not flooding your application with users and groups that do not need access.

ソリューション

When constructing a filter it is best to pick a common attribute of the set of users you want to allow access to the application.  This is most often the attribute that denotes group membership or anobjectClasslike "Person"

tip/resting Created with Sketch.

The attribute used to denote membership in a group is not common to all flavors of LDAP.  Examples of this attribute can be "groupMembership" or "Member"


How do I match more than one attribute?

For example, if my users are distinguished by having two objectClass attributes (one equal to 'person' and another to 'user'), this is how I would match for it:

(&(objectClass=person)(objectClass=user))

Notice the ampersand symbol '&' symbol at the start. Translated this means: search for objectClass=person AND object=user.

Alternatively,

(|(objectClass=person)(objectClass=user))

Translated this means: search for objectClass=person OR object=user.

The pipe symbol '|' denotes 'OR'. As this is not a special XML character, it should not need escaping.

ワイルドカード

(&(objectClass=user)(cn=*Marketing*))

This means: search for all entries that have objectClass=user AND cn that contains the word 'Marketing'.

tip/resting Created with Sketch.

Wildcards are unable to be used infiltersusing ! (or NOT) logical operators.  See below


How do I match 3 attributes?

Just add an extra clause:

(&(objectClass=user)(objectClass=top)(objectClass=person))

Extra clauses can be added for more than three attributes too.

Matching Components of Distinguished Names 

tip/resting Created with Sketch.

 As Microsoft Active Directory does not implement extensible matching, the following examples won't work with it.


You may want to match part of a DN, for instance when you need to look for your groups in two subtrees of your server.

(&(objectClass=group)(|(ou:dn:=Chicago)(ou:dn:=Miami)))

will find groups with an OU component of their DN which is either 'Chicago' or 'Miami'. 

Using 'not'

To exclude entities which match an expression, use '!'.

So

(&(objectClass=group)(&(ou:dn:=Chicago)(!(ou:dn:=Wrigleyville))))

will find all Chicago groups except those with a Wrigleyville OU component.

Note the extra parentheses: (!(<expression>))

 Note that if using 'not' (ie. '!' to exclude objects) it must be represented as the entity '!' in your XML file if you are using Confluence 3.4 or below.

For Confluence 3.4 and below, once you have constructed your search filter using this document, you must escape the ampersand symbol and the exclamation mark symbol before adding to your XML file. So for example;

(&(objectClass=person)(!(objectClass=user)))
(&amp;(objectClass=person)(&#33;(objectClass=user)))

Refer to this external documentation on other XML characters that need escaping.becomes

Sample Filters

These filters are written for Active Directory. In order to use them for something suchasOpenLDAP the attributes will need to be changed.


This will only synchronise users in the 'CaptainPlanet' group - this should be applied to the User Object Filter:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=CaptainPlanet,ou=users,dc=company,dc=com))

And this will search for users that are a member of this group, either directly or via nesting:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=cn=CaptainPlanet,ou=users,dc=company,dc=com))

Important for Active Directory to have memberOf:1.2.840.113556.1.4.1941 if you want to find nested groups (do not replace the numeric string) inside CaptainPlanet group.


This will search for users who are a member of any or all the 4 groups (fire, wind,water,heart)

(&(objectCategory=Person)(sAMAccountName=*)(|(memberOf=cn=fire,ou=users,dc=company,dc=com)(memberOf=cn=wind,ou=users,dc=company,dc=com)(memberOf=cn=water,ou=users,dc=company,dc=com)(memberOf=cn=heart,ou=users,dc=company,dc=com)))
説明 This document outlines how to go about constructing a more sophisticated filter for the User Object Filter and Group Object Filter attributes in your LDAP configuration for Atlassian applications.
製品 Jira, Confluence, Bamboo, Bitbucket
プラットフォーム サーバー





最終更新日 2018 年 9 月 28 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.