I am trying to create a user in LDAP that uses the object class inetOrgPerson together with groupOfNames (so that I can use the 'member' attribute), but no matter which combination I try, it will not let me do it. What is the correct way to use the 'member' attribute?
This is the error message I get when I try to add it through Apache Directory Studio.
Error while creating entry
- [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for MessageType : ADD_REQUES
java.lang.Exception: [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for MessageType : ADD_REQUEST
Message ID : 113
Add Request :
Entry
dn[n]: [email protected],o=test,ou=tenant,dc=test,dc=com
objectClass: groupOfNames
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: inetOrgPerson
uid: [email protected]
member: cn=user,ou=role,dc=test,dc=com
sn: sadsadsad
cn: sdsadsad
: ERR_61 Entry [email protected],o=test,ou=tenant,dc=test,dc=com contains more than one STRUCTURAL ObjectClass: [OBJECT_CLASS ( 2.5.6.9
NAME 'groupOfNames'
DESC RFC2256: a group of names (DNs)
SUP 'top'
STRUCTURAL
MUST ( 'cn' $ 'member' )
MAY ( 'businessCategory' $ 'seeAlso' $ 'owner' $ 'ou' $ 'o' $ 'description' )
)
, OBJECT_CLASS ( 2.16.840.1.113730.3.2.2
NAME 'inetOrgPerson'
DESC RFC2798: Internet Organizational Person
SUP 'organizationalPerson'
STRUCTURAL
MAY ( 'audio' $ 'businessCategory' $ 'carLicense' $ 'departmentNumber' $ 'displayName' $ 'employeeNumber' $ 'employeeType' $ 'givenName' $ 'homePhone' $ 'homePostalAddress' $ 'initials' $ 'jpegPhoto' $ 'labeledURI' $ 'mail' $ 'manager' $ 'mobile' $ 'o' $ 'pager' $ 'photo' $ 'roomNumber' $ 'secretary' $ 'uid' $ 'userCertificate' $ 'x500UniqueIdentifier' $ 'preferredLanguage' $ 'userSMIMECertificate' $ 'userPKCS12' )
)
]]
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1280)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$600(DirectoryApiConnectionWrapper.java:109)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$6.run(DirectoryApiConnectionWrapper.java:928)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1109)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.createEntry(DirectoryApiConnectionWrapper.java:950)
at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.createEntry(CreateEntryRunnable.java:224)
at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.run(CreateEntryRunnable.java:124)
at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:112)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
The technical reason is that the groupOfNames and person objectClasses are mutually exclusive. They are both structural classes, but neither is subordinate to the other, which makes them separate objectClass chains, and per RFC 4512: a group has members, but a person is not a group and cannot have members the way a group does.
As far as I know, you normally make a person a member of a group, and the LDAP server provides an internal function that maintains a reverse lookup map so the groups an object belongs to can be retrieved easily, a virtual attribute if you like, usually the memberOf attribute. ApacheDS may not support this (yet). In other words, the groups an LDAP object belongs to are not an attribute of the object itself, and you probably do not even want to try to maintain that by hand.
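As an added illustration (this is not code from the question, the answer, or the ApacheDS project), the script below models the two points the answer makes: the RFC 4512 rule that an entry's structural object classes must form a single superior chain (which is exactly what the ERR_61 "more than one STRUCTURAL ObjectClass" message is enforcing), and the reverse lookup from group entries to a derived memberOf value. The miniature schema covers only the classes that appear in the error, and every DN is a constructed sample value; a real server would read the schema from its own subschema subentry.

```python
# Added example, not part of the original question or answer.
# Miniature schema: class name -> (kind, superior class). Covers only the
# object classes shown in the ApacheDS error; assumption, not the server's
# full schema.
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "groupOfNames": ("STRUCTURAL", "top"),
}


def ancestors(object_class):
    """Return the superior chain of an object class, nearest superior first."""
    chain = []
    superior = SCHEMA[object_class][1]
    while superior is not None:
        chain.append(superior)
        superior = SCHEMA[superior][1]
    return chain


def structural_leaves(object_classes):
    """Structural classes in the entry that are not a superior of another
    listed structural class. RFC 4512 allows exactly one such class."""
    structural = {oc for oc in object_classes if SCHEMA[oc][0] == "STRUCTURAL"}
    superiors = set()
    for oc in structural:
        superiors.update(ancestors(oc))
    return sorted(structural - superiors)


def check_entry(object_classes):
    """Return (ok, leaves). ok is False when the entry mixes structural
    chains (the ERR_61 case) or has no structural class at all."""
    leaves = structural_leaves(object_classes)
    return len(leaves) == 1, leaves


def build_member_of(groups):
    """Reverse index the answer describes: member DN -> sorted group DNs.
    'groups' maps a groupOfNames DN to the list of its 'member' values."""
    index = {}
    for group_dn, members in groups.items():
        for member_dn in members:
            index.setdefault(member_dn, []).append(group_dn)
    return {dn: sorted(group_dns) for dn, group_dns in index.items()}


def ldif_for_user_and_group(user_dn, cn, sn, group_dn):
    """LDIF for the intended layout: the person carries no 'member';
    a separate groupOfNames entry points at the person."""
    return "\n".join([
        f"dn: {user_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        f"cn: {cn}",
        f"sn: {sn}",
        "",
        f"dn: {group_dn}",
        "objectClass: top",
        "objectClass: groupOfNames",
        f"cn: {group_dn.split(',')[0].split('=', 1)[1]}",
        f"member: {user_dn}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample DNs.
    user = "uid=alice,o=test,ou=tenant,dc=test,dc=com"
    bad = ["top", "person", "organizationalPerson", "inetOrgPerson", "groupOfNames"]
    print(check_entry(bad))  # (False, ['groupOfNames', 'inetOrgPerson'])
    print(check_entry(bad[:-1]))  # (True, ['inetOrgPerson'])
    groups = {
        "cn=admins,ou=role,dc=test,dc=com": [user],
        "cn=devs,ou=role,dc=test,dc=com": [user, "uid=bob,o=test,ou=tenant,dc=test,dc=com"],
    }
    print(build_member_of(groups)[user])
    print(ldif_for_user_and_group(user, "alice", "Example", "cn=devs,ou=role,dc=test,dc=com"))
```

Running it reproduces the failure mode from the question (inetOrgPerson and groupOfNames are both leaves of separate chains, so the entry is rejected) and shows the accepted shape: the user is a plain inetOrgPerson, the groupOfNames entry is the only place 'member' lives, and memberOf is computed from the groups rather than stored on the person.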