[Samba] negative ldap filter on AD

Rowland Penny rowlandpenny at googlemail.com
Fri Nov 1 03:21:25 MDT 2013


On 01/11/13 02:38, me at electronico.nc wrote:
> Hi all,
>
> Samba 4.1 as AD/DC
> local postfix & dovecot hooked to AD via ldap queries (special user 
> created in AD for that purpose).
>
> Everything works as expected, but :
>
> I'd like inactive users in AD not to be able to read/send emails 
> (understandable I think).
> User status seems (sorry I'm AD newbie) to be controlled by the 
> 'userAccountControl' field in AD.
>
> Created 2 test users in AD : test1 test2
> user test1 has been disabled from WRAT:
>> ldapsearch -LLL -H ldap://localhost:389 -b 
>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1' 
>> '(&(objectcategory=person)(cn=*)(userAccountControl=66048))' mail 
>> userAccountControl
> ->
>> mail: test2 at domain.lan
>> userAccountControl: 66048
> test2 account is well set to 'disabled' and it returns 66048 value 
> (for a never-expire password)
>

Problem is that 66048 = Enabled, password never expires

>> ldapsearch -LLL -H ldap://localhost:389 -b 
>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1' 
>> '(&(objectcategory=person)(cn=*)(userAccountControl=66050))' mail 
>> userAccountControl
> ->
>> mail: test1 at domain.lan
>> userAccountControl: 66050
> test1 account is well set to 'enabled' and it returns 66050 value (for 
> a never-expire password)
>

Another problem, 66050 = Disabled, password never expires
> I'd like to setup the LDAP filter in Dovecot to exclude (at least) 
> 66048 value.
> Original filter (query by ldapsearch too) is :
> (&(objectClass=person)(cn=%n)(mail=*))
>
> Tried many syntax (via ldapsearch) but I've been unable to apply a 
> negative condition like:
> (&(objectClass=person)(cn=%n)(mail=*)(!userAccountControl=66050))
> or
> (&(objectClass=person)(cn=%n)(mail=*)(userAccountControl!=66050))
> It always returns :
> ldap_search_ext: Bad search filter (-7)
>
> I've 'googled' and I don't understand why the negative (!) filter is 
> not understood by ldapsearch against AD.
>
> Thanks in advance for your time & lights.
> Nicolas
Try this: (!(userAccountControl:1.2.840.113556.1.4.803:=2)) instead of 
this: (userAccountControl!=66050), this will not find any disabled 
users, that includes 514.

Rowland
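As an added illustration (not code from the thread or from Samba), the following Python evaluator for RFC 4515 filters understands AD's bitwise-AND matching rule and is run over constructed entries modelled on test1 (66050) and test2 (66048), plus the 514 and 512 cases. It shows why the `(!attr=value)` and `attr!=value` spellings are rejected as bad filters while the extensible-match negation excludes exactly the accounts with the ACCOUNTDISABLE bit set; user names, mail addresses and entry values are constructed for the example.

```python
import re
# Active Directory's bitwise-AND matching rule, usable in RFC 4515 extensible-match filters.
BIT_AND = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 2  # the userAccountControl bit that marks a disabled account

def parse_filter(s, pos=0):
    """Parse an RFC 4515 filter string from s[pos]; return (tree, position after it)."""
    if pos >= len(s) or s[pos] != "(":
        raise ValueError("Bad search filter")
    pos += 1
    if pos < len(s) and s[pos] in "&|!":  # compound node: operator then sub-filters
        op, items, pos = s[pos], [], pos + 1
        while pos < len(s) and s[pos] == "(":
            node, pos = parse_filter(s, pos)
            items.append(node)
        if pos >= len(s) or s[pos] != ")" or not items or (op == "!" and len(items) != 1):
            raise ValueError("Bad search filter")  # e.g. (!userAccountControl=66050)
        return (op, items), pos + 1
    end = s.find(")", pos)
    m = re.fullmatch(r"([A-Za-z][\w-]*)(?::([\d.]+))?:?=(.*)", s[pos:end] if end >= 0 else "")
    if not m:
        raise ValueError("Bad search filter")  # e.g. (userAccountControl!=66050)
    attr, rule, value = m.groups()
    return ("item", attr.lower(), rule, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry: {lowercase attr: [string values]}."""
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule is None:  # presence test (=*) or case-insensitive equality
        return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)
    if rule == BIT_AND:  # true when every bit of the mask is set in the attribute value
        return any(int(v) & int(value) == int(value) for v in values)
    raise ValueError("unsupported matching rule " + rule)

def allowed_users(filter_template, users):
    """Names a Dovecot-style filter accepts, with %n replaced by the login name."""
    return sorted(n for n, e in users.items() if matches(parse_filter(filter_template.replace("%n", n))[0], e))

# Constructed entries: test1 (66050, disabled), test2 (66048, enabled), plus the 514/512 cases.
USERS = {n: {"objectclass": ["person"], "cn": [n], "mail": [n + "@domain.lan"], "useraccountcontrol": [u]}
         for n, u in [("test1", "66050"), ("test2", "66048"), ("test3", "514"), ("test4", "512")]}
DOVECOT_FILTER = f"(&(objectClass=person)(cn=%n)(mail=*)(!(userAccountControl:{BIT_AND}:={ACCOUNTDISABLE})))"
```

`allowed_users(DOVECOT_FILTER, USERS)` returns `['test2', 'test4']`, the two enabled accounts, whatever the "password never expires" bit is set to.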
