[Samba] negative ldap filter on AD

me at electronico.nc
Fri Nov 1 14:48:10 MDT 2013


On 01/11/2013 20:21, Rowland Penny wrote:
> On 01/11/13 02:38, me at electronico.nc wrote:
>> Hi all,
>>
>> Samba 4.1 as AD/DC
>> local postfix & dovecot hooked to AD via ldap queries (special user 
>> created in AD for that purpose).
>>
>> Everything works as expected, but :
>>
>> I'd like inactive users in AD not to be able to read/send emails 
>> (understandable I think).
>> User status seems (sorry I'm AD newbie) to be controlled by the 
>> 'userAccountControl' field in AD.
>>
>> Created 2 test users in AD : test1 test2
>> user test1 has been disabled from WRAT:
>>> ldapsearch -LLL -H ldap://localhost:389 -b 
>>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1' 
>>> '(&(objectcategory=person)(cn=*)(userAccountControl=66048))' mail 
>>> userAccountControl
>> ->
>>> mail: test2 at domain.lan
>>> userAccountControl: 66048
>> test2 account is well set to 'disabled' and it returns 66048 value 
>> (for a never-expire password)
>>
>
> Problem is that 66048 = Enabled, password never expires
>
>>> ldapsearch -LLL -H ldap://localhost:389 -b 
>>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1' 
>>> '(&(objectcategory=person)(cn=*)(userAccountControl=66050))' mail 
>>> userAccountControl
>> ->
>>> mail: test1 at domain.lan
>>> userAccountControl: 66050
>> test1 account is well set to 'enabled' and it returns 66050 value 
>> (for a never-expire password)
>>
>
> Another problem, 66050 = Disabled, password never expires
>> I'd like to setup the LDAP filter in Dovecot to exclude (at least) 
>> 66048 value.
>> Original filter (query by ldapsearch too) is :
>> (&(objectClass=person)(cn=%n)(mail=*))
>>
>> Tried many syntax (via ldapsearch) but I've been unable to apply a 
>> negative condition like:
>> (&(objectClass=person)(cn=%n)(mail=*)(!userAccountControl=66050))
>> or
>> (&(objectClass=person)(cn=%n)(mail=*)(userAccountControl!=66050))
>> It always returns :
>> ldap_search_ext: Bad search filter (-7)
>>
>> I've 'googled' and I don't understand why the negative (!) filter is 
>> not understood by ldapsearch against AD.
>>
>> Thanks in advance for your time & lights.
>> Nicolas
> Try this: (!(userAccountControl:1.2.840.113556.1.4.803:=2)) instead of 
> this: (userAccountControl!=66050) , this will not find any disabled 
> users, that includes 514.
>
> Rowland
>
Thanks Rowland !
(Sorry for the mixup between 66050 and 66048)
It works OK !
Nicolas
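The bitwise matching rule and the filter-syntax failure discussed above, as an added Python example that is not part of the thread: the userAccountControl values mirror the ones posted, the sample entries are constructed.

```python
# Added example, not code from the thread: models how AD evaluates the
# bitwise matching rule and why ldapsearch rejected the earlier filters.
ACCOUNTDISABLE = 0x0002        # userAccountControl bit for a disabled account
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

def bit_and_match(value: int, mask: int) -> bool:
    """Semantics of (attr:1.2.840.113556.1.4.803:=mask): all mask bits set."""
    return value & mask == mask

def is_disabled(uac: int) -> bool:
    return bit_and_match(uac, ACCOUNTDISABLE)

# 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD (enabled), 66050 adds ACCOUNTDISABLE,
# 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE (disabled, password expires), 512 = no mailbox.
SAMPLE_ENTRIES = [
    {"cn": "test1", "mail": "test1@domain.lan", "userAccountControl": 66050},
    {"cn": "test2", "mail": "test2@domain.lan", "userAccountControl": 66048},
    {"cn": "test3", "mail": "test3@domain.lan", "userAccountControl": 514},
    {"cn": "test4", "mail": None, "userAccountControl": 512},
]

def exclude_by_value(entries, value):
    """(&(mail=*)(!(userAccountControl=<value>))): only one flag combination
    is excluded, so the disabled account with uac=514 still gets through."""
    return [e["cn"] for e in entries
            if e["mail"] and e["userAccountControl"] != value]

def exclude_disabled_bit(entries):
    """(&(mail=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))):
    excludes every entry with the disable bit set, whatever else is set."""
    return [e["cn"] for e in entries
            if e["mail"] and not is_disabled(e["userAccountControl"])]

def filter_syntax_ok(f: str) -> bool:
    """Minimal RFC 4515 check for the thread's 'Bad search filter': '!' must
    follow '(' and wrap a parenthesised filter; parentheses must balance."""
    depth = 0
    for i, ch in enumerate(f):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        elif ch == "!" and not (i > 0 and f[i - 1] == "(" and f[i + 1:i + 2] == "("):
            return False
    return depth == 0
```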


