[Samba] negative ldap filter on AD
Dewayne Geraghty
dewayne.geraghty at heuristicsystems.com.au
Mon Nov 18 15:03:53 MST 2013
On 2/11/2013 7:48 AM, me at electronico.nc wrote:
> Le 01/11/2013 20:21, Rowland Penny a écrit :
>> On 01/11/13 02:38, me at electronico.nc wrote:
>>> Hi all,
>>>
>>> Samba 4.1 as AD/DC
>>> local postfix & dovecot hooked to AD via ldap queries (special user
>>> created in AD for that purpose).
>>>
>>> Everything works as expected, but :
>>>
>>> I'd like inactive users in AD not to be able to read/send emails
>>> (understandable I think).
>>> User status seems (sorry I'm AD newbie) to be controlled by the
>>> 'userAccountControl' field in AD.
>>>
>>> Created 2 test users in AD : test1 test2
>>> user test1 has been disabled from WRAT:
>>>> ldapsearch -LLL -H ldap://localhost:389 -b
>>>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1'
>>>> '(&(objectcategory=person)(cn=*)(userAccountControl=66048))' mail
>>>> userAccountControl
>>> ->
>>>> mail: test2 at domain.lan
>>>> userAccountControl: 66048
>>> test2 account is well set to 'disabled' and it returns 66048 value
>>> (for a never-expire password)
>>>
>>
>> Problem is that 66048 = Enabled, password never expires
>>
>>>> ldapsearch -LLL -H ldap://localhost:389 -b
>>>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1'
>>>> '(&(objectcategory=person)(cn=*)(userAccountControl=66050))' mail
>>>> userAccountControl
>>> ->
>>>> mail: test1 at domain.lan
>>>> userAccountControl: 66050
>>> test1 account is well set to 'enabled' and it returns 66050 value
>>> (for a never-expire password)
>>>
>>
>> Another problem, 66050 = Disabled, password never expires
>>> I'd like to setup the LDAP filter in Dovecot to exclude (at least)
>>> 66048 value.
>>> Original filter (query by ldapsearch too) is :
>>> (&(objectClass=person)(cn=%n)(mail=*))
>>>
>>> Tried many syntax (via ldapsearch) but I've been unable to apply a
>>> negative condition like:
>>> (&(objectClass=person)(cn=%n)(mail=*)(!userAccountControl=66050))
>>> or
>>> (&(objectClass=person)(cn=%n)(mail=*)(userAccountControl!=66050))
>>> It always returns :
>>> ldap_search_ext: Bad search filter (-7)
>>>
>>> I've 'googled' and I don't understand why the negative (!) filter is
>>> not understood by ldapsearch against AD.
>>>
>>> Thanks in advance for your time & lights.
>>> Nicolas
>> Try this: (!(userAccountControl:1.2.840.113556.1.4.803:=2) instead of
>> this: (userAccountControl!=66050) , this will not find any disabled
>> users, that includes 514.
>>
>> Rowland
>>
> Thanks Rowland !
> (Sorry for the mixup between 66050 and 66048)
> It works OK !
> Nicolas
>
+1 Useful and esoteric.
Further explanation can be found at:
Bit-wise filter: http://support.microsoft.com/?id=269181
Account properties: http://support.microsoft.com/kb/305144
Dewayne.
More information about the samba
mailing list