[Samba] negative ldap filter on AD
me at electronico.nc
Thu Oct 31 20:38:57 MDT 2013
Hi all,
Samba 4.1 as AD/DC
local postfix & dovecot hooked to AD via ldap queries (special user
created in AD for that purpose).
Everything works as expected, but:
I'd like inactive users in AD not to be able to read/send emails
(understandable I think).
User status seems (sorry, I'm an AD newbie) to be controlled by the
'userAccountControl' field in AD.
Created 2 test users in AD: test1, test2
user test1 has been disabled from WRAT:
> ldapsearch -LLL -H ldap://localhost:389 -b 'ou=users,dc=domain,dc=lan'
> -D 'DOMAIN\ldap' -w 'My_secret_1'
> '(&(objectcategory=person)(cn=*)(userAccountControl=66048))' mail
> userAccountControl
->
> mail: test2 at domain.lan
> userAccountControl: 66048
test2 account is well set to 'disabled' and it returns the 66048 value (for
a never-expiring password)
> ldapsearch -LLL -H ldap://localhost:389 -b 'ou=users,dc=domain,dc=lan'
> -D 'DOMAIN\ldap' -w 'My_secret_1'
> '(&(objectcategory=person)(cn=*)(userAccountControl=66050))' mail
> userAccountControl
->
> mail: test1 at domain.lan
> userAccountControl: 66050
test1 account is well set to 'enabled' and it returns the 66050 value (for a
never-expiring password)
I'd like to set up the LDAP filter in Dovecot to exclude (at least) the 66048
value.
Original filter (queried via ldapsearch too) is:
(&(objectClass=person)(cn=%n)(mail=*))
I tried many syntaxes (via ldapsearch) but I've been unable to apply a
negative condition like:
(&(objectClass=person)(cn=%n)(mail=*)(!userAccountControl=66050))
or
(&(objectClass=person)(cn=%n)(mail=*)(userAccountControl!=66050))
It always returns:
ldap_search_ext: Bad search filter (-7)
I've 'googled' it and I don't understand why the negative (!) filter is not
understood by ldapsearch against AD.
Thanks in advance for your time & lights.
Nicolas
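As an added example (not code from the post, nor from Samba or Dovecot): a small RFC 4515 filter parser and evaluator run over two constructed entries mirroring test1 and test2. It shows why `(!userAccountControl=66050)` and `(userAccountControl!=66050)` are rejected as bad filters (the `!` operator must wrap a complete parenthesised filter, giving `(!(userAccountControl=66050))`), and it also goes one step further than the post with AD's LDAP_MATCHING_RULE_BIT_AND extensible match (OID 1.2.840.113556.1.4.803) tested against the ACCOUNTDISABLE bit (0x2), which excludes disabled accounts whatever other userAccountControl flags they carry.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # OID of AD's LDAP_MATCHING_RULE_BIT_AND extensible match
ACCOUNTDISABLE = 0x2                 # userAccountControl bit that is set on a disabled account

def parse(s):
    # RFC 4515 subset: (&...), (!...), (attr=value), (attr=*), (attr:OID:=value); malformed
    # input raises ValueError, the condition ldapsearch reports as 'Bad search filter'.
    def item(i):
        if i >= len(s) or s[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if i < len(s) and s[i] in "&!":
            op, i, kids = s[i], i + 1, []
            while i < len(s) and s[i] == "(":          # each operand of & or ! is itself (...)
                kid, i = item(i)
                kids.append(kid)
            if i >= len(s) or s[i] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError("bad '%s' filter at offset %d" % (op, i))
            return (op, kids), i + 1
        m = re.match(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=([^()]*)\)", s[i:])
        if not m:                                      # 'attr!=value' is not LDAP syntax either
            raise ValueError("bad simple filter at offset %d" % i)
        return ("=", m.group(1).lower(), m.group(2), m.group(3)), i + m.end()
    return item(0)[0]

def valid(filt):
    try:
        parse(filt)
        return True
    except ValueError:
        return False

def matches(node, entry):  # entry: dict of lowercase attribute name -> list of str values
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    vals = entry.get(attr, [])
    if rule == BIT_AND:                                # true when every bit of value is set
        return any(int(v) & int(value) == int(value) for v in vals)
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)

USERS = [  # constructed entries mirroring the post's two test users (not real directory data)
    {"objectclass": ["person"], "cn": ["test1"], "mail": ["test1@domain.lan"], "useraccountcontrol": ["66050"]},
    {"objectclass": ["person"], "cn": ["test2"], "mail": ["test2@domain.lan"], "useraccountcontrol": ["66048"]},
]

def search(filt, users=USERS):
    return [u["cn"][0] for u in users if matches(parse(filt), u)]

# '!' must wrap a complete parenthesised filter; this form excludes only the exact value 66050.
FIXED = "(&(objectClass=person)(cn=*)(mail=*)(!(userAccountControl=66050)))"
# Bitwise form: excludes every entry whose ACCOUNTDISABLE bit is set, whatever the other flags are.
BITWISE = "(&(objectClass=person)(mail=*)(!(userAccountControl:%s:=%d)))" % (BIT_AND, ACCOUNTDISABLE)
```

In a Dovecot config the `(cn=*)` term would be `(cn=%n)` as in the post; the negation and bitwise terms are unchanged.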