AD ldap, filter to exclude various kinds of expired, disabled etc etc users
mj
lists at merit.unu.edu
Fri Mar  8 14:39:23 EET 2019

Hi,
I was revising our AD ldap user_filter and pass_filter to exclude more 
types of expired / disabled accounts.
I started adding things like:
> (&(objectclass=person)(sAMAccountName=%n)(!(useraccountcontrol=514))(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608)))
but then I thought, why not simply do:
> (&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))
as 512 would be your regular active user accounts only, excluding all other 
account types.
Looking here 
(https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) 
there are so many different userAccountControl values to check, that it might 
be smarter to only allow userAccountControl=512, or....?
Any ideas on this..?
(or examples of how you do it?)
MJ
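
Added example, not part of the original post: userAccountControl is a bit field, so this sketch compares the post's equality test with a bitwise filter built from Active Directory's bit-AND and bit-OR matching rules, evaluated locally over the values the post names. The function names are hypothetical and 66048 is a constructed sample value.

```python
# Added example: equality vs. bitwise matching on AD userAccountControl.
# Flag values are from the Microsoft article linked in the post.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: all bits set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: any bit set


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def build_filter(required=0x200, denied=0x2):
    """Filter: all `required` bits set, none of the `denied` bits set."""
    return ("(&(objectclass=person)(sAMAccountName=%n)"
            f"(userAccountControl:{BIT_AND}:={required})"
            f"(!(userAccountControl:{BIT_OR}:={denied})))")


def bitwise_match(value, required=0x200, denied=0x2):
    """Evaluate locally what build_filter() asks the directory to evaluate."""
    return (value & required) == required and (value & denied) == 0


def equality_match(value):
    """The (userAccountControl=512) test from the post."""
    return value == 512


if __name__ == "__main__":
    # 512..8388608 are the values named in the post; 66048 is a constructed
    # sample (NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD, e.g. a service mailbox).
    for uac in (512, 514, 546, 66050, 8388608, 66048):
        print(f"{uac:>8} eq={equality_match(uac)!s:5} "
              f"bits={bitwise_match(uac)!s:5} {'|'.join(decode_uac(uac))}")
    print(build_filter())
```

The equality test rejects 66048 even though that account is enabled, while the bitwise filter accepts it and still rejects 514, 546 and 66050. Passing `denied=0x800002` adds the PASSWORD_EXPIRED bit to the rejected set.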
    
    