AD ldap, filter to exclude various kinds of expired, disabled etc etc users
lists
lists at merit.unu.edu
Tue Mar 19 11:23:09 EET 2019
Hi,
For the archives, the below user_filter works nicely:
user_filter =
(&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))
But another option, taken from the samba mailinglist is:
user_filter =
(&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))(!(userAccountControl:1.2.840.113556.1.4.803:=2)
This one excludes various kinds of disabled accounts, including 514. The
second one might actually be better.
MJ
On 8-3-2019 13:39, mj via dovecot wrote:
> Hi,
>
> I was revising our AD ldap user_filter and pass_filter to exclude more
> types of expired / disabled accounts.
>
> I started adding things like:
>
>> (&(objectclass=person)(sAMAccountName=%n)(!useraccountcontrol=514)(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608)))
>>
>
> but then I thought, why not simply do:
>
>> (&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))
>
> as 512 would your regular active user accounts only, excluding all other
> account types.
>
> Looking here
> (https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties)
> there are some many different userAccountControl to check, that it might
> be smarter to only allow userAccountControl=512, or....?
>
> Any ideas on this..?
>
> (or examples of how you do it?)
>
> MJ
More information about the dovecot
mailing list