AD ldap, filter to exclude various kinds of expired, disabled etc etc users

lists lists at merit.unu.edu
Tue Mar 19 11:23:09 EET 2019


Hi,

For the archives, the below user_filter works nicely:

user_filter = 
(&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))

But another option, taken from the samba mailinglist is:

user_filter = 
(&(objectclass=person)(sAMAccountName=%n)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This one excludes various kinds of disabled accounts, including 514. The 
second one might actually be better.

MJ


On 8-3-2019 13:39, mj via dovecot wrote:
> Hi,
> 
> I was revising our AD ldap user_filter and pass_filter to exclude more 
> types of expired / disabled accounts.
> 
> I started adding things like:
> 
>> (&(objectclass=person)(sAMAccountName=%n)(!(useraccountcontrol=514))(!(useraccountcontrol=546))(!(useraccountcontrol=66050))(!(useraccountcontrol=8388608))) 
>>
> 
> but then I thought, why not simply do:
> 
>> (&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))
> 
> as 512 would be your regular active user accounts only, excluding all other 
> account types.
> 
> Looking here 
> (https://support.microsoft.com/en-gb/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties) 
> there are so many different userAccountControl values to check, that it might 
> be smarter to only allow userAccountControl=512, or....?
> 
> Any ideas on this..?
> 
> (or examples of how you do it?)
> 
> MJ
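
The two filters discussed above, evaluated side by side as an added example (not code from the thread, from Dovecot, or from the samba list): a minimal evaluator for the RFC 4515 filter subset used here (and, or, not, equality, and the 1.2.840.113556.1.4.803 bit-AND matching rule), run over a handful of constructed AD-style entries. The entries, their sAMAccountNames and their userAccountControl values are invented for illustration; the flag constants are the documented userAccountControl bits.

```python
# userAccountControl flag bits as documented by Microsoft (decimal in comments)
ACCOUNTDISABLE = 0x0002          # 2
NORMAL_ACCOUNT = 0x0200          # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536
PASSWORD_EXPIRED = 0x800000      # 8388608

# OID of LDAP_MATCHING_RULE_BIT_AND, the extensible match used in the filter
BIT_AND_OID = "1.2.840.113556.1.4.803"

# The two user_filter variants from the thread
FILTER_EXACT = "(&(objectclass=person)(sAMAccountName=%n)(userAccountControl=512))"
FILTER_BITWISE = (
    "(&(objectclass=person)(sAMAccountName=%n)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed sample directory; none of these are real accounts.
ENTRIES = [
    {"objectclass": "person", "sAMAccountName": "alice", "userAccountControl": 512},
    {"objectclass": "person", "sAMAccountName": "bob", "userAccountControl": 514},      # 512 + disabled
    {"objectclass": "person", "sAMAccountName": "carol", "userAccountControl": 66048},  # 512 + no-expire pw
    {"objectclass": "person", "sAMAccountName": "dave", "userAccountControl": 66050},   # 66048 + disabled
    {"objectclass": "person", "sAMAccountName": "erin", "userAccountControl": 8389120}, # 512 + pw expired
    {"objectclass": "computer", "sAMAccountName": "ws01$", "userAccountControl": 4096}, # workstation
]


def parse(s, i=0):
    """Parse one parenthesised filter component starting at s[i].

    Returns (node, index_after_component). Supported nodes:
    ('&'|'|', [children]), ('!', [child]), ('eq', attr, value),
    ('ext', attr, matching_rule_oid, value).
    """
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("unbalanced filter at offset %d" % i)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unbalanced filter at offset %d" % i)
        return ("!", [child]), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    if attr.endswith(":"):  # extensible match: attr:OID:=value
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr, rule, value), end + 1
    return ("eq", attr, value), end + 1


def lookup(entry, attr):
    """Case-insensitive attribute lookup, as AD attribute names are."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val
    return None


def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":
        actual = lookup(entry, node[1])
        return actual is not None and str(actual).lower() == node[2].lower()
    if kind == "ext":
        _, attr, rule, value = node
        if rule != BIT_AND_OID:
            raise ValueError("unsupported matching rule " + rule)
        actual = lookup(entry, attr)
        # bit-AND match: every bit of the asserted value must be set
        return actual is not None and (int(actual) & int(value)) == int(value)
    raise ValueError("unknown node " + kind)


def allowed_users(filter_template, entries):
    """Return the sAMAccountNames admitted when each user's own name is
    substituted for %n, as Dovecot does when it runs the user_filter."""
    admitted = []
    for entry in entries:
        name = entry["sAMAccountName"]
        node, _ = parse(filter_template.replace("%n", name))
        if matches(node, entry):
            admitted.append(name)
    return admitted


if __name__ == "__main__":
    print("exact 512 :", allowed_users(FILTER_EXACT, ENTRIES))
    print("bitwise   :", allowed_users(FILTER_BITWISE, ENTRIES))
```

On the constructed entries the exact match admits only alice, while the bitwise filter admits alice, carol and erin: carol (66048, a normal account whose password never expires) is a legitimate user that the exact-512 filter silently locks out, and erin (8389120) shows that testing only the ACCOUNTDISABLE bit says nothing about password or account expiry, so those still need their own checks.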

