[midPoint] Active Directory Administrative Status
Radovan Semancik
radovan.semancik at evolveum.com
Thu Sep 15 13:10:19 CEST 2016
Hi,
The AD/LDAP connector is indeed using the userAccountControl attribute
and maps the values to administrativeStatus. However, the userAccountControl
attribute is tricky. It is a binary attribute, each bit corresponding to a
separate flag (that's Microsoft's idea of proper LDAP support).
Therefore supporting that well is not entirely straightforward. When I
was developing the AD/LDAP connector I implemented just the very
minimal support that we needed at that time. I knew quite well that the
code that handles the userAccountControl will eventually need to be
rewritten anyway. So I haven't spent any more time than was absolutely
necessary. The priorities have changed since then ... and that means
that the support for properly reading and decoding userAccountControl is
still missing. I have just created a Jira to finish it:
https://jira.evolveum.com/browse/MID-3400

However, because of our current priorities this will need a subscriber's
"vote" or an explicit sponsoring to get implemented. Or (as always) the
connector code is on GitHub and we will gladly accept contributions.

Yet, there is a workaround. If you set the configuration property
rawUserAccountControlAttribute to true then the connector will do no
logic on the userAccountControl and you can do all the necessary logic
in midPoint mappings.
--
Radovan Semancik
Software Architect
evolveum.com
On 09/14/2016 09:38 PM, Florin. Stingaciu wrote:
> Hello,
>
> We are syncing all of our users from an Active Directory instance.
> When a user is disabled two things happen:
>
> 1. The DN of the user changes from cn=username,ou=people to
> cn=username,ou=disabled_accounts
>
> 2. The userAccountControl changes from 512 to 514 indicating the user
> is disabled
>
> I use an import user accounts task daily to ensure any people who left
> the company are disabled, however I just noticed that for some users
> when they get disabled in active directory, midPoint won't disable
> them even though they both have the userAccountControl entry set to
> 514 making me think that midPoint uses a different attribute to test
> the Account Status on the AD resource.
>
> Here's my activation setting:
>
> <activation>
> <administrativeStatus>
> <inbound/>
> </administrativeStatus>
> </activation>
>
> Any help would be greatly appreciated.
>
> Thanks,
> -F
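One way to apply the workaround described in the reply, as an added example that is not part of the original thread and not the connector's or midPoint's own configuration. With rawUserAccountControlAttribute set to true the connector no longer fills administrativeStatus, so the bare `<activation><administrativeStatus><inbound/>` form from the question has nothing to read; the ACCOUNTDISABLE bit (0x0002, which is why 512 becomes 514) is tested in an inbound mapping placed on the userAccountControl attribute instead, targeting the user's activation/administrativeStatus. Assumptions: the `icfcldap` namespace prefix (copy whatever prefix and URI your resource already uses for the connector's configurationProperties), the placement of the mapping under schemaHandling, and that the raw attribute arrives as a numeric string.

```xml
<!-- Added example, not from the original thread. -->

<!-- 1. Connector configuration: switch off the connector's own userAccountControl logic.
     The element lives in the connector's own namespace; reuse the prefix/URI already
     declared on your resource's configurationProperties element (assumed here: icfcldap). -->
<icfc:configurationProperties>
    <!-- ... existing connector properties ... -->
    <icfcldap:rawUserAccountControlAttribute>true</icfcldap:rawUserAccountControlAttribute>
</icfc:configurationProperties>

<!-- 2. Inbound mapping on the raw attribute, replacing the bare
     <activation><administrativeStatus><inbound/></administrativeStatus></activation>
     block from the question. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <attribute>
            <ref>ri:userAccountControl</ref>
            <inbound>
                <strength>strong</strength>
                <expression>
                    <script>
                        <code>
                            import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType

                            // No attribute value: leave the focus status untouched.
                            if (input == null) {
                                return null
                            }
                            // userAccountControl is a bit mask; ACCOUNTDISABLE is bit 0x0002.
                            // 512 (NORMAL_ACCOUNT) -> enabled, 514 = 512 + 2 -> disabled.
                            def uac = Integer.parseInt(input.toString())
                            return (uac &amp; 0x0002) != 0 ? ActivationStatusType.DISABLED : ActivationStatusType.ENABLED
                        </code>
                    </script>
                </expression>
                <target>
                    <path>$focus/activation/administrativeStatus</path>
                </target>
            </inbound>
        </attribute>
    </objectType>
</schemaHandling>
```

Because the decision is made from the bit rather than from the DN, an account that is disabled in place (userAccountControl 514 but still under ou=people) is handled the same way as one moved to ou=disabled_accounts, which is the case the question describes. The `&` must be written as `&amp;` inside the XML element.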