[midPoint] Active Directory Administrative Status

Radovan Semancik radovan.semancik at evolveum.com
Thu Sep 15 13:10:19 CEST 2016


Hi,

The AD/LDAP connector is indeed using the userAccountControl attribute 
and maps the values to administrativeStatus. However, the 
userAccountControl attribute is tricky. It is a binary attribute, each 
bit corresponding to a separate flag (that's Microsoft's idea of proper 
LDAP support). Therefore supporting it well is not entirely 
straightforward. When I was developing the AD/LDAP connector I 
implemented just the very minimal support that we needed at that time. 
I knew quite well that the code that handles userAccountControl would 
eventually need to be rewritten anyway, so I haven't spent any more 
time on it than was absolutely necessary. The priorities have changed 
since then ... and that means that support for properly reading and 
decoding userAccountControl is still missing. I have just created a 
Jira issue to finish it:

https://jira.evolveum.com/browse/MID-3400

However, because of our current priorities, this will need a 
subscriber's "vote" or explicit sponsoring to get implemented. Or (as 
always) the connector code is on GitHub and we will gladly accept 
contributions.

Yet, there is a workaround. If you set the configuration property 
rawUserAccountControlAttribute to true then the connector will do no 
logic on userAccountControl and you can do all the necessary logic in 
midPoint mappings.

-- 
Radovan Semancik
Software Architect
evolveum.com
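
The bit-field decoding described above, as an added example that is not part of the original message and not midPoint or AD/LDAP connector code. It shows the logic one would carry in midPoint mapping scripts once the connector runs with rawUserAccountControlAttribute=true and the raw value reaches the mappings untouched: parse the value as LDAP delivers it (a decimal string), decide administrativeStatus from the ACCOUNTDISABLE bit alone, and on the way back flip only that bit so the other flags survive. Flag names and values are the ones Microsoft documents for userAccountControl; the function names and the sample values are this example's own.

```python
"""Decode and update the Active Directory userAccountControl bit field.

Added example, not midPoint or connector code. Flag bits and names are
the documented userAccountControl values; function names are assumptions
of this example.
"""

# Documented userAccountControl flag bits.
UAC_FLAGS = {
    0x0000001: "SCRIPT",
    0x0000002: "ACCOUNTDISABLE",
    0x0000008: "HOMEDIR_REQUIRED",
    0x0000010: "LOCKOUT",
    0x0000020: "PASSWD_NOTREQD",
    0x0000040: "PASSWD_CANT_CHANGE",
    0x0000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0000100: "TEMP_DUPLICATE_ACCOUNT",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0020000: "MNS_LOGON_ACCOUNT",
    0x0040000: "SMARTCARD_REQUIRED",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x0800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

ACCOUNTDISABLE = 0x0002

# LOCKOUT and PASSWORD_EXPIRED are effective-state bits that AD reports
# through msDS-User-Account-Control-Computed; do not derive a lockout
# decision from userAccountControl alone.
COMPUTED_BITS = {0x0000010, 0x0800000}


def parse_uac(raw):
    """Accept the value as LDAP delivers it (decimal string or bytes) or as
    an int. Anything unparseable raises instead of defaulting to 0, because
    a silent 0 would read as an enabled account."""
    if isinstance(raw, bool):
        raise ValueError("userAccountControl must be an int or decimal string")
    if isinstance(raw, int):
        value = raw
    elif isinstance(raw, (str, bytes)):
        text = raw.decode("ascii") if isinstance(raw, bytes) else raw
        value = int(text.strip(), 10)
    else:
        raise ValueError("unsupported userAccountControl type: %r" % type(raw))
    if value < 0 or value > 0xFFFFFFFF:
        raise ValueError("userAccountControl out of 32-bit range: %r" % raw)
    return value


def decode_uac(raw):
    """Return the set of flag names set in the value; undocumented bits are
    reported as one UNKNOWN_0x... entry rather than dropped."""
    value = parse_uac(raw)
    names = {name for bit, name in UAC_FLAGS.items() if value & bit}
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.add("UNKNOWN_0x%X" % unknown)
    return names


def administrative_status(raw):
    """Inbound direction: midPoint administrativeStatus as a string. Only
    the ACCOUNTDISABLE bit decides; a DN move or any other flag does not."""
    return "DISABLED" if parse_uac(raw) & ACCOUNTDISABLE else "ENABLED"


def set_disabled(raw, disabled):
    """Outbound direction: flip only bit 0x2 and keep every other flag
    (e.g. DONT_EXPIRE_PASSWORD), since AD expects the whole field back."""
    value = parse_uac(raw)
    return value | ACCOUNTDISABLE if disabled else value & ~ACCOUNTDISABLE


if __name__ == "__main__":
    # Constructed samples: 512 is the enabled user from the thread, 514 the
    # same user after being disabled, 66050 a disabled user whose password
    # never expires.
    for sample in ("512", "514", 66050):
        print(sample, administrative_status(sample), sorted(decode_uac(sample)))
```

With the raw attribute switched on, the same two decisions belong in the resource's inbound mapping on userAccountControl (targeting activation/administrativeStatus) and in the outbound mapping that writes the field back; the outbound side must read the current value first, exactly as set_disabled does, or it will clobber the other flags.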



On 09/14/2016 09:38 PM, Florin. Stingaciu wrote:
> Hello,
>
> We are syncing all of our users from an Active Directory instance. 
> When a user is disabled two things happen:
>
> 1. The DN of the user changes from cn=username,ou=people to 
> cn=username,ou=disabled_accounts
>
> 2. The userAccountControl changes from 512 to 514 indicating the user 
> is disabled
>
> I use an import user accounts task daily to ensure any people who left 
> the company are disabled, however I just noticed that for some users 
> when they get disabled in Active Directory, midPoint won't disable 
> them even though they both have the userAccountControl entry set to 
> 514, which makes me think that midPoint uses a different attribute to 
> test the Account Status on the AD resource.
>
> Here's my activation setting:
>
>          <activation>
>             <administrativeStatus>
>                <inbound/>
>             </administrativeStatus>
>          </activation>
>
> Any help would be greatly appreciated.
>
> Thanks,
> -F
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
