[midPoint] Active Directory Administrative Status

Florin. Stingaciu fstingaciu at mirantis.com
Thu Sep 15 19:24:29 CEST 2016


Hey Radovan,

Thanks for the detailed response. However, something does bug me. For some
users that get disabled via the userAccountControl attribute (value 514),
the user will consequently be disabled in midPoint, however for some users
it does not even though the userAccountControl attribute has the same
value.

Do you have ideas why this could be the case?

Alternatively, are there any examples in your wiki or github on how I could
conditionally map a value from a particular attribute to administrativeStatus?
I haven't been able to find much.

Thanks,
-F

On Thu, Sep 15, 2016 at 4:10 AM, Radovan Semancik <
radovan.semancik at evolveum.com> wrote:

> Hi,
>
> The AD/LDAP connector is indeed using the userAccountControl attribute and
> maps the values to administrativeStatus. However userAccountControl
> attribute is tricky. It is binary attribute, each bit corresponding to a
> separate flag (that's Microsoft's idea of proper LDAP support). Therefore
> supporting that well is not entirely straightforward. When I was developing
> the AD/LDAP connector I have implemented just the very minimal support that
> we needed at that time. I knew quite well that the code that handles the
> userAccountControl will eventually need to be rewritten anyway. So I
> haven't spent any more time that was absolutely necessary. The priorities
> have changed since then .... and that means that the support for properly
> reading and decoding userAccountControl is still missing. I have just
> created Jira to finish it:
>
> https://jira.evolveum.com/browse/MID-3400
>
> However, because of our current priorities this will need a subscriber's
> "vote" or an explicit sponsoring to get implemented. Or (as always)
> connector code is on github and we will gladly accept contributions.
>
> Yet, there is a workaround. If you set configuration property
> rawUserAccountControlAttribute to true then the connector will do no logic
> on the userAccountControl and you can do all the necessary logic in
> midPoint mappings.
>
> --
> Radovan Semancik
> Software Architectevolveum.com
>
>
>
> On 09/14/2016 09:38 PM, Florin. Stingaciu wrote:
>
> Hello,
>
> We are syncing all of our users from an Active Directory instance. When a
> user is disabled two things happen:
>
> 1. The Dn of the user changes from cn=username,ou=people to
> cn=username,ou=disabled_accounts
>
> 2. The userAccountControl changes from 512 to 514 indicating the user is
> disabled
>
> I use an import user accounts task daily to ensure any people who left the
> company are disabled, however I just noticed that for some users when they
> get disabled in active directory, midPoint won't disabled them even though
> they both have the userAccountControl entry set to 514 making me think that
> midPoint uses a different attribute to test the Account Status on the AD
> resource.
>
> Here's my activation setting:
>
>          <activation>
>             <administrativeStatus>
>                <inbound/>
>             </administrativeStatus>
>          </activation>
>
> Any help would be greatly appreciated.
>
> Thanks,
> -F
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20160915/2984a46f/attachment.htm>


More information about the midPoint mailing list