[midPoint] AD computer & userAccountControl if adminStatus = disabled

Yakov Revyakin yrevyakin at gmail.com
Tue Apr 23 14:25:29 CEST 2024


Hi All,
Debugging AdLdapConnector, I've found the cause of the problem.
The AdLdapConnector.java class in v3.7 gets some more specific processing of
UAC. It applies UAC logic (including enable/disable) only if the current AD
object class is "user".
The following lines in updateDelta() make it impossible to get UAC
processing for the "computer" class in the same way as for "user". So, the
connector can't enable/disable a "computer" in the same way as it can a
"user".

boolean isUserObjectClass = getSchemaTranslator().isUserObjectClass(ldapObjectClass.getName());
boolean hasUacPatch = !getConfiguration().isRawUserAccountControlAttribute()
        && isUserObjectClass && hasUacDelta(deltas);

isUserObjectClass() simply checks whether the objectClass is equal to the string
"user".

I know that there is a possibility to work with UAC in raw mode but it is a
bit uncomfortable.
What is the best way to solve the problem? Can the connector configuration
be improved to support a list of user objects (user, computer) instead of a
single value (user)?

Thanks,
Yakov





On Fri, 1 Mar 2024 at 14:49, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> I've migrated to MP v.4.8.2 with LDAP connector v3.7
> I have AD user & computer objectTypes. I manage AD 'computer' status in
> the same way as 'user' using MP administrative status.
> I can see that disabling 'user' works as expected. But disabling
> 'computer' throws the error:
>
> com.evolveum.midpoint.util.exception.SchemaException: Error modifying LDAP
> entry CN=WS164,OU=Computers,OU=...........,DC=local: [
> *replace:userAccountControl=FALSE,*]: invalid
> AttributeSyntax: 00000057: LdapErr: DSID-0C091284, comment: Error in
> attribute conversion operation, data 0, v4563? (21)
>
> It looks like MP tries to update userAccountControl with a boolean
> value when an integer is expected.
>
> Do you have any ideas on how to solve this?
> Yakov
>
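As an added example (not code from the LDAP connector or from the posts above): the enable/disable change has to be expressed as a bit flip on the integer userAccountControl bitmask, which is what the connector does for "user" and skips for "computer", so the raw boolean ends up in the replace modification. The object-class set, the method names and the sample UAC value are assumptions.

```java
import java.util.Set;

public class UacExample {
    // ACCOUNTDISABLE bit of userAccountControl (0x0002), as documented by Microsoft.
    static final int ACCOUNTDISABLE = 0x0002;
    // WORKSTATION_TRUST_ACCOUNT bit (0x1000), normally set on computer objects.
    static final int WORKSTATION_TRUST_ACCOUNT = 0x1000;

    // Hypothetical replacement for the single "user" check: the object classes whose
    // midPoint administrative status should be mapped onto userAccountControl.
    static final Set<String> UAC_OBJECT_CLASSES = Set.of("user", "computer");

    static boolean isUacObjectClass(String objectClass) {
        return UAC_OBJECT_CLASSES.contains(objectClass.toLowerCase());
    }

    // Value to put in replace:userAccountControl for the requested administrative status.
    // The other bits of the current value are preserved; only ACCOUNTDISABLE changes.
    static int applyAdminStatus(int currentUac, boolean enabled) {
        return enabled ? (currentUac & ~ACCOUNTDISABLE) : (currentUac | ACCOUNTDISABLE);
    }

    static boolean isEnabled(int uac) {
        return (uac & ACCOUNTDISABLE) == 0;
    }

    // Guard against the failure mode in the thread: AD only accepts a decimal integer here,
    // so a literal "TRUE"/"FALSE" must never reach the modification.
    static String toLdapValue(int uac) {
        return Integer.toString(uac);
    }

    public static void main(String[] args) {
        // Constructed sample: an enabled workstation account.
        int workstationUac = WORKSTATION_TRUST_ACCOUNT;
        String objectClass = "computer";
        if (!isUacObjectClass(objectClass)) {
            System.out.println(objectClass + " would be skipped by the UAC patch logic");
            return;
        }
        int disabledUac = applyAdminStatus(workstationUac, false);
        System.out.println("replace:userAccountControl=" + toLdapValue(disabledUac)
                + " enabled=" + isEnabled(disabledUac));
        int reEnabledUac = applyAdminStatus(disabledUac, true);
        System.out.println("replace:userAccountControl=" + toLdapValue(reEnabledUac)
                + " enabled=" + isEnabled(reEnabledUac));
    }
}
```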