<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
The AD/LDAP connector is indeed using the userAccountControl
attribute and maps the values to administrativeStatus. However
userAccountControl attribute is tricky. It is binary attribute, each
bit corresponding to a separate flag (that's Microsoft's idea of
proper LDAP support). Therefore supporting that well is not entirely
straightforward. When I was developing the AD/LDAP connector I have
implemented just the very minimal support that we needed at that
time. I knew quite well that the code that handles the
userAccountControl will eventually need to be rewritten anyway. So I
haven't spent any more time that was absolutely necessary. The
priorities have changed since then .... and that means that the
support for properly reading and decoding userAccountControl is
still missing. I have just created Jira to finish it:<br>
<br>
<a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-3400">https://jira.evolveum.com/browse/MID-3400</a><br>
<br>
However, because of our current priorities this will need a
subscriber's "vote" or an explicit sponsoring to get implemented. Or
(as always) connector code is on github and we will gladly accept
contributions.<br>
<br>
Yet, there is a workaround. If you set configuration property
rawUserAccountControlAttribute to true then the connector will do no
logic on the userAccountControl and you can do all the necessary
logic in midPoint mappings.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<div class="moz-cite-prefix">On 09/14/2016 09:38 PM, Florin.
Stingaciu wrote:<br>
</div>
<blockquote
cite="mid:CAMQHPY2C+8CoZOacxyp6msAUB8e8sjQAQgTLu5KTPMPPZSerqQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>We are syncing all of our users from an Active Directory
instance. When a user is disabled two things happen:</div>
<div><br>
</div>
<div>1. The Dn of the user changes from cn=username,ou=people to
cn=username,ou=disabled_accounts </div>
<div><br>
</div>
<div>2. The userAccountControl changes from 512 to 514
indicating the user is disabled</div>
<div><br>
</div>
<div>I use an import user accounts task daily to ensure any
people who left the company are disabled, however I just
noticed that for some users when they get disabled in active
directory, midPoint won't disabled them even though they both
have the userAccountControl entry set to 514 making me think
that midPoint uses a different attribute to test the Account
Status on the AD resource. </div>
<div><br>
</div>
<div>Here's my activation setting:</div>
<div><br>
</div>
<div>
<div> <activation></div>
<div> <administrativeStatus></div>
<div> <inbound/></div>
<div> </administrativeStatus></div>
<div> </activation></div>
</div>
<div><br>
</div>
<div>Any help would be greatly appreciated. </div>
<div><br>
</div>
<div>Thanks, </div>
<div>-F </div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>