<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Ah, yes. You are right.<br>
<br>
    I had another look at the code. There is actually support for
    reading the administrative status. The account will be considered
    enabled if ((userAccountControl &amp;
    AdConstants.USER_ACCOUNT_CONTROL_DISABLED) == 0) and disabled
    otherwise, where USER_ACCOUNT_CONTROL_DISABLED = 0x0002;<br>
<br>
I completely forgot that I have ever written this code :-) ... but
if I haven't completely lost my last sense of binary maths then the
account should be seen as disabled for value 514(dec). So it should
work for you and I have no idea why it does not work.<br>
<br>
Please feel free to experiment with the connector code. This code is
in AdSchemaTranslator.extendConnectorObject(...) starting at line
147. Maybe if you add some logging there then you can figure out
what's going on.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<div class="moz-cite-prefix">On 09/15/2016 07:24 PM, Florin.
Stingaciu wrote:<br>
</div>
<blockquote
cite="mid:CAMQHPY2gK9jMb5udYXE+PcfiGem3k33pJDd2kWrJk5Fgs7izKQ@mail.gmail.com"
type="cite">
<div dir="ltr">Hey Radovan,
<div><br>
</div>
<div>Thanks for the detailed response. However, something does
bug me. For some users that get disabled via the
userAccountControl attribute (value 514), the user will
consequently be disabled in midPoint, however for some users
it does not even though the userAccountControl attribute has
the same value. </div>
<div><br>
</div>
<div>Do you have ideas why this could be the case? </div>
<div><br>
</div>
<div>Alternatively, are there any examples in your wiki or
github on how I could conditionally map a value from a
particular attribute to <span style="font-size:12.8px">administrativeStatus?
I haven't been able to find much.</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">Thanks, </span></div>
<div><span style="font-size:12.8px">-F </span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Sep 15, 2016 at 4:10 AM,
          Radovan Semancik <span dir="ltr">&lt;<a
              moz-do-not-send="true"
              href="mailto:radovan.semancik@evolveum.com"
              target="_blank">radovan.semancik@evolveum.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi,<br>
<br>
The AD/LDAP connector is indeed using the
userAccountControl attribute and maps the values to
administrativeStatus. However userAccountControl attribute
            is tricky. It is a binary attribute, each bit corresponding
to a separate flag (that's Microsoft's idea of proper LDAP
support). Therefore supporting that well is not entirely
straightforward. When I was developing the AD/LDAP
connector I have implemented just the very minimal support
that we needed at that time. I knew quite well that the
code that handles the userAccountControl will eventually
            need to be rewritten anyway. So I haven't spent any more
            time than was absolutely necessary. The priorities have
changed since then .... and that means that the support
for properly reading and decoding userAccountControl is
still missing. I have just created Jira to finish it:<br>
<br>
<a moz-do-not-send="true"
href="https://jira.evolveum.com/browse/MID-3400"
target="_blank">https://jira.evolveum.com/<wbr>browse/MID-3400</a><br>
<br>
However, because of our current priorities this will need
a subscriber's "vote" or an explicit sponsoring to get
implemented. Or (as always) connector code is on github
and we will gladly accept contributions.<br>
<br>
Yet, there is a workaround. If you set configuration
property rawUserAccountControlAttribute to true then the
connector will do no logic on the userAccountControl and
you can do all the necessary logic in midPoint mappings.<br>
<br>
<pre cols="72">--
Radovan Semancik
Software Architect
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div>
<div class="h5"> <br>
<br>
<div>On 09/14/2016 09:38 PM, Florin. Stingaciu wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">Hello,
<div><br>
</div>
<div>We are syncing all of our users from an
Active Directory instance. When a user is
disabled two things happen:</div>
<div><br>
</div>
<div>1. The Dn of the user changes from
cn=username,ou=people to
cn=username,ou=disabled_<wbr>accounts </div>
<div><br>
</div>
<div>2. The userAccountControl changes from 512 to
514 indicating the user is disabled</div>
<div><br>
</div>
<div>I use an import user accounts task daily to
ensure any people who left the company are
disabled, however I just noticed that for some
users when they get disabled in active
                        directory, midPoint won't disable them even
though they both have the userAccountControl
entry set to 514 making me think that midPoint
uses a different attribute to test the Account
Status on the AD resource. </div>
<div><br>
</div>
<div>Here's my activation setting:</div>
<div><br>
</div>
<div>
                        <div>&lt;activation&gt;</div>
                        <div>&nbsp;&nbsp;&lt;administrativeStatus&gt;</div>
                        <div>&nbsp;&nbsp;&nbsp;&nbsp;&lt;inbound/&gt;</div>
                        <div>&nbsp;&nbsp;&lt;/administrativeStatus&gt;</div>
                        <div>&lt;/activation&gt;</div>
</div>
<div><br>
</div>
<div>Any help would be greatly appreciated. </div>
<div><br>
</div>
<div>Thanks, </div>
<div>-F </div>
</div>
<br>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
</blockquote></div>
</div>
</blockquote>
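    <br>
    The bit test discussed in this thread, as an added example that is not the connector's own code and not part of the original messages: it decodes userAccountControl values as they arrive from LDAP and contrasts the 0x0002 bit test with an equality check against 514. The class name UacDecode, the helper names and the sample values are constructed for illustration; the example goes beyond the thread by naming a few further flags and by treating a missing or unparsable value as unknown.<br>
    <br>

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class UacDecode {
    // Flag values from Microsoft's userAccountControl documentation.
    static final int ACCOUNTDISABLE = 0x0002; // same bit as USER_ACCOUNT_CONTROL_DISABLED
    static final Map<String, Integer> FLAGS = new LinkedHashMap<>();
    static {
        FLAGS.put("ACCOUNTDISABLE", ACCOUNTDISABLE);
        FLAGS.put("LOCKOUT", 0x0010);
        FLAGS.put("PASSWD_NOTREQD", 0x0020);
        FLAGS.put("NORMAL_ACCOUNT", 0x0200);
        FLAGS.put("DONT_EXPIRE_PASSWORD", 0x10000);
        FLAGS.put("PASSWORD_EXPIRED", 0x800000);
    }

    /** LDAP returns the attribute as a decimal string; null means "not returned". */
    static Integer parse(String raw) {
        if (raw == null || raw.trim().isEmpty()) return null;
        try {
            return Integer.valueOf(raw.trim());
        } catch (NumberFormatException e) {
            return null; // unparsable: treat as unknown, never as enabled
        }
    }

    /** TRUE = disabled, FALSE = enabled, null = status unknown. */
    static Boolean isDisabled(String raw) {
        Integer uac = parse(raw);
        return uac == null ? null : (uac & ACCOUNTDISABLE) != 0;
    }

    /** Names of the known flags that are set in the value. */
    static List<String> decode(int uac) {
        List<String> names = new ArrayList<>();
        for (Map.Entry<String, Integer> f : FLAGS.entrySet())
            if ((uac & f.getValue()) != 0) names.add(f.getKey());
        return names;
    }

    public static void main(String[] args) {
        // Constructed sample values, as they would arrive from LDAP.
        for (String raw : new String[] {"512", "514", "546", "66050", " 514 ", null}) {
            Integer uac = parse(raw);
            System.out.printf("%-8s disabled=%-5s equals514=%-5s %s%n", raw, isDisabled(raw),
                    uac != null && uac == 514, uac == null ? "[]" : decode(uac));
        }
    }
}
```

    Values such as 546 and 66050 carry the disabled bit together with other flags, so only the bit test reports them as disabled; logging the raw value next to the decoded flags is one way to see what the connector actually received for an account.<br>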
</body></html>