I'm using the NT Synchronization Service and plugin with
Netscape Directory Server 4.1.  Because of various problems
that are probably not germane, I'm only synching from the
directory to the PDC, NOT the other way round.

I'm trying to figure out how I can make use of the
ntUserFlags attribute to make changes on the PDC.  Is anyone
doing this, or does anyone know the details of what kind of
values that attribute requires?

I've searched high and low for information on what this
attribute is supposed to contain, and all I can find is this
from the "iPlanet Meta-Directory Configuration and
Administration Guide" (this is as-is from the manual,
including grammatical and apparent numerical mistakes):

,----
| Provides flags for several purposes.  The values are in
| decimal and is read-only.  Possible values are:
| 
| * 0x0002: Account disabled
| 
| * 0x0010: Account currently locked
| 
| * 0x0020: Password not required
| 
| * 0x0040: User cannot change password
| 
| * 0x10000: Password should never expire
| 
| The following values are not changeable by the connector:
| 
| * 0x0100: Account to access this domain, but not any other
|   domain it trusts
| 
| * 0x0200: Default account type for the user
| 
| * 0x0800: 'Permit to trust' account for a domain that trusts
|   other domains
| 
| * 0x1000: Computer account for an NT workstation or server
|   that is a member of this domain
| 
| * 0x2000: Computer account for the BDC that is a member of
|   this domain
`----

Now, that all makes a certain amount of sense to me.  The
value is in decimal and made up of those flags, which are
represented in the documentation in hexadecimal.

So, if I want to set "User cannot change password" (0x0040)
and "Account disabled" (0x0002) flags, I'd add those two
flags to come up with 0x0042, convert that to decimal, which
is 66, and set that:

,----
| dn: uid=test,ou=people,o=org
| changetype: modify
| replace: ntUserFlags
| ntUserFlags: 66
`----

... only that doesn't work.  The change does get accepted in
the Directory, however when looking at the user on the PDC,
the flags in question are not set.

Now, to make matters more confusing, I do have some users
who exist from the olden days when we actually tried
synching both ways between the Directory and the PDC.  So, I
have some users who have ntUserFlags set with some value
from the PDC -> Directory sync.  However, this value doesn't
make any sense to me in terms of the above documentation.

Firstly, the existing ntUserFlags values are base64 encoded
in the directory, which implies that they are non-ASCII
data, which they indeed are.  Of all the values in the
directory, there are 5 distinct values and they are (after
base64 decoding):

    ^A^B^@^@
    ^A^B^A^@
    A^B^@^@
    A^B^A^@
    C^B^@^@

Note that all of the characters preceded up there by ^ are
actually control characters in real life.  They seem to boil
down to 5 characters: null, A, C, control A, control B.

Now, this seems like progress to me because those seem to be
four byte values, and the documentation separates the flags
out into four bytes.

But, I can't for the life of me figure out how to interpret
what's there nor how to make meaningful changes.

Does anyone have any experience with this?  If not, maybe
you're better at math than me: can you figure out what the
existing values represent?

Thanks in advance for any insight into this.

-- 
Chris Brierley <[EMAIL PROTECTED]>
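
Added example (not part of the original message and not iPlanet or Netscape code): one way to read the five stored values, assuming each is a single little-endian 32-bit flag word built from the bits in the quoted manual table. The function names are hypothetical, and the sample bytes are the message's values with the control characters written out.

```python
import base64
import struct

# Bit names copied from the manual excerpt quoted in the message.
FLAGS = {
    0x0002: "Account disabled",
    0x0010: "Account currently locked",
    0x0020: "Password not required",
    0x0040: "User cannot change password",
    0x0100: "Account for this domain only",
    0x0200: "Default account type for the user",
    0x0800: "'Permit to trust' account",
    0x1000: "Computer account (workstation or server)",
    0x2000: "Computer account (BDC)",
    0x10000: "Password should never expire",
}
KNOWN_MASK = sum(FLAGS)  # bits are distinct, so the sum equals the bitwise OR

# The five decoded values from the message, control characters written as bytes.
SAMPLES = [b"\x01\x02\x00\x00", b"\x01\x02\x01\x00",
           b"A\x02\x00\x00", b"A\x02\x01\x00", b"C\x02\x00\x00"]


def decode_flags(raw):
    """Assumption: the 4 bytes are one little-endian 32-bit flag word."""
    if len(raw) != 4:
        raise ValueError("expected 4 bytes, got %d" % len(raw))
    (value,) = struct.unpack("<I", raw)
    names = [FLAGS[bit] for bit in sorted(FLAGS) if value & bit]
    return value, names, value & ~KNOWN_MASK  # last item: bits not in the table


def encode_flags(value):
    """Inverse of decode_flags: base64 text of the little-endian word."""
    return base64.b64encode(struct.pack("<I", value)).decode("ascii")


if __name__ == "__main__":
    for raw in SAMPLES:
        value, names, unlisted = decode_flags(raw)
        print("%-20r 0x%05x  %s  unlisted=0x%x  b64=%s"
              % (raw, value, " + ".join(names), unlisted, encode_flags(value)))
```

Under this reading every sample has bit 0x0001 set, which the quoted table does not list; in the Windows header lmaccess.h that bit is UF_SCRIPT. Whether the synchronization service accepts the same binary encoding on a Directory -> PDC write is not established by the message.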
