Clément OUDOT wrote:
> > It is only for AD as a destination directory.
> >
> > But it will not be hard to code some function to access specific
> > attributes of UserAccountControl in a source directory.
>
>
> Ok, I now really need some examples ;) Long life to LSC tutorials!
The userAccountControl attribute in Active Directory controls various
options for user accounts (objectclass=user). The most useful are probably:
- "account disabled" (AD_VALUE_ACCOUNTDISABLE)
- "password never expires" (AD_VALUE_DONT_EXPIRE_PASSWORD)
- "password is expired" (AD_VALUE_PASSWORD_EXPIRED)
This attribute is actually a field of bits, where each of the above
values is one bit. So, to modify one of these elements, you need to add
or subtract the bit value from the current value of userAccountControl,
thus Rémy's example, slightly reworked:

    lsc.syncoptions.<taskname>.userAccountControl.default_value =
    AD.set(dstBean.getAttributeById("userAccountControl"),
    [AD.AD_VALUE_ACCOUNTDISABLE, AD.AD_VALUE_PASSWORD_EXPIRED])

On an existing account in AD (as a destination) this will disable the
account and mark the password as expired, stopping the user from logging
in or ever using his password again.
For reading from AD as a source directory, it should be easy to add a
function to interpret an existing userAccountControl value. Something
like this, maybe:

    isUserAccountControlValueSet(currentValue, AD.AD_VALUE_ACCOUNTDISABLE)

that returns a boolean. Then we could use this as a condition for
synchronization, or otherwise.
Jon
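
Added example, not part of the original message and not LSC's own code: a JavaScript sketch of the bit-field handling discussed above, with a reader like the proposed isUserAccountControlValueSet. The helper names parseUac, setFlags and clearFlags are hypothetical and the sample values are constructed. It uses bitwise OR / AND-NOT so that a flag that is already set (or already clear) leaves the value unchanged.

```javascript
// Constant names follow the e-mail; bit values are the documented
// userAccountControl flags. Helper names are hypothetical.
const AD_VALUE_ACCOUNTDISABLE       = 0x00000002;
const AD_VALUE_NORMAL_ACCOUNT       = 0x00000200;
const AD_VALUE_DONT_EXPIRE_PASSWORD = 0x00010000;
const AD_VALUE_PASSWORD_EXPIRED     = 0x00800000;

// LDAP hands attribute values back as strings: validate before using them.
function parseUac(value) {
  const s = String(value).trim();
  if (!/^\d+$/.test(s) || Number(s) > 0xFFFFFFFF) {
    throw new RangeError("not a valid userAccountControl value: " + value);
  }
  return Number(s);
}

// True only when every bit of `flag` is present in the current value.
function isUserAccountControlValueSet(currentValue, flag) {
  return ((parseUac(currentValue) & flag) >>> 0) === flag;
}

// OR the flags in; setting a flag twice is a no-op.
function setFlags(currentValue, flags) {
  return flags.reduce((v, f) => (v | f) >>> 0, parseUac(currentValue));
}

// AND-NOT the flags out; clearing an absent flag is a no-op.
function clearFlags(currentValue, flags) {
  return flags.reduce((v, f) => (v & ~f) >>> 0, parseUac(currentValue));
}

// Constructed sample: "512" is a plain enabled account (NORMAL_ACCOUNT only).
const enabled = "512";
const disabled = setFlags(enabled,
  [AD_VALUE_ACCOUNTDISABLE, AD_VALUE_PASSWORD_EXPIRED]);

// Why plain arithmetic is unsafe on a value that already has the bit:
// 514 is NORMAL_ACCOUNT + ACCOUNTDISABLE; adding 2 again carries into the
// next bit and the account no longer reads as disabled.
const addedTwice = 514 + AD_VALUE_ACCOUNTDISABLE;

console.log(disabled, isUserAccountControlValueSet(disabled, AD_VALUE_ACCOUNTDISABLE));
console.log(addedTwice, isUserAccountControlValueSet(addedTwice, AD_VALUE_ACCOUNTDISABLE));
```

In a sync condition the reader would be applied to the source entry's userAccountControl string, and a value that fails parseUac should be treated as an error rather than as "not disabled".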