Clément OUDOT wrote:
>> Clément OUDOT wrote:
>>>> It is only for AD as a destination directory.
>>>>
>>>> But it will not be hard to code some function to access specific
>>>> attributes of UserAccountControl in a source directory.
>>>
>>>  Ok, I now really need some examples ;) Long life to LSC tutorials!
>> The userAccountControl attribute in Active Directory controls various
>> options for user accounts (objectclass=user). The most useful are
>> probably:
>> - "account disabled" (AD_VALUE_ACCOUNTDISABLE)
>> - "password never expires" (AD_VALUE_DONT_EXPIRE_PASSWORD)
>> - "password is expired" (AD_VALUE_PASSWORD_EXPIRED)
>>
>> This attribute is actually a field of bits, where each of the above
>> values is one bit. So, to modify one of these elements, you need to add
>> or subtract the bit value from the current value of userAccountControl,
>> thus Rémy's example, slightly reworked:
>>
>> lsc.syncoptions.<taskname>.userAccountControl.default_value =
>> AD.set(dstBean.getAttributeById("userAccountControl"),
>> [AD.AD_VALUE_ACCOUNTDISABLE, AD.AD_VALUE_PASSWORD_EXPIRED])
>>
>> On an existing account in AD (as a destination) this will disable the
>> account and mark the password as expired, stopping the user from logging
>> in or ever using his password again.
>>
>> For reading from AD as a source directory, it should be easy to add a
>> function to interpret an existing userAccountControl value. Something
>> like this, maybe:
>> isUserAccountControlValueSet(currentValue, AD.AD_VALUE_ACCOUNTDISABLE)
>> that returns a boolean. Then we could use this as a condition for
>> synchronization, or otherwise.
> 
> 
> Ok, I work a little with userAccountControl, so you confirm what I've
> learned. One important thing is you can only set this parameter inside a
> SSL connection. And setting SSL in AD is not evident...

Rémy-Christophe and I tested this morning, and you can update
userAccountControl over a normal (non-encrypted) connection.

Jon
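
The bit-field handling discussed in this thread, as an added example that is not part of the original messages and not LSC's own code. It uses bitwise OR / AND-NOT instead of adding or subtracting, because those stay correct when the flag is already in the requested state. Apart from isUserAccountControlValueSet (the name proposed above), the function names are hypothetical; the flag values are the documented Active Directory userAccountControl constants, and the sample values are constructed.

```javascript
// Added example: userAccountControl bit handling (helper names are hypothetical).
const UAC = Object.freeze({
  ACCOUNTDISABLE: 0x00000002,
  NORMAL_ACCOUNT: 0x00000200,
  DONT_EXPIRE_PASSWORD: 0x00010000,
  PASSWORD_EXPIRED: 0x00800000,
});

// LDAP hands the attribute back as a decimal string such as "512".
function parseUac(raw) {
  const s = String(raw).trim();
  if (!/^\d+$/.test(s)) throw new TypeError("not a userAccountControl value: " + raw);
  const n = Number(s);
  if (n > 0xffffffff) throw new RangeError("value exceeds 32 bits: " + raw);
  return n;
}

// Turn flags on; a flag that is already set is left alone.
function uacSet(raw, flags) {
  let v = parseUac(raw);
  for (const f of flags) v = (v | f) >>> 0;
  return v;
}

// Turn flags off; a flag that is already clear is left alone.
function uacUnset(raw, flags) {
  let v = parseUac(raw);
  for (const f of flags) v = (v & ~f) >>> 0;
  return v;
}

// Read side: usable as a synchronization condition on a source directory.
function isUserAccountControlValueSet(raw, flag) {
  return (parseUac(raw) & flag) !== 0;
}

// Constructed sample: "512" is an enabled NORMAL_ACCOUNT.
const disabled = uacSet("512", [UAC.ACCOUNTDISABLE, UAC.PASSWORD_EXPIRED]);
console.log(disabled, isUserAccountControlValueSet(disabled, UAC.ACCOUNTDISABLE));
// Running the same sync twice changes nothing with bitwise OR...
console.log(uacSet(disabled, [UAC.ACCOUNTDISABLE]) === disabled);
// ...whereas arithmetic addition on the already-disabled account carries
// into the next bit and clears ACCOUNTDISABLE, re-enabling the account.
const added = disabled + UAC.ACCOUNTDISABLE;
console.log(added, isUserAccountControlValueSet(added, UAC.ACCOUNTDISABLE));
```
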
