> Clément OUDOT wrote:
>>> Clément OUDOT wrote:
>>>>> It is only for AD as a destination directory.
>>>>>
>>>>> But it will not be hard to code some function to access specific
>>>>> attributes of UserAccountControl in a source directory.
>>>>
>>>> Ok, I now really need some examples ;) Long life to LSC tutorials!
>>> The userAccountControl attribute in Active Directory controls various
>>> options for user accounts (objectclass=user). The most useful are
>>> probably:
>>> - "account disabled" (AD_VALUE_ACCOUNTDISABLE)
>>> - "password never expires" (AD_VALUE_DONT_EXPIRE_PASSWORD)
>>> - "password is expired" (AD_VALUE_PASSWORD_EXPIRED)
>>>
>>> This attribute is actually a field of bits, where each of the above
>>> values is one bit. So, to modify one of these elements, you need to add
>>> or subtract the bit value from the current value of userAccountControl,
>>> thus Rémy's example, slightly reworked:
>>>
>>> lsc.syncoptions.<taskname>.userAccountControl.default_value =
>>> AD.set(dstBean.getAttributeById("userAccountControl"),
>>> [AD.AD_VALUE_ACCOUNTDISABLE, AD.AD_VALUE_PASSWORD_EXPIRED])
>>>
>>> On an existing account in AD (as a destination) this will disable the
>>> account and mark the password as expired, stopping the user from
>>> logging in or ever using his password again.
>>>
>>> For reading from AD as a source directory, it should be easy to add a
>>> function to interpret an existing userAccountControl value. Something
>>> like this, maybe:
>>> isUserAccountControlValueSet(currentValue, AD.AD_VALUE_ACCOUNTDISABLE)
>>> that returns a boolean. Then we could use this as a condition for
>>> synchronization, or otherwise.
>>
>>
>> Ok, I work a little with userAccountControl, so you confirm what I've
>> learned. One important thing is you can only set this parameter inside an
>> SSL connection. And setting SSL in AD is not evident...
>
> Rémy-Christophe and I tested this morning, and you can update
> userAccountControl over a normal (non encrypted) connection.
Have you tested values to enable a previously disabled account? My test
showed that you can only set disabled accounts over a non-SSL connection.
Clément.
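
Added example, not part of the thread and not LSC's own code: the userAccountControl bit handling discussed above, sketched in JavaScript, including the isUserAccountControlValueSet helper proposed in the quoted message. The UAC table and the parseUac, uacSet, uacUnset and uacDescribe names are assumptions made for illustration; the numeric values are the ones Microsoft documents for these flags, and bitwise OR / AND-NOT is used so that setting a flag that is already set leaves the value unchanged.

```javascript
// Hypothetical constant table; names follow the AD_VALUE_* labels in the thread,
// values are the documented userAccountControl flag bits.
const UAC = Object.freeze({
  AD_VALUE_ACCOUNTDISABLE: 0x00000002,
  AD_VALUE_NORMAL_ACCOUNT: 0x00000200,
  AD_VALUE_DONT_EXPIRE_PASSWORD: 0x00010000,
  AD_VALUE_PASSWORD_EXPIRED: 0x00800000,
});

// LDAP hands attribute values back as strings. Accept only a plain
// non-negative 32-bit decimal integer so a malformed value never gets written back.
function parseUac(raw) {
  const s = String(raw).trim();
  if (!/^\d+$/.test(s)) throw new TypeError("invalid userAccountControl: " + raw);
  const n = Number(s);
  if (n > 0xffffffff) throw new RangeError("userAccountControl out of range: " + raw);
  return n >>> 0;
}

// Turn the given flags on. OR is idempotent, unlike adding the bit value.
function uacSet(raw, flags) {
  return flags.reduce((v, f) => (v | f) >>> 0, parseUac(raw));
}

// Turn the given flags off (e.g. re-enable a disabled account).
function uacUnset(raw, flags) {
  return flags.reduce((v, f) => (v & ~f) >>> 0, parseUac(raw));
}

// The boolean test proposed in the thread for AD as a source directory.
function isUserAccountControlValueSet(raw, flag) {
  return (parseUac(raw) & flag) === flag;
}

// List the names of the known flags present in a value, for logs or audits.
function uacDescribe(raw) {
  const v = parseUac(raw);
  return Object.keys(UAC).filter((name) => (v & UAC[name]) === UAC[name]);
}

// Constructed sample: "512" is a plain enabled account (NORMAL_ACCOUNT only).
const disabled = uacSet("512", [UAC.AD_VALUE_ACCOUNTDISABLE, UAC.AD_VALUE_PASSWORD_EXPIRED]);
console.log(disabled, uacDescribe(disabled));
console.log(uacUnset(disabled, [UAC.AD_VALUE_ACCOUNTDISABLE]));
```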