Hi, I have just added two utility methods to the AD package:
- userAccountControlCheck: it allows you to check if a specific bit is checked (or not)
- userAccountControlToggle: it allows you to toggle a specific bit

You can see the full doc here: http://lsc-project.org/wiki/documentation/howtos

Cheers,
Rcs

2008/11/19 Clément OUDOT <coudot at linagora.com>

>
> Clément OUDOT wrote:
> >>> Clément OUDOT wrote:
> >>>>> It is only for AD as a destination directory.
> >>>>>
> >>>>> But it will not be hard to code some function to access specific
> >>>>> attributes of UserAccountControl in a source directory.
> >>>>
> >>>> Ok, I now really need some examples ;) Long life to LSC tutorials!
> >>> The userAccountControl attribute in Active Directory controls various
> >>> options for user accounts (objectclass=user). The most useful are
> >>> probably:
> >>> - "account disabled" (AD_VALUE_ACCOUNTDISABLE)
> >>> - "password never expires" (AD_VALUE_DONT_EXPIRE_PASSWORD)
> >>> - "password is expired" (AD_VALUE_PASSWORD_EXPIRED)
> >>>
> >>> This attribute is actually a field of bits, where each of the above
> >>> values is one bit. So, to modify one of these elements, you need to add
> >>> or subtract the bit value from the current value of userAccountControl,
> >>> thus Rémy's example, slightly reworked:
> >>>
> >>> lsc.syncoptions.<taskname>.userAccountControl.default_value =
> >>> AD.set(dstBean.getAttributeById("userAccountControl"),
> >>> [AD.AD_VALUE_ACCOUNTDISABLE, AD.AD_VALUE_PASSWORD_EXPIRED])
> >>>
> >>> On an existing account in AD (as a destination) this will disable the
> >>> account and mark the password as expired, stopping the user from
> >>> logging in or ever using his password again.
> >>>
> >>> For reading from AD as a source directory, it should be easy to add a
> >>> function to interpret an existing userAccountControl value. Something
> >>> like this, maybe:
> >>> isUserAccountControlValueSet(currentValue, AD.AD_VALUE_ACCOUNTDISABLE)
> >>> that returns a boolean. Then we could use this as a condition for
> >>> synchronization, or otherwise.
> >>
> >>
> >> Ok, I work a little with userAccountControl, so you confirm what I've
> >> learned. One important thing is you can only set this parameter inside a
> >> SSL connection. And setting SSL in AD is not evident...
> >
> > Rémy-Christophe and I tested this morning, and you can update
> > userAccountControl over a normal (non encrypted) connection.
>
> Have you tested values to enable a previously disabled account? My test
> showed that you can only set disabled accounts over a non-SSL connection.
>
> Clément.

--
"In a world without walls and fences, who needs windows and gates ?"
--
Tosca : A 2.0 bugtracker : http://www.tosca-project.net
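
Added example (not part of the original thread, and not the LSC AD package's own code): checking, setting and toggling userAccountControl bits with bitwise operators on constructed sample values, including the case where arithmetic addition on an already-disabled account clears the disable bit. The helper names (parseUac, uacCheck, uacSet, uacToggle, uacDescribe) are hypothetical; the bit values are the documented Active Directory flags.

```javascript
// Added example: helper names are hypothetical, not the LSC AD package API.
// Bit values are the documented Active Directory userAccountControl flags.
const UAC = {
  ACCOUNTDISABLE: 0x0002,
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
  PASSWORD_EXPIRED: 0x800000,
};

// LDAP returns attribute values as strings. Reject anything that is not a
// plain decimal integer fitting in 32 bits instead of silently coercing it.
function parseUac(raw) {
  const text = String(raw).trim();
  if (!/^\d+$/.test(text) || Number(text) > 0xffffffff) {
    throw new TypeError("invalid userAccountControl value: " + raw);
  }
  return Number(text);
}

// True only if every bit of `flag` is set in the current value.
function uacCheck(raw, flag) {
  return ((parseUac(raw) & flag) >>> 0) === flag;
}

// OR is idempotent: setting a bit that is already set changes nothing.
function uacSet(raw, flags) {
  return flags.reduce((value, flag) => value | flag, parseUac(raw)) >>> 0;
}

// XOR flips exactly the requested bit and leaves the others alone.
function uacToggle(raw, flag) {
  return (parseUac(raw) ^ flag) >>> 0;
}

// Names of the known flags present in a value, e.g. for a sync audit log.
function uacDescribe(raw) {
  const value = parseUac(raw);
  return Object.keys(UAC).filter((name) => (value & UAC[name]) !== 0);
}

// Constructed sample: "514" = NORMAL_ACCOUNT | ACCOUNTDISABLE (disabled user).
const disabled = "514";
const viaOr = uacSet(disabled, [UAC.ACCOUNTDISABLE]);
const viaAdd = parseUac(disabled) + UAC.ACCOUNTDISABLE;
console.log(viaOr, uacDescribe(viaOr));   // account is still disabled
console.log(viaAdd, uacDescribe(viaAdd)); // the carry cleared ACCOUNTDISABLE
```
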

