2014-05-02 8:32 GMT+02:00 Plumel Louis-Marie <[email protected]>:

>  Hi,
>
> I think that the answer is here:
> You need to provide a password for the account, else account is
> automatically disabled.
>
>  LDAPS is required on AD to update the password.
>
> Regards,
> LMP
>
>
>  On 01/05/14 23:15, Deividas haspo wrote:
>
>    Hi,
>  I'm trying to create openldap2ad synchronization. Everything works fine,
> but there is one simple thing and I can't figure out what's wrong.
>  I need that after sync all accounts would be normal (not disabled),
> password never expires, user can't change password and uncheck field in AD
> "User must change password at next login".
>
>  I've tried many things, but nothing. Now I got this:
>
>                 <dataset>
>                     <name>userAccountControl</name>
>                     <policy>KEEP</policy>
>                     <forceValues>
>                         <string>AD.userAccountControlSet( "0",
> [AD.UAC_SET_NORMAL_ACCOUNT, AD.UAC_SET_DONT_EXPIRE_PASSWORD]);
>                         AD.userAccountControlSet( "1",
> AD.UAC_SET_PASSWD_CANT_CHANGE])
>                         </string>
>                     </forceValues>
>                 </dataset>
>
>  P.S. I tried to set all to "0".
>
>

Hi,

Yes, LDAPS and a valid password are mandatory to be able to set up a normal
account on AD.

Here is the JS code I use to lock/unlock an account in AD by parsing the
ppolicy lock status in OpenLDAP:

       <dataset>
         <name>userAccountControl</name>
         <policy>FORCE</policy>
         <forceValues>
           <string>
           <![CDATA[rdjs:
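             // ppolicy lock time from OpenLDAP; a non-empty value is treated as "locked" below
             var lock = srcBean.getDatasetFirstValueById("pwdAccountLockedTime");

             // Start from the existing AD value if there is one, otherwise from "0"
             var dstUac = "0";
             try { dstUac = dstBean.getDatasetFirstValueById("userAccountControl"); } catch(e) { }

             // Default: normal, enabled account
             var uac = AD.userAccountControlSet( dstUac, [AD.UAC_SET_NORMAL_ACCOUNT, AD.UAC_UNSET_ACCOUNTDISABLE]);

             // Locked in OpenLDAP: disable the account in AD
             if ( lock.length() ) {
               uac = AD.userAccountControlSet( dstUac, [AD.UAC_SET_NORMAL_ACCOUNT, AD.UAC_SET_ACCOUNTDISABLE]);
             }

             // Last expression is the value written to userAccountControl
             uac;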
           ]]>
           </string>
         </forceValues>
      </dataset>



Clément.
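
The bit arithmetic behind the lock/unlock rule above, as an added example in plain JavaScript (Node.js). It is not part of the original message and does not use LSC's `AD` helper; the function names and sample values are assumptions made for illustration, and the flag values are the ones Microsoft documents for `userAccountControl`.

```javascript
// Added example (Node.js), independent of LSC's AD helper object.
// Bit values as documented by Microsoft for userAccountControl.
const UAC = {
  ACCOUNTDISABLE: 0x00000002,
  PASSWD_NOTREQD: 0x00000020,
  PASSWD_CANT_CHANGE: 0x00000040, // listed for decoding only
  NORMAL_ACCOUNT: 0x00000200,
  DONT_EXPIRE_PASSWORD: 0x00010000,
};

// Names of the flags present in a userAccountControl value (string or number).
function decodeUac(value) {
  const n = Number(value) || 0;
  return Object.keys(UAC).filter((name) => (n & UAC[name]) !== 0);
}

// New value after setting and clearing flags; all other bits are preserved.
function applyUac(current, set, unset) {
  let n = Number(current) || 0;
  for (const name of set) n |= UAC[name];
  for (const name of unset) n &= ~UAC[name];
  return n >>> 0;
}

// Hypothetical helper: same rule as the dataset above, a non-empty
// pwdAccountLockedTime in OpenLDAP means "disabled" in AD.
function targetUac(currentUac, pwdAccountLockedTime, neverExpire = false) {
  const set = ["NORMAL_ACCOUNT"];
  const unset = [];
  if (neverExpire) set.push("DONT_EXPIRE_PASSWORD");
  const locked = String(pwdAccountLockedTime || "").length > 0;
  (locked ? set : unset).push("ACCOUNTDISABLE");
  return applyUac(currentUac, set, unset);
}

// Constructed sample values, not taken from a real directory.
function demo() {
  for (const [uac, lock] of [["514", ""], ["512", "20140501211500Z"], ["0", ""]]) {
    const next = targetUac(uac, lock, true);
    console.log(uac, "->", next, decodeUac(next).join("|"));
  }
}
demo();
```

`PASSWD_CANT_CHANGE` is decoded but never written here: Microsoft documents that it cannot be assigned by modifying `userAccountControl`, because it is a permission on the user object. The "User must change password at next logon" box is driven by the `pwdLastSet` attribute (0 means checked), not by a `userAccountControl` bit.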










>
>  Thanks.
>
>
> _______________________________________________________________
> Ldap Synchronization Connector (LSC) - http://lsc-project.org
>
> lsc-users mailing list
> [email protected]
> http://lists.lsc-project.org/listinfo/lsc-users
>