
[Samba] negative ldap filter on AD


m...@electronico.nc

Oct 31, 2013, 10:40:01 PM
Hi all,

Samba 4.1 as AD/DC
local postfix & dovecot hooked to AD via ldap queries (special user
created in AD for that purpose).

Everything works as expected, but :

I'd like inactive users in AD not to be able to read/send emails
(understandable I think).
User status seems (sorry I'm AD newbie) to be controlled by the
'userAccountControl' field in AD.

Created 2 test users in AD: test1, test2
user test1 has been disabled from WRAT:
> ldapsearch -LLL -H ldap://localhost:389 -b 'ou=users,dc=domain,dc=lan'
> -D 'DOMAIN\ldap' -w 'My_secret_1'
> '(&(objectcategory=person)(cn=*)(userAccountControl=66048))' mail
> userAccountControl
->
> mail: te...@domain.lan
> userAccountControl: 66048
test2 account is well set to 'disabled' and it returns the 66048 value (for
a never-expire password)

> ldapsearch -LLL -H ldap://localhost:389 -b 'ou=users,dc=domain,dc=lan'
> -D 'DOMAIN\ldap' -w 'My_secret_1'
> '(&(objectcategory=person)(cn=*)(userAccountControl=66050))' mail
> userAccountControl
->
> mail: te...@domain.lan
> userAccountControl: 66050
test1 account is well set to 'enabled' and it returns the 66050 value (for a
never-expire password)

I'd like to setup the LDAP filter in Dovecot to exclude (at least) 66048
value.
Original filter (query by ldapsearch too) is :
(&(objectClass=person)(cn=%n)(mail=*))

Tried many syntaxes (via ldapsearch) but I've been unable to apply a
negative condition like:
(&(objectClass=person)(cn=%n)(mail=*)(!userAccountControl=66050))
or
(&(objectClass=person)(cn=%n)(mail=*)(userAccountControl!=66050))
It always returns :
ldap_search_ext: Bad search filter (-7)

I've 'googled' and I don't understand why the negative (!) filter is not
understood by ldapsearch against AD.

Thanks in advance for your time & lights.
Nicolas
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny

Nov 1, 2013, 5:30:02 AM
On 01/11/13 02:38, m...@electronico.nc wrote:
> Hi all,
>
> Samba 4.1 as AD/DC
> local postfix & dovecot hooked to AD via ldap queries (special user
> created in AD for that purpose).
>
> Everything works as expected, but :
>
> I'd like inactive users in AD not to be able to read/send emails
> (understandable I think).
> User status seems (sorry I'm AD newbie) to be controlled by the
> 'userAccountControl' field in AD.
>
> Created 2 test users in AD : test1 test2
> user test1 has been disabled from WRAT:
>> ldapsearch -LLL -H ldap://localhost:389 -b
>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1'
>> '(&(objectcategory=person)(cn=*)(userAccountControl=66048))' mail
>> userAccountControl
> ->
>> mail: te...@domain.lan
>> userAccountControl: 66048
> test2 account is well set to 'disabled' and it returns 66048 value
> (for a never-expire password)
>

Problem is that 66048 = Enabled, password never expires

>> ldapsearch -LLL -H ldap://localhost:389 -b
>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1'
>> '(&(objectcategory=person)(cn=*)(userAccountControl=66050))' mail
>> userAccountControl
> ->
>> mail: te...@domain.lan
>> userAccountControl: 66050
> test1 account is well set to 'enabled' and it returns 66050 value (for
> a never-expire password)
>

Another problem, 66050 = Disabled, password never expires
> I'd like to setup the LDAP filter in Dovecot to exclude (at least)
> 66048 value.
> Original filter (query by ldapsearch too) is :
> (&(objectClass=person)(cn=%n)(mail=*))
>
> Tried many syntax (via ldapsearch) but I've been unable to apply a
> negative condition like:
> (&(objectClass=person)(cn=%n)(mail=*)(!userAccountControl=66050))
> or
> (&(objectClass=person)(cn=%n)(mail=*)(userAccountControl!=66050))
> It always returns :
> ldap_search_ext: Bad search filter (-7)
>
> I've 'googled' and I don't understand why the negative (!) filter is
> not understood by ldapsearch against AD.
>
> Thanks in advance for your time & lights.
> Nicolas
Try this: (!(userAccountControl:1.2.840.113556.1.4.803:=2)) instead of
this: (userAccountControl!=66050), this will not find any disabled
users, that includes 514.

Rowland
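To see why the bit-AND matching rule (OID 1.2.840.113556.1.4.803) excludes every disabled account while an equality test on one number does not, here is a small added Python evaluator, not code from the thread or from Samba; the entries, names and flag values are constructed, and the filter subset it parses is only what the thread uses.

```python
# Added example (not from the thread): evaluate the AD bit-AND matching rule
# locally against constructed userAccountControl values.
import re

# Well-known userAccountControl flag bits from the AD schema.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample entries: the two values seen in the thread plus
# a plain enabled (512) and plain disabled (514) account.
ENTRIES = {
    "test1": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,                   # 66048, enabled
    "test2": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE,  # 66050, disabled
    "test3": NORMAL_ACCOUNT,                                        # 512, enabled
    "test4": NORMAL_ACCOUNT | ACCOUNTDISABLE,                       # 514, disabled
}

# The corrected Dovecot-style filter (cn=%n is Dovecot's username variable).
DOVECOT_FILTER = (
    "(&(objectClass=person)(cn=%n)(mail=*)"
    f"(!(userAccountControl:{BIT_AND_RULE}:=2)))"
)


def matches(filt: str, uac: int) -> bool:
    """Evaluate the RFC 4515 subset used in the thread:
    (userAccountControl=N), (userAccountControl:OID:=N) and (!(...)).
    Anything else (e.g. '!=' or '(!attr=...)') is rejected, which is the
    local counterpart of ldapsearch's 'Bad search filter (-7)'."""
    m = re.fullmatch(r"\(!(\(.*\))\)", filt)
    if m:
        return not matches(m.group(1), uac)
    m = re.fullmatch(r"\(userAccountControl(?::([\d.]+):)?=(\d+)\)", filt)
    if not m:
        raise ValueError(f"bad search filter: {filt}")
    rule, value = m.group(1), int(m.group(2))
    if rule is None:
        return uac == value              # plain equality on the whole integer
    if rule == BIT_AND_RULE:
        return (uac & value) == value    # all requested bits must be set
    raise ValueError(f"unknown matching rule {rule}")


def select(filt: str) -> list[str]:
    """Return the names of constructed entries that the filter matches."""
    return sorted(n for n, uac in ENTRIES.items() if matches(filt, uac))
```

Negating a single value leaves test4 (514, disabled) selected; the bit-AND rule drops every entry with the ACCOUNTDISABLE bit set, whatever the other bits are.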

m...@electronico.nc

Nov 1, 2013, 4:50:02 PM
Thanks Rowland !
(Sorry for the mixup between 66050 and 66048)
It works OK !
Nicolas

Dewayne Geraghty

Nov 18, 2013, 6:40:02 PM
+1 Useful and esoteric.
Further explanation can be found at:
Bit-wise filter: http://support.microsoft.com/?id=269181
Account properties: http://support.microsoft.com/kb/305144
Dewayne.