Search for “Enabled” users in net-ldap for Ruby

前端 未结 3 920
后悔当初
后悔当初 2021-01-06 08:21

I am using the net-ldap gem to search active directory.
I can search for users by using filter:

filter = Net::LDAP::Filter.eq(\"sAMAccountName\", \"neil*         


        
相关标签:
3条回答
  • 2021-01-06 08:55

    Daro's answer about using !(userAccountControl:1.2.840.113556.1.4.803:=2) is completely correct, but I could not make it work with ruby net/ldap using the Net::LDAP::Filter.join method.

    I did however manage to implement it with Net::LDAP::Filter.construct, eg

    filter = Net::LDAP::Filter.construct("(&(objectClass=User)(memberOf=CN=mygroup,OU=Groups,DC=myplace)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

    0 讨论(0)
  • 2021-01-06 09:06

    There is a better way to solve your problem.

    1. By default, all machine account names end with a $, e.g. svn$@DOMAIN.COM.
    2. You have the wonderful atttribute sAMAccountType. It will tell you what type of account that is. Use the AD-builtin binary flag syntax.
    3. Enabled accounts? I have already answered this here.
    0 讨论(0)
  • 2021-01-06 09:07

    You can use the ruleOID LDAP_MATCHING_RULE_BIT_AND rule to check UserAccountControl.

    I use this filter to find users that are enabled:

    (&(objectCategory=organizationalPerson)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    

    userAccountControl:1.2.840.113556.1.4.803 will have Bit 2 set if the account is disabled.

    The value of ruleOID can be one of the following:

    •1.2.840.113556.1.4.803 - This is the LDAP_MATCHING_RULE_BIT_AND rule. The matching rule is true only if all bits from the property match the value. This rule is like the bitwise AND operator.

    •1.2.840.113556.1.4.804 - This is the LDAP_MATCHING_RULE_BIT_OR rule. The matching rule is true if any bits from the property match the value. This rule is like the bitwise OR operator.

    An example is when you want to query Active Directory for user class objects that are disabled. The attribute that holds this information is the userAccountControl attribute. This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLED bit set would resemble this: (UserAccountControl:1.2.840.113556.1.4.803:=2)

    0 讨论(0)
提交回复
热议问题