I configured an AD LDS instance on Windows Server 2008 R2. I created users and one admin user "tadmin", which was added to the Administrators members. I also made sure to set the msDS-UserAccountDisabled property to FALSE.
I have a problem with userAccountControl property in a ldap_search.
When it is used as filter, I get no entries:
=============
ldap_search_s(ld, "CN=wl,DC=at,DC=com", 1, "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", attrList, 0, &msg)
Getting 0 entries:
=============
Without the userAccountControl filter, it works:
=============
ldap_search_s(ld, "CN=wl,DC=at,DC=com", 1, "(&(cn=tadmin)(objectclass=user))", attrList, 0, &msg)
Getting 1 entries:
Dn: CN=tadmin,CN=wl,DC=at,DC=com
=============
Here http://msdn.microsoft.com/en-us/library/windows/desktop/aa772124(v=vs.85).aspx it says that the userAccountControl attribute is not supported on AD LDS and it lists the flags that control its value. As you can see, !(userAccountControl:1.2.840.113556.1.4.803:=2) means "non disabled accounts" and as I said my msDS-UserAccountDisabled property is set to FALSE.
Here are the other "msDS" attributes I have for my user:
mS-DS-ConsistencyChildCount: <not set>
mS-DS-ConsistencyGuid: <not set>
msDS-LastKnownRDN: <not set>
msDS-UserAccountDisabled: FALSE
msDS-UserDontExpirePassword: TRUE
ms-DS-UserEncryptedTextPasswordAllowed: <not set>
ms-DS-UserPasswordNotRequired: <not set>
My question is: what am I doing wrong? What values do I need for the above flags to get an entry in the first ldap_search? I toyed around with different values for the flags but I had no luck. My problem is that the filter that uses !(userAccountControl:1.2.840.113556.1.4.803:=2) is sent by an external application on which I have no control and I need to get it working properly.
Thanks.
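An added example, not part of the original post: a small C model of how the posted filter evaluates under the three-valued filter logic of RFC 4511, including the bitwise-AND matching rule 1.2.840.113556.1.4.803. The `attr_state` cases and the sample flag values are constructed, and whether the AD LDS instance in the post treats userAccountControl as an unrecognized attribute is an assumption the page does not confirm.

```c
#include <stdio.h>

/* RFC 4511 section 4.5.1.7: filter results are TRUE, FALSE or Undefined. */
typedef enum { F_FALSE, F_TRUE, F_UNDEFINED } fres;

/* How the server sees the attribute for one entry (constructed model). */
typedef enum { ATTR_UNRECOGNIZED, ATTR_ABSENT, ATTR_PRESENT } attr_state;

#define UF_ACCOUNTDISABLE 0x2u /* the ":=2" in the posted filter */

/* attr:1.2.840.113556.1.4.803:=mask is TRUE only when every bit of mask
   is set in the stored value. */
static fres bit_and_match(attr_state st, unsigned value, unsigned mask) {
    if (st == ATTR_UNRECOGNIZED) return F_UNDEFINED; /* server cannot decide */
    if (st == ATTR_ABSENT) return F_FALSE;           /* no value to match */
    return ((value & mask) == mask) ? F_TRUE : F_FALSE;
}

static fres f_not(fres a) {
    if (a == F_UNDEFINED) return F_UNDEFINED; /* NOT Undefined stays Undefined */
    return a == F_TRUE ? F_FALSE : F_TRUE;
}

static fres f_and(fres a, fres b) {
    if (a == F_FALSE || b == F_FALSE) return F_FALSE;
    if (a == F_TRUE && b == F_TRUE) return F_TRUE;
    return F_UNDEFINED;
}

/* (&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:...803:=2)))
   for an entry whose cn/objectclass part already matched.
   An entry is returned only when the whole filter is TRUE. */
int entry_returned(attr_state st, unsigned uac) {
    fres name_part = F_TRUE;
    fres not_disabled = f_not(bit_and_match(st, uac, UF_ACCOUNTDISABLE));
    return f_and(name_part, not_disabled) == F_TRUE;
}

int main(void) {
    /* Constructed sample values: 0x200 normal account, 0x202 normal + disabled. */
    printf("present, 0x200: %d\n", entry_returned(ATTR_PRESENT, 0x200u));
    printf("present, 0x202: %d\n", entry_returned(ATTR_PRESENT, 0x202u));
    printf("absent:         %d\n", entry_returned(ATTR_ABSENT, 0u));
    printf("unrecognized:   %d\n", entry_returned(ATTR_UNRECOGNIZED, 0u));
    return 0;
}
```

Only the unrecognized case drops an entry whose account is not disabled, which is why negating the clause cannot turn Undefined into a match.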