[OPENIDM-11664] use sAMAccountType filters Created: 08/Sep/18  Updated: 07/Feb/20  Resolved: 06/Feb/20

Status: Closed
Project: OpenIDM
Component/s: _Samples, UI
Affects Version/s: OpenIDM 6.0.0
Fix Version/s: 7.0.0

Type: Improvement Priority: Minor
Reporter: Mark Offutt [X] (Inactive) Assignee: Chris Drake
Resolution: Won't Fix Votes: 0
Labels: CLARK, Customer
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
is related to OPENIDM-14307 AD LDAP: Deleted AD group provisioned... Closed
Target Version/s:
Verified Version/s:
Story Points: 1
Sprint: 2020.01 - IDM
Support Ticket IDs:

 Description   

When you use the Admin UI to create a provisioner file that uses the LDAP Connector against AD, The Admin UI creates the connector with the accountSearchFilter set to only find enabled accounts. The filter also uses objectClass type filters.

 

Instead it should be checking against sAMAccountType.

 

accountSearchFilter and accountSynchronizationFilter should be (sAMAccountType=805306368)

groupSearchFilter and groupSynchronizationFilter should be (sAMAccountType=268435456)

 

This is for two reasons.

 

1. Most people are using the LDAP Connector against AD to provison, deprovison, and re-enable AD accounts. So, only seeing active accounts does not work for the majority of users.

 

2. Using the sAMAccountType filters are more efficient in AD. Otherwise, a compound ldap filter is required which is less efficient. This is because computers in AD also have the objectClass user.

 

The following Microsoft website's Note 1 mentions that it is better to use the sAMAccountType filter to find users.

 

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx?Sort=MostRecent&PageIndex=1

 

Please have the defaults generated by the Admin UI generate the sAMAccountType ldap filters.



 Comments   
Comment by Rachel Louden [ 10/Sep/18 ]

FWIW, the group Domain Users has the group sAMAccountType mentioned above.

Comment by Tal Herman [ 26/Jul/19 ]

Dev will review this item again

Comment by Rachel Louden [ 26/Jul/19 ]

This Jira request is for the AD provisioner.openicf-adldap.json template file that the Admin UI uses to build a default connector against AD.

Regarding the account filter, the following two ldap filters return the same set of accounts.

(&(Unable to render embedded object: File (1.2.840.113556.1.4.803:=2))() not found.(objectClass=Computer)))
(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountType=805306368))

The sAMAccountType filter one is cleaner.

Comment by Tal Herman [ 26/Jul/19 ]

Thank you for the clarification Rachel. We will review this again

Comment by Chris Drake [ 06/Feb/20 ]

Marking as Won't Fix and rolled back the changes to the Search Filters as they prevent LiveSync from being able to detect AD account/group deletion.

See OPENIDM-14307.

Generated at Sun Jun 07 05:56:22 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.