[OPENIDM-11664] use sAMAccountType filters Created: 08/Sep/18  Updated: 09/Aug/19

Status: Reopened
Project: OpenIDM
Component/s: _Samples, UI
Affects Version/s: OpenIDM 6.0.0
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Mark Offutt Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: CLARK, Customer
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Target Version/s:
Support Ticket IDs:

Description

When you use the Admin UI to create a provisioner file that uses the LDAP Connector against AD, the Admin UI creates the connector with the accountSearchFilter set to find only enabled accounts. The filter also uses objectClass-type filters.

Instead it should be checking against sAMAccountType.

accountSearchFilter and accountSynchronizationFilter should be (sAMAccountType=805306368)

groupSearchFilter and groupSynchronizationFilter should be (sAMAccountType=268435456)

This is for two reasons.

1. Most people are using the LDAP Connector against AD to provision, deprovision, and re-enable AD accounts. So, only seeing active accounts does not work for the majority of users.

2. Using the sAMAccountType filters is more efficient in AD. Otherwise, a compound LDAP filter is required, which is less efficient. This is because computers in AD also have the objectClass user.

The following Microsoft website's Note 1 mentions that it is better to use the sAMAccountType filter to find users.

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx?Sort=MostRecent&PageIndex=1

Please have the defaults generated by the Admin UI use the sAMAccountType LDAP filters.
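To make the difference between the two filter styles concrete, the following is an added example written for this ticket; it is not OpenIDM or LDAP Connector code, and it is Python rather than the connector's Java. It implements a small evaluator for the filter subset the ticket uses (AND, OR, NOT, equality, and the 1.2.840.113556.1.4.803 bitwise-AND matching rule) and runs it over four constructed directory entries: an enabled user, a disabled user, a computer account, and the Domain Users group. The entries, their DNs, and their userAccountControl values are assumptions made up for the example; the sAMAccountType constants are Microsoft's documented values (805306368 for users and 268435456 for groups, as in the ticket, plus 805306369 for machine accounts, which the ticket does not mention).

```python
"""Evaluate AD-style LDAP search filters against constructed directory entries.

Added example, not OpenIDM project code. It shows why (objectClass=user) alone
over-matches (computers carry objectClass user too), why (sAMAccountType=...)
needs no compound filter, and what the enabled-only variant excludes.
"""

# Matching rule OID for LDAP_MATCHING_RULE_BIT_AND (bitwise AND on integer attrs).
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Constructed sample DNs (not real directory data).
ALICE = "CN=Alice,OU=Staff,DC=example,DC=com"          # enabled user
BOB = "CN=Bob,OU=Staff,DC=example,DC=com"              # disabled user
WS01 = "CN=WS01,OU=Workstations,DC=example,DC=com"     # computer account
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=com"

# Attribute names are stored lower-cased; values are lists of strings, as an
# LDAP client would receive them. userAccountControl flags: 512 NORMAL_ACCOUNT,
# 2 ACCOUNTDISABLE, 4096 WORKSTATION_TRUST_ACCOUNT.
ENTRIES = {
    ALICE: {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "samaccounttype": ["805306368"],
        "useraccountcontrol": ["512"],
    },
    BOB: {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "samaccounttype": ["805306368"],
        "useraccountcontrol": ["514"],   # 512 | 2 -> disabled
    },
    WS01: {
        "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
        "samaccounttype": ["805306369"],  # SAM_MACHINE_ACCOUNT
        "useraccountcontrol": ["4096"],
    },
    DOMAIN_USERS: {
        "objectclass": ["top", "group"],
        "samaccounttype": ["268435456"],  # SAM_GROUP_OBJECT
    },
}


def parse_filter(text):
    """Parse an RFC 4515-style filter string into a nested tuple tree."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters in filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":                       # (&...) / (|...) with child filters
        op = s[i]
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, children), i + 1
    if s[i] == "!":                        # (!...) with exactly one child
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return ("!", [child]), i + 1
    end = s.index(")", i)                  # simple item: attr=value or attr:OID:=value
    attr, value = s[i:end].split("=", 1)
    rule = None
    if ":" in attr:
        attr, rule, _ = attr.split(":", 2)
    return ("=", attr.lower(), rule, value), end + 1


def matches(node, entry):
    """Return True if the parsed filter tree matches one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND_RULE:               # true if every bit of the mask is set
        mask = int(value)
        return any(int(v) & mask == mask for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    return any(v.lower() == value.lower() for v in values)   # AD matches case-insensitively


def search(filter_text):
    """Return the DNs of the constructed entries matched by the filter."""
    tree = parse_filter(filter_text)
    return [dn for dn, entry in ENTRIES.items() if matches(tree, entry)]


if __name__ == "__main__":
    for f in ("(objectClass=user)",
              "(sAMAccountType=805306368)",
              "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountType=805306368))",
              "(sAMAccountType=268435456)"):
        print(f, "->", search(f))
```

Running the script shows the point of the ticket: (objectClass=user) returns the workstation as well as both people, the plain sAMAccountType filter returns exactly the two user accounts regardless of their enabled state (what a provisioner that must re-enable accounts needs), and the enabled-only variant from the comments drops the disabled user.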



Comments
Comment by Rachel Louden [ 10/Sep/18 ]

FWIW, the group Domain Users has the group sAMAccountType mentioned above.

Comment by Tal Herman [ 26/Jul/19 ]

Dev will review this item again

Comment by Rachel Louden [ 26/Jul/19 ]

This Jira request is for the AD provisioner.openicf-adldap.json template file that the Admin UI uses to build a default connector against AD.

Regarding the account filter, the following two LDAP filters return the same set of accounts.

(&(Unable to render embedded object: File (1.2.840.113556.1.4.803:=2))() not found.(objectClass=Computer)))
(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountType=805306368))

The sAMAccountType filter is cleaner.

Comment by Tal Herman [ 26/Jul/19 ]

Thank you for the clarification, Rachel. We will review this again.

Generated at Wed Oct 16 00:35:15 BST 2019 using Jira 7.13.8#713008-sha1:1606a5c1e7006e1ab135aac81f7a9566b2dbc3a6.