LEYON - All Things HCL Digital Solutions (the product family formerly known as Lotus)

Hello, Anonymous

 

Syncing only active MS Active Directory users into IBM Connections

Martin Leyrer  February 26 2019 19:54:08

tags ic6  connections  ldap  ic  performance  ad  filter  active directory 

 Usually, the filter for syncing LDAP users into IBM Connections using the Tivoli Directory Integrator (TDI) looks something like this: 

(&(uid=*)(objectclass=inetOrgPerson))

If you are using Microsofts Active Directory (AD), this also syncs users that are "disabled" in AD, which is usually not what you want.
Fortunately, there is a Microsoft Knowledgebase entry called "How to query Active Directory by using a bitwise filter" that sheds some light on this:
An example is when you want to query Active Directory for user class objects that are disabled. The attribute that holds this information is the userAccountControl attribute. This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLED bit set would resemble this: 
(UserAccountControl:1.2.840.113556.1.4.803:=2)

So all we habe to do is to incorporate this attribute into our filter statement (of course negated), to only sync "active" users: 
    (& 
        (uid=*) 
        (objectclass=inetOrgPerson) 
        (! 
            (UserAccountControl:1.2.840.113556.1.4.803:=2) 
        ) 
    )

Comments [0]

No Comments Found

Discussion for this entry is now closed.

This is the Blog of Martin Leyrer, currently employed as an Senior Lab Services Consultant at HCL Digital Solutions.

The postings on this site are my own and do not represent the positions, strategies or opinions of any former, current or future employer of mine.