On 01/11/13 02:38, me at electronico.nc wrote:
> Hi all,
>
> Samba 4.1 as AD/DC
> local postfix & dovecot hooked to AD via ldap queries (special user
> created in AD for that purpose).
>
> Everything works as expected, but :
>
> I'd like inactive users in AD not to be able to read/send emails
> (understandable I think).
> User status seems (sorry I'm AD newbie) to be controlled by the
> 'userAccountControl' field in AD.
>
> Created 2 test users in AD : test1 test2
> user test1 has been disabled from WRAT:
>> ldapsearch -LLL -H ldap://localhost:389 -b
>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1'
>> '(&(objectcategory=person)(cn=*)(userAccountControl=66048))' mail
>> userAccountControl
> ->
>> mail: test2 at domain.lan
>> userAccountControl: 66048
> test2 account is indeed set to 'disabled' and it returns the 66048 value
> (for a never-expire password)
>
Problem is that 66048 = Enabled, password never expires
>> ldapsearch -LLL -H ldap://localhost:389 -b
>> 'ou=users,dc=domain,dc=lan' -D 'DOMAIN\ldap' -w 'My_secret_1'
>> '(&(objectcategory=person)(cn=*)(userAccountControl=66050))' mail
>> userAccountControl
> ->
>> mail: test1 at domain.lan
>> userAccountControl: 66050
> test1 account is indeed set to 'enabled' and it returns the 66050 value
> (for a never-expire password)
>
Another problem, 66050 = Disabled, password never expires
> I'd like to set up the LDAP filter in Dovecot to exclude (at least)
> the 66048 value.
> Original filter (query by ldapsearch too) is :
> (&(objectClass=person)(cn=%n)(mail=*))
>
> Tried many syntaxes (via ldapsearch) but I've been unable to apply a
> negative condition like:
> (&(objectClass=person)(cn=%n)(mail=*)(!userAccountControl=66050))
> or
> (&(objectClass=person)(cn=%n)(mail=*)(userAccountControl!=66050))
> It always returns :
> ldap_search_ext: Bad search filter (-7)
>
> I've 'googled' and I don't understand why the negative (!) filter is
> not understood by ldapsearch against AD.
>
> Thanks in advance for your time & lights.
> Nicolas
Try this: (!(userAccountControl:1.2.840.113556.1.4.803:=2)) instead of
this: (userAccountControl!=66050). This will not find any disabled
users, and that includes 514.
Rowland
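Added example, not code from either poster: it decodes the userAccountControl values seen in this thread into their flag bits, shows why an equality match on 66050 misses other disabled accounts such as 514, and emulates the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803, bit 0x2 = ACCOUNTDISABLE) that Rowland suggests, folded into the original Dovecot filter. The entries are constructed sample data, so it runs offline without an AD server.

```python
# Well-known userAccountControl flag bits (subset relevant to this thread).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND


def decode_uac(value):
    """Names of the flag bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(value):
    """True when the ACCOUNTDISABLE bit is set, whatever the other bits are."""
    return bool(value & ACCOUNTDISABLE)


def dovecot_filter(uac_attr="userAccountControl"):
    """The original Dovecot filter with Rowland's negated bitwise clause appended."""
    return (f"(&(objectClass=person)(cn=%n)(mail=*)"
            f"(!({uac_attr}:{BIT_AND_RULE}:={ACCOUNTDISABLE})))")


# Constructed sample entries (not real directory data).
ENTRIES = [
    {"mail": "test1@domain.lan", "userAccountControl": 66050},  # disabled, pw never expires
    {"mail": "test2@domain.lan", "userAccountControl": 66048},  # enabled, pw never expires
    {"mail": "test3@domain.lan", "userAccountControl": 514},    # disabled, normal account
    {"mail": "test4@domain.lan", "userAccountControl": 512},    # enabled, normal account
]


def match_equality(entries, value):
    """What (userAccountControl=<value>) returns: only that exact flag combination."""
    return sorted(e["mail"] for e in entries if e["userAccountControl"] == value)


def match_not_disabled(entries):
    """What (!(userAccountControl:1.2.840.113556.1.4.803:=2)) returns:
    every entry whose ACCOUNTDISABLE bit is clear, regardless of other bits."""
    return sorted(e["mail"] for e in entries
                  if not is_disabled(e["userAccountControl"]))


if __name__ == "__main__":
    for e in ENTRIES:
        print(e["mail"], e["userAccountControl"], decode_uac(e["userAccountControl"]))
    print("equality 66050 ->", match_equality(ENTRIES, 66050))
    print("bitwise not-disabled ->", match_not_disabled(ENTRIES))
    print(dovecot_filter())
```

Excluding a single value such as 66050 would still let a plain disabled account (514) through, which is why the bit test is the right check for "is this account disabled".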