====== Extended synchronization rules for Active Directory ======
LSC has some built-in functions to interact with specific attributes of an Active Directory.
===== UserAccountControl (account type and status) =====
This attribute is a bit field that controls the type and status of an account in AD. You can access it in the normal way in LSC (//dstBean.getAttributeValueById('userAccountControl')//).
The following methods simplify changing the value of this attribute.
==== userAccountControlSet ====
You can set specific bits with the method //[[http://lsc-project.org/javadoc/1.2-SNAPSHOT/org/lsc/utils/directory/AD.html#userAccountControlSet(int, java.lang.String[])|AD.userAccountControlSet]]//.
This method takes 2 parameters:
  - the value (integer) of the userAccountControl attribute
  - an array of constants that tell LSC which specific bits to set (or unset)
For example:
<code>
lsc.syncoptions.user.userAccountControl.default_value = \
    AD.userAccountControlSet(\
        dstBean.getAttributeValueById('userAccountControl'), \
        [AD.UAC_UNSET_ACCOUNTDISABLE])
</code>
You can find a list of all the constants in the org.interldap.lsc.utils.directory.AD class. The constants are prefixed by UAC_SET_ and UAC_UNSET_.
**Warning**: when creating an entry in AD you can set the userAccountControl field, but the flag //UAC_PASSWD_NOTREQD// is mandatory if no password is submitted. So you can have a //create_value// like this:
<code>
lsc.syncoptions.user.userAccountControl.create_value = \
    AD.userAccountControlSet( "0", [ AD.UAC_SET_PASSWD_NOTREQD, \
        AD.UAC_SET_NORMAL_ACCOUNT ])
</code>
==== userAccountControlCheck ====
You can check if a specific bit is set with the method //[[http://lsc-project.org/javadoc/1.2-SNAPSHOT/org/lsc/utils/directory/AD.html#userAccountControlCheck(int, java.lang.String)|AD.userAccountControlCheck]]//.
This method takes 2 parameters:
  - the value (integer) of the userAccountControl attribute
  - a constant naming the bit whose state (set or not) LSC should check
For example:
<code>
AD.userAccountControlCheck(dstBean.getAttributeValueById('userAccountControl'), \
    AD.UAC_ACCOUNTDISABLE)
</code>
You can find a list of all the constants in the org.interldap.lsc.utils.directory.AD class. The constants are prefixed by UAC_ (without SET or UNSET after).
==== userAccountControlToggle ====
You can toggle a specific bit with the method //[[http://lsc-project.org/javadoc/1.2-SNAPSHOT/org/lsc/utils/directory/AD.html#userAccountControlToggle(int, java.lang.String)|AD.userAccountControlToggle]]//.
This method takes 2 parameters:
  - the value (integer) of the userAccountControl attribute
  - a constant that tells LSC which bit to toggle
For example:
<code>
AD.userAccountControlToggle(dstBean.getAttributeValueById('userAccountControl'), \
    AD.UAC_ACCOUNTDISABLE)
</code>
You can find a list of all the constants in the org.interldap.lsc.utils.directory.AD class. The constants are prefixed by UAC_ (without SET or UNSET after).
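As an added example (not LSC's own code), here are the three operations above written out in plain JavaScript, using the Microsoft-documented bit values of the flags this page mentions; the directive strings mirror the UAC_SET_/UAC_UNSET_ constant names, and describeUac is this example's own helper for reading a raw value during an audit.

```javascript
// Added example, not LSC's code: the bit operations behind
// AD.userAccountControlSet / Check / Toggle, on a value read as a String.

// Microsoft-documented bit values for the flags used on this page.
const UAC = {
  ACCOUNTDISABLE: 0x0002,
  PASSWD_NOTREQD: 0x0020,       // account may have an empty password
  NORMAL_ACCOUNT: 0x0200,
  DONT_EXPIRE_PASSWORD: 0x10000,
};

// Apply "SET_<flag>" / "UNSET_<flag>" directives (mirroring the
// UAC_SET_* / UAC_UNSET_* constants) and return the new value as a String.
function userAccountControlSet(value, directives) {
  let uac = parseInt(value, 10) || 0;
  for (const d of directives) {
    const m = /^(SET|UNSET)_(.+)$/.exec(d);
    if (!m || !(m[2] in UAC)) throw new Error(`unknown directive ${d}`);
    uac = m[1] === 'SET' ? (uac | UAC[m[2]]) : (uac & ~UAC[m[2]]);
  }
  return String(uac);
}

// True when the named bit is set in the value.
function userAccountControlCheck(value, flag) {
  return (parseInt(value, 10) & UAC[flag]) !== 0;
}

// Flip the named bit and return the new value as a String.
function userAccountControlToggle(value, flag) {
  return String(parseInt(value, 10) ^ UAC[flag]);
}

// List the known flags set in a raw value, e.g. to spot accounts on which
// PASSWD_NOTREQD was left set after creation (the create_value above
// needs it, but it should not survive once a password exists).
function describeUac(value) {
  const uac = parseInt(value, 10);
  return Object.keys(UAC).filter((k) => (uac & UAC[k]) !== 0);
}
```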
===== Managing passwords =====
LSC can create and change passwords for users. The following method simplifies setting the password attribute.
==== getUnicodePwd ====
The [[http://lsc-project.org/javadoc/1.2-SNAPSHOT/org/lsc/utils/directory/AD.html#getUnicodePwd(java.lang.String)|getUnicodePwd]] method encodes a string to fit the syntax of the unicodePwd attribute in AD, used to set the password.
For example, you can give created users a default password (here "changeit") by setting:
<code>
lsc.syncoptions.user.unicodePwd.action = K
lsc.syncoptions.user.unicodePwd.create_value = AD.getUnicodePwd("changeit")
</code>
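As an added example (not LSC's own code), this is what the encoding involves: AD accepts unicodePwd only as the password enclosed in literal double quotes and encoded as UTF-16LE, and an LDIF file carries that binary value base64-encoded. The function names are this example's own and the Buffer API is Node.js.

```javascript
// Added example, not LSC's code: building and checking a unicodePwd value.

// Raw attribute bytes as sent over LDAP: "<password>" in UTF-16LE,
// quotes included (AD rejects the value without them).
function getUnicodePwdBytes(password) {
  return Buffer.from(`"${password}"`, 'utf16le');
}

// The same value as an LDIF line: binary attributes use "::" and base64.
function getUnicodePwdLdif(password) {
  return 'unicodePwd:: ' + getUnicodePwdBytes(password).toString('base64');
}

// Round-trip check for the encoder: decode UTF-16LE and strip the
// mandatory surrounding quotes, failing loudly if they are missing.
function decodeUnicodePwd(bytes) {
  const quoted = Buffer.from(bytes).toString('utf16le');
  if (quoted.length < 2 || !quoted.startsWith('"') || !quoted.endsWith('"')) {
    throw new Error('unicodePwd value is not wrapped in double quotes');
  }
  return quoted.slice(1, -1);
}
```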
==== Warnings and various pitfalls ====
Active Directory is, er, a little peculiar in its handling of password changes. Check out some [[..:..:howtos:activedirectory|Active Directory synchronization hints]] to avoid being bitten by its weird behaviour, like we have been :-)
===== Last logon =====
Active Directory stores the date and time of the last logon to a server, in different attributes:
  * **lastLogonTimestamp**: this attribute is replicated across all domain controllers in a domain, as of Windows Server 2003.
  * **lastLogon**: this attribute is not replicated; it is local to each domain controller.
The format of these attributes is identical: each holds the timestamp of the user's last logon, with variable precision. By default, this timestamp is only guaranteed to be updated every **2 weeks**, but this is configurable.
Beware when reading this value: a value that is less than 2 weeks old may simply reflect this imprecision rather than an actual logon.
==== getNumberOfWeeksSinceLastLogon ====
The [[http://lsc-project.org/javadoc/1.2-SNAPSHOT/org/lsc/utils/directory/AD.html#getNumberOfWeeksSinceLastLogon(java.lang.String)|getNumberOfWeeksSinceLastLogon]] method takes the String value read from **lastLogonTimestamp** or **lastLogon**, and returns the number of weeks since the date recorded.
This can be useful to detect unused accounts. For example:
<code>
# Delete any accounts that haven't been used for 3 months or more
lsc.tasks.MyTask.condition.delete = \
    AD.getNumberOfWeeksSinceLastLogon(srcBean.getAttributeValueById("lastLogon")) > 12
</code>
===== Account expiry date =====
To set the Active Directory formatted value for an account expiry attribute, you can use the //[[http://lsc-project.org/javadoc/1.2-SNAPSHOT/org/lsc/utils/directory/AD.html#getAccountExpires(java.lang.String)|AD.getAccountExpires]]// method.
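As an added example (not LSC's own code) serving both this section and the last-logon section above: lastLogon, lastLogonTimestamp and accountExpires all hold a Windows FILETIME, i.e. 100-nanosecond ticks since 1601-01-01 00:00 UTC stored as a decimal string. The functions below are this example's own implementations modelled on getNumberOfWeeksSinceLastLogon and getAccountExpires, with an injectable clock so the result can be checked.

```javascript
// Added example, not LSC's code: FILETIME conversions for the AD
// attributes lastLogon / lastLogonTimestamp / accountExpires.

const EPOCH_DIFF_MS = 11644473600000n; // ms from 1601-01-01 to 1970-01-01
const TICKS_PER_MS = 10000n;           // 100 ns ticks per millisecond
const WEEK_MS = 7 * 24 * 3600 * 1000;
const NEVER_EXPIRES = '9223372036854775807'; // 0x7FFFFFFFFFFFFFFF in AD

// Decimal FILETIME string -> JavaScript Date (sub-millisecond ticks dropped).
function fileTimeToDate(value) {
  return new Date(Number(BigInt(value) / TICKS_PER_MS - EPOCH_DIFF_MS));
}

// JavaScript Date -> decimal FILETIME string.
function dateToFileTime(date) {
  return String((BigInt(date.getTime()) + EPOCH_DIFF_MS) * TICKS_PER_MS);
}

// Whole weeks since the recorded logon. An absent or zero attribute means
// the account never logged on, which counts as "infinitely old". Remember
// that lastLogonTimestamp is only refreshed every 14 days by default, so a
// threshold below 2 weeks is meaningless (the page's example uses 12).
function getNumberOfWeeksSinceLastLogon(value, now = new Date()) {
  if (!value || value === '0') return Infinity;
  return Math.floor((now - fileTimeToDate(value)) / WEEK_MS);
}

// Value for accountExpires: a date, or the AD "never expires" marker.
function getAccountExpires(date) {
  return date === null ? NEVER_EXPIRES : dateToFileTime(date);
}
```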