LSC has some built-in functions to interact with specific attributes of an Active Directory.
The userAccountControl attribute is a set of bits used to manage a user in AD. You can access it in the normal way in LSC (dstBean.getAttributeValueById('userAccountControl')).
Here are some methods to simplify changing values of this attribute.
You can set specific bits with the method AD.userAccountControlSet. This method takes 2 parameters:
For example:
lsc.syncoptions.user.userAccountControl.default_value = \
    AD.userAccountControlSet( \
        dstBean.getAttributeValueById('userAccountControl'), \
        [AD.UAC_UNSET_ACCOUNTDISABLE])
You can find a list of all the constants in the org.interldap.lsc.utils.directory.AD class. The constants are prefixed by UAC_SET and UAC_UNSET.
Warning: when creating an entry in AD, you can set the userAccountControl field, but the UAC_PASSWD_NOTREQD flag is mandatory if no password is submitted. So you can have a create_value like this:
lsc.syncoptions.user.userAccountControl.create_value = \
    AD.userAccountControlSet( "0", [ AD.UAC_SET_PASSWD_NOTREQD, \
        AD.UAC_SET_NORMAL_ACCOUNT ])
You can check if a specific bit is set with the method AD.userAccountControlCheck. This method takes 2 parameters:
For example:
AD.userAccountControlCheck(dstBean.getAttributeValueById('userAccountControl'), \
    AD.UAC_ACCOUNTDISABLE)
You can find a list of all the constants in the org.interldap.lsc.utils.directory.AD class. The constants are prefixed by UAC_ (without SET or UNSET after).
You can toggle a specific bit with the method AD.userAccountControlToggle. This method takes 2 parameters:
For example:
AD.userAccountControlToggle(dstBean.getAttributeValueById('userAccountControl'), \
    AD.UAC_ACCOUNTDISABLE)
You can find a list of all the constants in the org.interldap.lsc.utils.directory.AD class. The constants are prefixed by UAC_ (without SET or UNSET after).
LSC enables creating and changing passwords for users. Here are some methods to simplify changing values of this attribute.
The getUnicodePwd method encodes a string to fit the syntax of the unicodePwd attribute in AD, used to set the password.
So you can create a default password (e.g. “changeit”) for created users by setting:
lsc.syncoptions.user.unicodePwd.action = K
lsc.syncoptions.user.unicodePwd.create_value = AD.getUnicodePwd("changeit")
Active Directory is, er, a little peculiar in its handling of password changes. Check out some Active Directory synchronization hints to avoid being bitten by its weird behaviour, like we have been.
Active Directory stores the date and time of the last logon to a server, in different attributes:
The format of these attributes is identical. Each contains the timestamp of a user's last logon, with a variable precision. By default, this timestamp is only guaranteed to be updated every 2 weeks, but this is configurable.
Beware when reading this value: any value that's less than 2 weeks old may just be due to the server imprecision.
The getNumberOfWeeksSinceLastLogon method takes the String value read from lastLogonTimestamp or lastLogon, and returns the number of weeks since the date recorded.
This can be useful to detect unused accounts. For example:
# Delete any accounts that haven't been used for 3 months or more
lsc.tasks.MyTask.condition.delete = \
    AD.getNumberOfWeeksSinceLastLogon(srcBean.getAttributeValueById("lastLogon")) > 12
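The stale-account condition above depends on how the lastLogon / lastLogonTimestamp string is decoded and on the 2-week imprecision noted earlier. As an added example (not LSC's own implementation of getNumberOfWeeksSinceLastLogon), this JavaScript decodes the AD timestamp and adds the imprecision as a margin before calling an account stale. The function names, the `classify` policy and the sample values are assumptions made for illustration.

```javascript
// Added example (not LSC code). AD stores lastLogon / lastLogonTimestamp as a
// decimal string: 100-nanosecond ticks since 1601-01-01 UTC.
const EPOCH_DIFF_MS = 11644473600000n; // 1601-01-01 to 1970-01-01, in ms
const MS_PER_WEEK = 7 * 24 * 60 * 60 * 1000;

// Returns a Date, or null when the value is absent, malformed or "0"
// (an account that has never logged on).
function filetimeToDate(raw) {
  const text = raw == null ? "" : String(raw).trim();
  if (!/^\d+$/.test(text)) return null;
  const ticks = BigInt(text);
  if (ticks === 0n) return null;
  return new Date(Number(ticks / 10000n - EPOCH_DIFF_MS));
}

// Whole weeks between the recorded logon and `now`, or null if never recorded.
function weeksSinceLastLogon(raw, now) {
  const when = filetimeToDate(raw);
  return when === null ? null : Math.floor((now - when) / MS_PER_WEEK);
}

// Hypothetical policy helper. marginWeeks models the update imprecision:
// the recorded value may lag the real last logon by up to that long, so an
// account is only called "stale" once it is past threshold + margin.
function classify(raw, now, staleWeeks = 12, marginWeeks = 2) {
  const weeks = weeksSinceLastLogon(raw, now);
  if (weeks === null) return "never-logged-on"; // handled separately, not as stale
  if (weeks > staleWeeks + marginWeeks) return "stale";
  if (weeks > staleWeeks) return "review"; // past threshold, inside the margin
  return "active";
}

// Constructed sample entries (not real accounts).
const now = new Date("2024-05-01T00:00:00Z");
const samples = {
  alice: "133485408000000000", // 2024-01-01T00:00:00Z
  bob: "133564032000000000",   // 2024-04-01T00:00:00Z
  carol: "0",                  // never logged on
  dave: undefined,             // attribute absent
};
for (const [name, value] of Object.entries(samples)) {
  console.log(name, weeksSinceLastLogon(value, now), classify(value, now));
}
```

Treating a missing or zero value as its own category keeps never-used accounts out of the delete condition until they are reviewed on other criteria.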
To set the Active Directory formatted value for an account expiry attribute, you can use the AD.getAccountExpires methods.