[ltb-dev] [LDAP Tool Box - Bug #346] Disabled accounts

noreply at lsc-project.org noreply at lsc-project.org
Mon Nov 28 16:02:35 CET 2011

Issue #346 has been updated by Terry McMahon.


It turns out the method that I used to filter disabled accounts was, well, rubbish. That method only excluded accounts that were disabled BUT with no other attribute set. This means that an account that has "Password not required" and was also disabled could still be reset.

The correct search filter is 

$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

Which is a bit ugly and not really readable, but it does work correctly by doing a bitwise compare. It's all explained here http://support.microsoft.com/kb/26918 but, to be honest, that page isn't very readable either.
Bug #346: Disabled accounts

Author: Terry McMahon
Status: Closed
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-0.7

If an account is disabled it can still have its password reset and it gives no warning to a user that the account still will not work.  This can be changed so that the user is given the same error as when an account is not found by changing the LDAP filter in config.inc.php to that shown below.

$ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl=514)))";
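As an added example (not code from this bug thread or from the Self Service Password project), the following Python models the semantics of the two filters against constructed sample entries, to show why the equality form misses a disabled account that also has PASSWD_NOTREQD set while the bitwise matching-rule form catches it. The flag constants are the documented Active Directory userAccountControl bits; the sample entries and escape_filter_value (RFC 4515 escaping applied to the login substituted into the filter, a standard precaution rather than anything the thread describes) are the example's own assumptions.

```python
# Added example: a constructed model of the two filters' semantics, not code from
# the LTB Self Service Password project. Flag values are the documented
# Active Directory userAccountControl bits.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200

# Matching rule OID for LDAP_MATCHING_RULE_BIT_AND, as used in the corrected filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample entries; "carol" is the case the equality filter misses.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": ["user"],
     "userAccountControl": NORMAL_ACCOUNT},                                    # 512, enabled
    {"sAMAccountName": "bob", "objectClass": ["user"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},                   # 514, disabled
    {"sAMAccountName": "carol", "objectClass": ["user"],
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD},  # 546, disabled
    {"sAMAccountName": "dave", "objectClass": ["user"],
     "userAccountControl": NORMAL_ACCOUNT | PASSWD_NOTREQD},                   # 544, enabled
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter (assumed helper)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def equality_filter(login):
    """The original config.inc.php filter: excludes only the exact value 514."""
    return ("(&(objectClass=user)(sAMAccountName=%s)(!(userAccountControl=514)))"
            % escape_filter_value(login))


def bitwise_filter(login):
    """The corrected filter: excludes every entry with the ACCOUNTDISABLE bit set."""
    return ("(&(objectClass=user)(sAMAccountName=%s)(!(userAccountControl:%s:=%d)))"
            % (escape_filter_value(login), LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE))


def bit_and_match(attribute_value, assertion_value):
    """Semantics of LDAP_MATCHING_RULE_BIT_AND: every asserted bit must be set."""
    return (attribute_value & assertion_value) == assertion_value


def is_disabled_by_equality(entry):
    """Mirrors (userAccountControl=514): only that single value counts as disabled."""
    return entry["userAccountControl"] == 514


def is_disabled_by_bit_and(entry):
    """Mirrors (userAccountControl:1.2.840.113556.1.4.803:=2)."""
    return bit_and_match(entry["userAccountControl"], ACCOUNTDISABLE)


def accounts_allowed_to_reset(entries, disabled_test):
    """Logins the reset filter would still accept under a given notion of 'disabled'."""
    return [e["sAMAccountName"] for e in entries
            if "user" in e["objectClass"] and not disabled_test(e)]


if __name__ == "__main__":
    print("equality filter still accepts:",
          accounts_allowed_to_reset(SAMPLE_ENTRIES, is_disabled_by_equality))
    print("bitwise filter still accepts: ",
          accounts_allowed_to_reset(SAMPLE_ENTRIES, is_disabled_by_bit_and))
    print(bitwise_filter("bob"))
```

Run stand-alone, the equality model still accepts carol (userAccountControl 546, disabled plus "Password not required"), while the bitwise model rejects both bob and carol and accepts only alice and dave. Any other combination of flags on a disabled account (smart-card required, password never expires, and so on) fails the equality test in the same way, which is why a single-bit test via the matching rule is the right check.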
