Dieken opened a new pull request #45:
URL: https://github.com/apache/directory-server/pull/45
It's a pity LDAP doesn't have a standard attribute to represent disabling
a user account. Red Hat's Keycloak supports an AD mapper to read and write
attribute `userAccountControl`, and an AD LDS mapper to read and write
attribute `msDS-UserAccountDisabled`; both mappers support attribute
`pwdLastSet` too.
With this patch, these three attributes basically work like AD and AD LDS:

* AD: if `(userAccountControl & 2L) != 0`, then the user account is disabled for binding.
* AD LDS: if `msDS-UserAccountDisabled` is `TRUE`, then the user account is disabled for binding.
* Both AD and AD LDS:
  * new user added: if `pwdLastSet != 0`, it's automatically set to current time.
  * user password modified: if new `pwdLastSet != 0`, it's automatically set to current time.
  * `pwdLastSet` changed: if new `pwdLastSet != 0`, it's automatically set to current time.
  * `pwdLastSet` deleted: `pwdLastSet` is automatically set to current time.
References:

* https://docs.microsoft.com/en-us/windows/win32/adschema/a-useraccountcontrol
* https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-useraccountdisabled
* https://docs.microsoft.com/en-us/windows/win32/adschema/a-pwdlastset