Issue #346 has been updated by Terry McMahon.
Hi,
It turns out the method that I used to filter disabled accounts was, well,
rubbish. That method only excluded accounts that were disabled BUT with no
other attribute set. This means that an account that has "Password not
required" and was also disabled could still be reset.
The correct search filter is
$ldap_filter =
"(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";
Which is a bit ugly and not really readable but it does work correctly by doing
a bitwise compare. It's all explained here
http://support.microsoft.com/kb/26918 but to be honest, that page isn't very
readable either.
----------------------------------------
Bug #346: Disabled accounts
http://tools.lsc-project.org/issues/346
Author: Terry McMahon
Status: Closed
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-0.7
If an account is disabled it can still have its password reset and it gives no
warning to a user that the account still will not work. This can be changed so
that the user is given the same error as when an account is not found by
changing the LDAP filter in config.inc.php to that shown below.
$ldap_filter =
"(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl=514)))";
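The difference between the two filters in this issue, modelled as an added example (not part of the original messages or of Self Service Password's code). The flag values are Active Directory's userAccountControl bits; the account names and their values are constructed for illustration.

```python
# Added example: how each filter from this issue treats userAccountControl (UAC).
# Flag constants are Active Directory's documented bit values.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def passes_equality_filter(uac: int) -> bool:
    """(!(userAccountControl=514)): rejects only the exact value 514."""
    return uac != 514


def passes_bit_and_filter(uac: int, mask: int = ACCOUNTDISABLE) -> bool:
    """(!(userAccountControl:1.2.840.113556.1.4.803:=2)).

    The 1.2.840.113556.1.4.803 matching rule is a bitwise AND: it matches
    when every bit of the mask is set in the attribute. The surrounding
    (!...) inverts that match, so disabled accounts are filtered out.
    """
    return (uac & mask) != mask


# Constructed sample entries: login -> userAccountControl.
SAMPLE_ACCOUNTS = {
    "alice": NORMAL_ACCOUNT,                                          # 512
    "bob": NORMAL_ACCOUNT | ACCOUNTDISABLE,                           # 514
    "carol": NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD,        # 546
    "dave": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD,   # 66050
    "erin": NORMAL_ACCOUNT | PASSWD_NOTREQD,                          # 544
}


def wrongly_resettable(accounts: dict) -> list:
    """Disabled accounts the equality filter lets through but the bitwise one blocks."""
    return sorted(
        login for login, uac in accounts.items()
        if uac & ACCOUNTDISABLE
        and passes_equality_filter(uac)
        and not passes_bit_and_filter(uac)
    )


if __name__ == "__main__":
    for login, uac in SAMPLE_ACCOUNTS.items():
        print(f"{login:6} uac={uac:<6} equality={passes_equality_filter(uac)!s:5} "
              f"bit_and={passes_bit_and_filter(uac)}")
    print("disabled but found by the =514 filter:", wrongly_resettable(SAMPLE_ACCOUNTS))
```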