I have a working LdapConnection object that I can use to bind and search with, but I am quite new to the UnboundID LDAP SDK and was wondering if there is a way for me to find information about a user's account from an LDAP search:

I currently use LdapConnection to search for usernames like this:

SearchResult searchResult = ldapConnection.search(configuration.sBase, scope, filter)

Is there a way I can use this connection to find expired/disabled accounts?

So it looks like expired users are found with this:

(&(objectCategory=Person)(objectClass=User)(!accountExpires=0)(!accountExpires=9223372036854775807)) 

Can I make a filter with this string to search LDAP and return all users with the LdapConnection object from UnboundID LDAP?

Thanks

Jack_Frost
  • It depends on the user schema. What LDAP server and user schema are you using? – user207421 Nov 02 '20 at 23:02
  • Sorry, I'm still new to LDAP. Users should be able to connect from different LDAP servers, but we are using Active Directory, if that is what you are asking. And what do you mean by user schema? How can I find that information? – Jack_Frost Nov 02 '20 at 23:05
  • I mean the object class of the LDAP object that represents a user. If you're using AD that answers the question. You need to look up what attribute and what value AD uses to indicate an expired user. This is in the AD documentation. Then you just need to query for that attribute and value. – user207421 Nov 02 '20 at 23:08
  • Adding an edit in the original question with some code - thanks. Also, when you say attribute and value, in this case would this be the documentation for it? https://ldapwiki.com/wiki/AccountExpires I see the value is either 0 or a very large number, and the attribute is AccountExpires? – Jack_Frost Nov 03 '20 at 03:31
  • No. There must be another attribute that states the account *has* expired, been locked, etc. Keep looking. – user207421 Nov 03 '20 at 08:31
  • Let's say I did know what the attribute was, how can I query with unbound ldap to figure out if a certain user account has fit this attribute? – Jack_Frost Nov 06 '20 at 03:22

1 Answer

In Active Directory you can use the attribute UserStatus; it's a boolean: if true the account is enabled, otherwise it's disabled. You can also set the AccountExpires attribute while creating new users; by default it's 0, so the account never expires. You can change that if you want temporary accounts.

Hamza Tahiri
  • How can I search Active Directory with UnboundID LDAP to see what value a certain user has for UserStatus? – Jack_Frost Nov 06 '20 at 03:22
  • It would be something like this: ldapConnection.search(configuration.sBase, scope, filter, "+") or ldapConnection.search(configuration.sBase, scope, filter, "cn", "userstatus") – Hamza Tahiri Nov 06 '20 at 10:25
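As an added example (my own code, not from the question, the answer, or the UnboundID project), here is how both searches look with the UnboundID LDAP SDK against Active Directory, reusing an already-bound connection and base DN as the question does. Two caveats about the question's filter are built in: RFC 4515 requires the NOT operand to be parenthesised, i.e. `(!(accountExpires=0))`, and excluding only 0 and 9223372036854775807 returns every account that has *some* expiry set rather than accounts that have already expired, so the example also bounds accountExpires (a Windows FILETIME, 100 ns ticks since 1601-01-01 UTC) by the current time; for disabled accounts it tests the ACCOUNTDISABLE bit (0x2) of userAccountControl with AD's bitwise-AND matching rule.

```java
import com.unboundid.ldap.sdk.Filter;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;

public class AccountStatusSearch {
    // accountExpires is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
    // Both 0 and Long.MAX_VALUE mean "never expires".
    private static final long SECONDS_1601_TO_1970 = 11644473600L;
    private static final long NEVER_EXPIRES = 9223372036854775807L;
    // userAccountControl bit for a disabled account, and AD's bitwise-AND matching rule OID.
    private static final int UF_ACCOUNTDISABLE = 0x2;
    private static final String BIT_AND_RULE = "1.2.840.113556.1.4.803";

    public static long nowAsFileTime() {
        return (System.currentTimeMillis() / 1000L + SECONDS_1601_TO_1970) * 10_000_000L;
    }

    /** Users whose expiry is set and already in the past (the question's filter plus a time bound). */
    public static Filter expiredUsersFilter(long nowFileTime) {
        return Filter.createANDFilter(
            Filter.createEqualityFilter("objectCategory", "Person"),
            Filter.createEqualityFilter("objectClass", "user"),
            // the question's two exclusions, with the NOT operand parenthesised as RFC 4515 requires
            Filter.createNOTFilter(Filter.createEqualityFilter("accountExpires", "0")),
            Filter.createNOTFilter(Filter.createEqualityFilter("accountExpires", String.valueOf(NEVER_EXPIRES))),
            // and the bound the question's filter lacks: expiry not later than now
            Filter.createLessOrEqualFilter("accountExpires", String.valueOf(nowFileTime)));
    }

    /** Users with the ACCOUNTDISABLE bit set in userAccountControl. */
    public static Filter disabledUsersFilter() throws LDAPException {
        return Filter.create("(&(objectCategory=Person)(objectClass=user)(userAccountControl:"
            + BIT_AND_RULE + ":=" + UF_ACCOUNTDISABLE + "))");
    }

    /** Runs one of the filters on an existing, already-bound connection (as in the question). */
    public static void printMatches(LDAPConnection conn, String baseDN, Filter filter) throws LDAPException {
        SearchResult result = conn.search(baseDN, SearchScope.SUB, filter,
            "sAMAccountName", "accountExpires", "userAccountControl");
        for (SearchResultEntry e : result.getSearchEntries()) {
            System.out.println(e.getAttributeValue("sAMAccountName")
                + " accountExpires=" + e.getAttributeValue("accountExpires")
                + " userAccountControl=" + e.getAttributeValue("userAccountControl"));
        }
    }
}
```

Call `printMatches(ldapConnection, configuration.sBase, expiredUsersFilter(nowAsFileTime()))` or `printMatches(ldapConnection, configuration.sBase, disabledUsersFilter())` from the code in the question; the attribute list passed to `search` limits the returned attributes the same way the answer's comment describes.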