"Account is Disabled" Attribute

Novell Cool Solutions: Trench

Posted: 24 Mar 2004
 

Simon Gadsby sent this update to a tip we posted last summer.

Part of the information below states:
"If you want more granular control, then you have to query for the current value of userAccountControl and then add or subtract hexadecimal values as needed."

Unfortunately this is not the case. The v2.0a AD driver is hard-coded to only allow modification of the Login Disabled attribute in AD. The documentation for the new version indicates a lot more control is possible over this attribute with the 3.0 driver.

Recently we posted this Q&A, and Kelvin Dam sent another suggestion. Enjoy. And if you have additional ideas for this, please send them our way.

Question: TJ wrote: How can I control the account options in AD (Active Directory) from DirXML? I want to manage the "Account is Disabled" attribute in AD.

Answer: You must map Login Disabled to userAccountControl; simply mapping userAccountControl to a Boolean attribute is not sufficient. In addition, you must send your true/false value in lower case (eDirectory default). Standard AD Boolean attributes should be transformed from eDirectory's lower case to upper case. The good news is it will synchronize the change in either direction. If you want more granular control, then you have to query for the current value of userAccountControl and then add or subtract hexadecimal values as needed.
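
The query-then-modify handling of userAccountControl mentioned in the answer, as an added Python example that is not from the original page or from Novell. It changes only the ACCOUNTDISABLE bit with bitwise operations, so applying the same change twice leaves the other flags intact, which plain addition does not. The flag values are Active Directory's documented userAccountControl constants; the function names and the sample value are constructed for illustration.

```python
# Added example: userAccountControl flag handling (not from the original page).
# Flag values are the documented Active Directory userAccountControl constants.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWD": 0x10000,
}


def parse_uac(raw):
    """LDAP returns userAccountControl as a decimal string, e.g. '514'."""
    value = int(raw)
    if value < 0:
        raise ValueError("userAccountControl cannot be negative")
    return value


def decode(uac):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]


def set_disabled(uac, disabled):
    """Set or clear only the ACCOUNTDISABLE bit; safe to apply repeatedly."""
    bit = UAC_FLAGS["ACCOUNTDISABLE"]
    return uac | bit if disabled else uac & ~bit


def login_disabled(uac):
    """eDirectory-style lower-case Boolean for the Login Disabled attribute."""
    return "true" if uac & UAC_FLAGS["ACCOUNTDISABLE"] else "false"


if __name__ == "__main__":
    # Constructed sample: NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD (0x10200)
    current = parse_uac("66048")
    once = set_disabled(current, True)
    twice = set_disabled(once, True)  # same value as 'once'
    print(hex(once), decode(once), login_disabled(once))
    # Adding 2 twice carries into bit 0x4 and leaves the disable bit clear.
    broken = current + 2 + 2
    print(hex(broken), decode(broken), login_disabled(broken))
    restored = set_disabled(twice, False)
    print(hex(restored), login_disabled(restored))
```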

Suggestions

Kelvin Dam

This answer is partially true, but here's another workaround:

SOLUTION: Map Login Disabled to userAccountControl. The trace then gives some errors because it cannot use the <remove-value> for anything.

Now, use this stylesheet on the subscriber and the "useless" information is removed, and only the vital information is used.

This can also be done using intruder lockout mapped to Account Disabled.

EXAMPLE

 
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
 xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:strip-space elements="*"/>
 <xsl:output indent="yes" method="xml"/>
 <!-- Identity template: copy everything that is not handled below -->
 <xsl:template match="@*|node()">
  <xsl:copy>
   <xsl:apply-templates select="node()|@*"/>
  </xsl:copy>
 </xsl:template>
 <!-- Rebuild a Login Disabled modify so that only the add-value is sent -->
 <xsl:template match="modify">
  <xsl:choose>
   <!-- Only when the Login Disabled change carries a remove-value -->
   <xsl:when test="modify-attr[@attr-name='Login Disabled'][//remove-value/value]">
    <modify class-name="{@class-name}"
     event-id="{@event-id}" src-dn="{@src-dn}"
     src-entry-id="{@src-entry-id}" timestamp="{@timestamp}">
     <!-- Keep the association of the object being modified -->
     <xsl:for-each select="association/text()">
      <association state="associated">
       <xsl:copy/>
      </association>
     </xsl:for-each>
     <!-- Emit the new value only; the remove-value is dropped -->
     <modify-attr attr-name="Login Disabled">
      <add-value>
       <value timestamp="{@timestamp}" type="state">
        <xsl:copy-of select="//add-value/value/text()"/>
       </value>
      </add-value>
     </modify-attr>
    </modify>
   </xsl:when>
   <!-- Any other modify passes through unchanged -->
   <xsl:otherwise>
    <xsl:copy-of select="."/>
   </xsl:otherwise>
  </xsl:choose>
 </xsl:template>
</xsl:stylesheet>

