mirror of
git://git.gnupg.org/gnupg.git
synced 2024-11-09 21:28:51 +01:00
Examples
List the DNs of all users in our QAUsers group
ad_query --subst --attr=dn ^OU=QAUsers,$domain&sub&(&(objectcategory=person)(objectclass=user))
List the DN using the user's mail address
ad_query --subst --attr=dn,userAccountControl (&(objectcategory=person)(objectclass=user) (|(userPrincipalName=dd9jn@w32demo.g10code.de) (mail=dd9jn@w32demo.g10code.de)))
After that the returned userAccountControl value (userControlFlags in the snippet below) should be checked - see below for the bit flags. For a normal, non-disabled user use:
if ((userControlFlags & 0x0212) == 0x200) use_this_user();
Useful attributes
userAccountControl
These are bit flags. For details see https://learn.microsoft.com/en-us/windows/win32/api/iads/ne-iads-ads_user_flag_enum
- 0x00000002  ADS_UF_ACCOUNTDISABLE, the account is disabled.
- 0x00000010  ADS_UF_LOCKOUT, the account is temporarily locked out.
- 0x00000100  ADS_UF_TEMP_DUPLICATE_ACCOUNT, this is an account for a user whose primary account is in another domain.
- 0x00000200  ADS_UF_NORMAL_ACCOUNT, the default account type that represents a typical user.
- 0x00000800  ADS_UF_INTERDOMAIN_TRUST_ACCOUNT, the account for a domain-to-domain trust.
- 0x00001000  ADS_UF_WORKSTATION_ACCOUNT, the computer account for a computer that is a member of this domain.
- 0x00002000  ADS_UF_SERVER_TRUST_ACCOUNT, the computer account for a DC.
- 0x00010000  ADS_UF_DONT_EXPIRE_PASSWD, the password will not expire.
- 0x04000000  ADS_UF_PARTIAL_SECRETS_ACCOUNT, the computer account for an RODC.
For example, to select only user accounts which are neither disabled nor locked out, one might naively use:
(userAccountControl:1.2.840.113556.1.4.803:=512)
1.2.840.113556.1.4.803 is the bitwise AND matching rule, 1.2.840.113556.1.4.804 the bitwise OR matching rule. However, because a mask can't be specified, a single rule is not really useful: it only tests whether the given bits are set, not whether other bits are clear. Thus the above needs to be replaced by explicit checks; i.e.
(&(userAccountControl:1.2.840.113556.1.4.804:=512) (!(userAccountControl:1.2.840.113556.1.4.804:=2)) (!(userAccountControl:1.2.840.113556.1.4.804:=16)))
I'd suggest also adding explicit checks on the returned data.
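As an added example (not part of the ad_query sources), the check from the Examples section implemented in C: the decimal userAccountControl string returned by AD is parsed strictly and the 0x0212 mask is applied, so a normal account that is disabled or locked out, or a value that does not parse at all, is rejected. The function names are chosen for this example only.

```c
#include <errno.h>
#include <stdlib.h>

/* Bit flags of userAccountControl used by the check (see list above).  */
#define ADS_UF_ACCOUNTDISABLE 0x00000002UL
#define ADS_UF_LOCKOUT        0x00000010UL
#define ADS_UF_NORMAL_ACCOUNT 0x00000200UL

/* Mask 0x0212 and expected value 0x0200 from the Examples section: the
   account must be a normal account and must have neither the disable
   nor the lockout bit set; all other bits are ignored.  */
#define UAC_CHECK_MASK (ADS_UF_ACCOUNTDISABLE|ADS_UF_LOCKOUT|ADS_UF_NORMAL_ACCOUNT)
#define UAC_CHECK_WANT ADS_UF_NORMAL_ACCOUNT

/* AD returns userAccountControl as a decimal string.  Parse it strictly:
   return 0 and store the value at R_UAC on success, -1 on an empty,
   negative or otherwise malformed value.  (Constructed helper, not
   part of ad_query.)  */
int
parse_uac (const char *s, unsigned long *r_uac)
{
  char *end;
  unsigned long v;

  if (!s || !*s || *s == '-')
    return -1;
  errno = 0;
  v = strtoul (s, &end, 10);
  if (errno || *end)
    return -1;
  *r_uac = v;
  return 0;
}

/* Return 1 if the account may be used, 0 otherwise.  */
int
uac_account_usable (unsigned long uac)
{
  return (uac & UAC_CHECK_MASK) == UAC_CHECK_WANT;
}

/* Both steps on the raw attribute value; a value that does not parse
   is treated as unusable rather than as "not disabled".  */
int
uac_string_usable (const char *s)
{
  unsigned long uac;
  return parse_uac (s, &uac) == 0 && uac_account_usable (uac);
}
```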