Bitmask searches in LDAP, or How to exclude disabled users..
Following on from my post on Bindings and connector settings, I thought I’d expand on how to use bit-mask searches in the connector Object filter.
Bit-masks are not complex for those who know Boolean arithmetic, and there are a million resources on the web to teach you that, but how to use them in an Active Directory search is obtuse to say the least.
To do a boolean “AND” search, you use the tag “1.2.840.113556.1.4.803”, to do “OR” the tag is “1.2.840.113556.1.4.804”.
Easy eh? I guess I should give you a practical example. The most likely reason you have to use bit-masks is to exclude disabled users from the connector search. By default, the connector will import them but set their EEM account status to “Disabled”, but you may want simply not to import them in the first place.
If you’re using the ObjectFilter mode of connector operation, you can use a special filter to exclude certain users, including disabled ones) from the results. You can’t though do this if you’re using Search Groups.
Active Directory stores the flag for enabled/disable status in the “userAccountControl” attribute – this is a numeric set of bits indicating things like what type of account it is, whether it’s enabled, whether a smart card is required etc. You can find the full list on Microsoft’s site. Bit 2 of this value indicates if the account is enabled or not.
Illogically perhaps 1 = disabled, 0 = enabled (shouldn’t the value default to disabled?).
so, to do an LDIF search for this bit, to return users who are disabled, you can use a query like:
(userAccountControl:1.2.840.113556.1.4.803:=2)
and of course, to return the users who are NOT disabled, we just add a not statement at the beginning:
(!userAccountControl:1.2.840.113556.1.4.803:=2)
Much more complex than it should be eh?
Pulling this all together, to make a proper object filter for the EEM AD connector we need to add in the default search which ensures the connector only gets to see “user” objects. We need to simply construct a query which means “tell me about users who are not disabled”:
(&(objectClass=organizationalPerson) _ (!useraccountcontrol:1.2.840.113556.1.4.803:=2))
Voila!
Leave a comment
Who?
 | EVP Cyber Product Innovation for Mastercard. Formally the Chief Technology Officer for Intel Secure Home Gateways, CTO for McAfee Enterprise Endpoint, CTO McAfee Innovation team, and Founder/CTO SafeBoot Corp. |
Comments
 | Christopher Burgess on How not to implement smarthome… |
 | Mike on Is Encryption enough? Why just… |
 | Simon Hunt on Is Encryption enough? Why just… |
| Mike on Is Encryption enough? Why just… |
 | Stéphane Pautrel on New S.M.A.R.T Monitor Tool for… |
Simon Says - Musings of a Technology CTO 
Well that was obvious 😉
Thanks for posting this page saved me a lot of time.
You might need to add an additional pair of parenthesis for the negation, so (!(userAccountControl:1.2.840.113556.1.4.803:=2))
Also, thanks for this posting!
However, in order to make the search for enabled (= not disabled) users work, we hat to add aditional parenthesis: (!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
(Without it, we got “LDAPInvalidFilterError: malformed filter” resepectively “ldap_search_ext: Bad search filter (-7)” from different libraries.)