Home > Mastercard/McAfee/SafeBoot/Intel, Programming > Bitmask searches in LDAP, or How to exclude disabled users..

Bitmask searches in LDAP, or How to exclude disabled users..

Following on from my post on Bindings and connector settings, I thought I’d expand on how to use bit-mask searches in the connector Object filter.

Bit-masks are not complex for those who know Boolean arithmetic, and there are a million resources on the web to teach you that, but how to use them in an Active Directory search is obtuse to say the least.

To do a boolean  “AND” search, you use the tag “1.2.840.113556.1.4.803”, to do “OR” the tag is “1.2.840.113556.1.4.804”.

Easy eh? I guess I should give you a practical example. The most likely reason you have to use bit-masks is to exclude disabled users from the connector search. By default, the connector will import them but set their EEM account status to “Disabled”, but you may want simply not to import them in the first place.

If you’re using the ObjectFilter mode of connector operation, you can use a special filter to exclude certain users, including disabled ones) from the results. You can’t though do this if you’re using Search Groups.

Active Directory stores the flag for enabled/disable status in the “userAccountControl” attribute – this is a numeric set of bits indicating things like what type of account it is, whether it’s enabled, whether a smart card is required etc. You can find the full list on Microsoft’s site. Bit 2 of this value indicates if the account is enabled or not.

Illogically perhaps 1 = disabled, 0 = enabled (shouldn’t the value default to disabled?).

so, to do an LDIF search for this bit, to return users who are disabled,  you can use a query like:


and of course, to return the users who are NOT disabled, we just add a not statement at the beginning:


Much more complex than it should be eh?

Pulling this all together, to make a proper object filter for the EEM AD connector we need to add in the default search which ensures the connector only gets to see “user” objects. We need to simply construct a query which means “tell me about users who are not disabled”:

(&(objectClass=organizationalPerson) _


  1. BM
    December 21, 2011 at 01:43

    Well that was obvious 😉
    Thanks for posting this page saved me a lot of time.

  2. February 4, 2016 at 07:35

    You might need to add an additional pair of parenthesis for the negation, so (!(userAccountControl:1.2.840.113556.1.4.803:=2))

  3. fany
    February 4, 2016 at 07:36

    Also, thanks for this posting!
    However, in order to make the search for enabled (= not disabled) users work, we hat to add aditional parenthesis: (!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))
    (Without it, we got “LDAPInvalidFilterError: malformed filter” resepectively “ldap_search_ext: Bad search filter (-7)” from different libraries.)

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: