
[NOT MERGE] support AD attributes userAccountControl, msDS-UserAccountDisabled and pwdLastSet

Open Dieken opened this issue 5 years ago • 2 comments

It's a pity LDAP doesn't have a standard attribute to represent disabling a user account. Red Hat's Keycloak supports an AD mapper to read and write the attribute userAccountControl, and an AD LDS mapper to read and write the attribute msDS-UserAccountDisabled; both mappers support the attribute pwdLastSet too.

With this patch, these three attributes basically work like AD and AD LDS:

  • AD: if (userAccountControl & 2L) != 0, then the user account is disabled for binding.
  • AD LDS: if msDS-UserAccountDisabled is TRUE, then the user account is disabled for binding.
  • Both AD and AD LDS:
    • new user added: if pwdLastSet != 0, it's automatically set to the current time.
    • user password modified: if the new pwdLastSet != 0, it's automatically set to the current time.
    • pwdLastSet changed: if the new pwdLastSet != 0, it's automatically set to the current time.
    • pwdLastSet deleted: pwdLastSet is automatically set to the current time.

References:

  • https://docs.microsoft.com/en-us/windows/win32/adschema/a-useraccountcontrol
  • https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-useraccountdisabled
  • https://docs.microsoft.com/en-us/windows/win32/adschema/a-pwdlastset

Dieken · Dec 29 '20 15:12
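The bind and pwdLastSet rules listed above, as an added Python example written for this page (it is not the patch's code, which lives in ApacheDS's Java interceptors). The FILETIME encoding of pwdLastSet, the operation names and the sample entries are assumptions, since the PR does not state how the patch stores the value.

```python
import time

ACCOUNTDISABLE = 0x2  # the userAccountControl bit the PR tests with "& 2L"
# AD stores pwdLastSet as a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
# Assumption: the PR does not say which encoding the patch writes, so FILETIME is used here.
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000

def unix_to_filetime(unix_seconds: float) -> int:
    """Convert Unix epoch seconds to a FILETIME integer."""
    return int(round(unix_seconds * 10_000_000)) + UNIX_EPOCH_AS_FILETIME

def is_disabled(entry: dict) -> bool:
    """AD rule: userAccountControl & 2 != 0.  AD LDS rule: msDS-UserAccountDisabled is TRUE."""
    uac = entry.get("userAccountControl")
    if uac is not None and int(uac) & ACCOUNTDISABLE:
        return True
    flag = entry.get("msDS-UserAccountDisabled")
    return isinstance(flag, str) and flag.strip().upper() == "TRUE"

def bind_allowed(entry: dict, password_ok: bool) -> bool:
    """A disabled account is refused even when the credential itself verifies."""
    return password_ok and not is_disabled(entry)

def apply_pwd_last_set(op: str, requested, now: float = None) -> int:
    """Mirror the PR's four pwdLastSet rules.

    op: 'add' (new user), 'password' (password modified),
        'replace' (pwdLastSet changed), 'delete' (pwdLastSet removed).
    requested: the client-supplied pwdLastSet value, or None if absent.
    Only an explicit 0 (AD's "must change password at next logon") is kept;
    every other value, and a delete, is overwritten with the current time.
    """
    now_ft = unix_to_filetime(time.time() if now is None else now)
    if op == "delete":
        return now_ft
    if op in ("add", "password", "replace"):
        return 0 if requested is not None and int(requested) == 0 else now_ft
    raise ValueError(f"unknown operation: {op}")

# Constructed sample entries (not from the PR); 512 is NORMAL_ACCOUNT, 514 = 512 | ACCOUNTDISABLE.
ENABLED = {"uid": "alice", "userAccountControl": "512"}
DISABLED_AD = {"uid": "bob", "userAccountControl": "514"}
DISABLED_LDS = {"uid": "carol", "msDS-UserAccountDisabled": "TRUE"}

if __name__ == "__main__":
    for e in (ENABLED, DISABLED_AD, DISABLED_LDS):
        print(e["uid"], "bind allowed:", bind_allowed(e, password_ok=True))
    print("pwdLastSet on add with no value:", apply_pwd_last_set("add", None, 1_609_254_720))
```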

This PR is just for your reference; it's a rude hack, so I suggest not merging it.

It would be better if the code were separated into a new authentication interceptor, but:

(1) There is no gap between the ads-interceptororder values in config.ldif; it would be better to use 10, 20, 30, ... instead of 1, 2, 3, ... for ads-interceptororder.

(2) service-builder/src/main/java/org/apache/directory/server/config/builder/ServiceBuilder.java gives ppolicyContainer only to the concrete class AuthenticationInterceptor, but my new interceptor also needs this object. Actually, my new interceptor depends on some code in AuthenticationInterceptor; that common code should be refactored into a new class, and ppolicyContainer should be injected into some AbstractAuthenticationInterceptor, or better, dependency injection should be used to provide it to any interceptor.

(3) The msad.ldif shouldn't be at ldif-partition/src/main/resources/; it's just committed into the source tree for the record and isn't worth committing to the package api-ldap-schema-data.

Dieken · Dec 29 '20 16:12

I'm OK if you close this PR; it's just for the record, in case somebody is interested in this patch.

Although the patch is not perfect, it serves me well; I don't have to maintain a complex real Active Directory service 😄️

Thanks for your work on ApacheDS!

Dieken · Dec 29 '20 16:12