*************************************************** Extended synchronization rules for Active Directory *************************************************** The LSC has some built-in fonctions to interact with some specific attributes of an Active Directory. UserAccountControl (account type and status) ============================================ This attribute is a set of bits to manage a user in an AD. You can access it in the normal way in LSC (``dstBean.getAttributeValueById('userAccountControl')``). Here are some methods to simplify changing values of this attribute. userAccountControlSet --------------------- You can set specific bits with the method `AD.userAccountControlSet `__. This method takes 2 parameters : - The value (integer) of the userAccountControl - An array of constants that will tell LSC to set (or unset) a specific bit For example: .. code-block:: js lsc>tasks>task>syncoptions>attribute(userAccountControl)>defaultValue = \ AD.userAccountControlSet( dstBean.getDatasetFirstValueById('userAccountControl'), [AD.UAC_UNSET_ACCOUNTDISABLE]) You can find a list of all the constants in the *org.interldap.lsc.utils.directory.AD* class. The constants are prefixed by ``UAC_SET`` and ``UAC_UNSET``. **Warning**: to create an entry in AD, you can set userAccountControl field but the flag ``UAC_PASSWD_NOTREQD`` is mandatory if no password is submitted. So you can have a ``create_value`` like this: .. code-block:: js lsc>tasks>task>syncoptions>attribute(userAccountControl)>createValue = AD.userAccountControlSet( "0", [ AD.UAC_SET_PASSWD_NOTREQD, AD.UAC_SET_NORMAL_ACCOUNT ]) userAccountControlCheck ----------------------- You can check if a specific bit is set with the method `AD.userAccountControlCheck `__. This method takes 2 parameters: - The value (integer) of the userAccountControl - A constant that will tell LSC if a specific bit is set (or not) For example : .. code-block:: js AD.userAccountControlCheck(dstBean.getDatasetFirstValueById('userAccountControl'), \ AD.UAC_ACCOUNTDISABLE) You can find a list of all the constants in the *org.interldap.lsc.utils.directory.AD class*. The constants are prefixed by ``UAC_`` (without SET or UNSET after). userAccountControlToggle ------------------------ You can toggle a specific bit with the method `AD.userAccountControlToggle `__. This method takes 2 parameters : - The value (integer) of the userAccountControll - A constant that will tell LSC which bit to toggle For example : .. code-block:: js AD.userAccountControlToggle(dstBean.getDatasetFirstValueById('userAccountControl'), \ AD.UAC_ACCOUNTDISABLE) You can find a list of all the constants in the *org.interldap.lsc.utils.directory.AD class*. The constants are prefixed by ``UAC_`` (without SET or UNSET after). Managing password ================= LSC enables creating and changing passwords for users. Here are some methods to simplify changing values of this attribute. getUnicodePwd ------------- The `getUnicodePwd `__ method encodes a string to fit the syntax of the unicodePwd attribute in AD, used to set the password. So you can create a default password (e.g. "changeit") for created users by setting: .. code-block:: js lsc>tasks>task>syncoptions>attribute(unicodePwd)>policy = KEEP lsc>tasks>task>syncoptions>attribute(unicodePwd)>createValue = AD.getUnicodePwd("changeit") Warnings and various pitfalls ----------------------------- Active Directory is, er, a little peculiar in it's handling of password changes. Checkout some :doc:`Active Directory synchronization hints `, to avoid being bitten by it's weird behaviour, like we have been :-) Last logon ========== Active Directory stores the date and time of the last logon to a server, in different attributes: * **lastLogonTimestamp**: This attribute is replicated across all domain controllers in a domain, as of Windows Server 2003. * **lastLogon**: This attribute is not replicated, it is local to each domain controller. The format of these attributes is identical. It contains the timestamp of a user's last logon, with a variable precision. By default, this timestamp is only guaranteed to be updated every **2 weeks**, but this is configurable. Beware when reading this value, and value that's less than 2 weeks old may just be due to the server imprecision. getNumberOfWeeksSinceLastLogon ------------------------------ The `getNumberOfWeeksSinceLastLogon `__ method takes the String value read from **lastLogonTimestamp** or **lastLogon**, and returns the number of weeks since the date recorded. This can be useful to detect unused accounts. For example, delete any accounts that haven't been used for 3 months or more .. code-block:: js lsc>tasks>task>MyTask>syncOptions>conditions>delete = AD.getNumberOfWeeksSinceLastLogon(srcBean.getDatasetFirstValueById("lastLogon")) > 12 Account expiry date =================== To set the Active Directory formatted value for an account expiry attribute, you can use the `AD.getAccountExpires `__ methods. Date manipulation ================= Active Directory stores dates in number of 100-nanosecond ticks since 1 January 1601 00:00:00 UT. Unix usually stores dates as the number of seconds elapsed since the start of the epoch at 1 January 1970 00:00:00 UT (see `http://en.wikipedia.org/wiki/System_time `__). You can use the following methods to convert dates between UNIX and AD: * `AD.aDTimeToUnixTimestamp `__ * `AD.unixTimestampToADTime `__