Usually, the filter for syncing LDAP users into IBM Connections using the Tivoli Directory Integrator (TDI) looks something like this:

(&(uid=*)(objectclass=inetOrgPerson))

If you are using Microsoft's Active Directory (AD), this filter also syncs users that are "disabled" in AD, which is usually not what you want.
Fortunately, there is a Microsoft Knowledge Base entry called "How to query Active Directory by using a bitwise filter" that sheds some light on this:
An example is when you want to query Active Directory for user class objects that are disabled. The attribute that holds this information is the userAccountControl attribute. This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLED bit set would resemble this:
(UserAccountControl:1.2.840.113556.1.4.803:=2)

So all we have to do is incorporate this attribute into our filter statement (negated, of course) to sync only "active" users:

    (&
      (uid=*)
      (objectclass=inetOrgPerson)
      (!
        (UserAccountControl:1.2.840.113556.1.4.803:=2)
      )
    )
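To see why the bitwise matching rule is needed rather than a plain equality test on userAccountControl, here is an added example (not code from the original post, from TDI or from Microsoft): a minimal evaluator for LDAP search filters that understands the two AD bitwise matching rules, run against a handful of constructed sample entries. The entries, their uid values and the helper names (parse_filter, matches, search) are assumptions made for the illustration; the flag values and matching-rule OIDs are the documented ones.

```python
"""Added example: evaluate LDAP filters with AD bitwise matching rules offline."""

# Flag values from Microsoft's userAccountControl documentation.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# AD-specific extensible matching rules (OIDs from the Microsoft KB article).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all bits of value set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit of value set

# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"uid": "alice", "objectClass": ["top", "person", "inetOrgPerson"],
     "userAccountControl": UF_NORMAL_ACCOUNT},                             # 512
    {"uid": "bob", "objectClass": ["top", "person", "inetOrgPerson"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE},         # 514
    {"uid": "carol", "objectClass": ["top", "person", "inetOrgPerson"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},     # 66048
    {"uid": "dave", "objectClass": ["top", "person", "inetOrgPerson"],
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD
     | UF_ACCOUNTDISABLE},                                                 # 66050
    # A plain AD "user" object that does not carry the inetOrgPerson class.
    {"uid": "svc-backup", "objectClass": ["top", "person", "user"],
     "userAccountControl": UF_NORMAL_ACCOUNT},
]


def parse_filter(text, pos=0):
    """Parse one parenthesised filter component starting at text[pos].
    Supports &, |, !, equality, presence (=*) and attr:OID:=value."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op = text[pos]
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed filter near offset %d" % pos)
        return (op, children), pos + 1
    end = text.index(")", pos)
    lhs, _, value = text[pos:end].partition("=")
    if lhs.endswith(":"):                         # extensible match attr:OID:=
        parts = lhs[:-1].split(":", 1)
        if len(parts) != 2:
            raise ValueError("malformed extensible match: " + lhs)
        return ("ext", parts[0], parts[1], value), end + 1
    return ("eq", lhs, value), end + 1


def attribute_values(entry, name):
    """Case-insensitive attribute lookup, always returning a list."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value if isinstance(value, list) else [value]
    return []


def matches(node, entry):
    """Evaluate a parsed filter node against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":
        _, attr, value = node
        values = attribute_values(entry, attr)
        if value == "*":                          # presence test
            return bool(values)
        return any(str(v).lower() == value.lower() for v in values)
    _, attr, rule, value = node                   # extensible match
    mask = int(value)
    values = [int(v) for v in attribute_values(entry, attr)]
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return any(v & mask == mask for v in values)
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return any(v & mask != 0 for v in values)
    raise ValueError("unsupported matching rule " + rule)


def search(filter_text, entries):
    """Return the uids of entries matching filter_text. Whitespace is stripped
    first so the pretty-printed filter from the post parses as well (values
    containing spaces are not expected in this example)."""
    compact = "".join(filter_text.split())
    node, end = parse_filter(compact)
    if end != len(compact):
        raise ValueError("trailing data after filter")
    return [attribute_values(e, "uid")[0] for e in entries if matches(node, e)]


DEFAULT_FILTER = "(&(uid=*)(objectclass=inetOrgPerson))"
NAIVE_FILTER = "(&(uid=*)(objectclass=inetOrgPerson)(!(userAccountControl=514)))"
ACTIVE_FILTER = """
    (&
      (uid=*)
      (objectclass=inetOrgPerson)
      (!(UserAccountControl:1.2.840.113556.1.4.803:=2))
    )"""

if __name__ == "__main__":
    for name, flt in (("default", DEFAULT_FILTER), ("naive", NAIVE_FILTER),
                      ("bitwise", ACTIVE_FILTER)):
        print(name, search(flt, SAMPLE_ENTRIES))
```

The naive filter drops bob (userAccountControl exactly 514) but still syncs dave, whose account is disabled and also carries the "password never expires" flag (66050); the bitwise filter excludes both. Note that this only excludes accounts with the disable flag set: accounts that have expired (accountExpires) or are locked out (lockoutTime) are tracked in other attributes and are not affected by this clause.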

This is the blog of Martin Leyrer, currently employed as a Senior Lab Services Consultant at HCL Digital Solutions.