
Re: meta and AD disabled accounts



Fred wrote:
Okay, new to OpenLDAP, have managed to set up a meta backend/proxy to
multiple Active Directory systems that is doing everything I need with one
exception.  I can't figure out a reliable way to filter out disabled
accounts on the AD side.  I know how to query this directly against AD of
course (NOT UserAccountControl:1.2.840.113556.1.4.803:=2), but after a lot
of searching and head scratching I'm not sure how to implement this in my
slapd.conf - or even just allow the filter (if specified by a client) to
pass through:

My original filter:
"(&(objectclass=inetOrgPerson)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
From slapd debug output, after passing through the parser:
"(objectClass=user)(!(!(objectClass=*)))(?=error)"

As you can see, objectClass inetOrgPerson is mapped to User (and I've got
some work to do on the Computer objectClass too) but the UserAccountControl
bitwise flag is the part I'm hung up on right now.

Is "UserAccountControl" known in the proxy's schema?

p.
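
Why the schema question matters, as an added example that is not part of the thread and not OpenLDAP code: under RFC 4511 a filter item on an attribute the server does not recognise evaluates to Undefined, and NOT and AND propagate that, so nothing matches. The entries, the schema sets and the function names are constructed for illustration, and the filter is the post's with inetOrgPerson already mapped to user.

```python
# Model of RFC 4511 three-valued filter evaluation; not slapd's implementation.
BIT_AND = "1.2.840.113556.1.4.803"  # matching-rule OID used in the post's filter
TRUE, FALSE, UNDEF = "TRUE", "FALSE", "Undefined"

def equality(entry, schema, attr, value):
    """(attr=value); Undefined when the attribute is not in the server's schema."""
    if attr.lower() not in schema:
        return UNDEF
    vals = [v.lower() for v in entry.get(attr.lower(), [])]
    return TRUE if value.lower() in vals else FALSE

def ext_match(entry, schema, attr, rule, value):
    """(attr:rule:=value); Undefined when attribute or matching rule is unknown."""
    if attr.lower() not in schema or rule != BIT_AND:
        return UNDEF
    vals = entry.get(attr.lower(), [])
    # Bitwise AND rule: TRUE when every bit of the assertion is set in a value.
    return TRUE if any(int(v) & value == value for v in vals) else FALSE

def f_not(r):
    return {TRUE: FALSE, FALSE: TRUE, UNDEF: UNDEF}[r]

def f_and(*results):
    if FALSE in results:
        return FALSE
    return UNDEF if UNDEF in results else TRUE

def post_filter(entry, schema):
    """(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:<BIT_AND>:=2)))"""
    return f_and(
        equality(entry, schema, "objectClass", "user"),
        f_not(equality(entry, schema, "objectClass", "computer")),
        f_not(ext_match(entry, schema, "userAccountControl", BIT_AND, 2)),
    )

# Constructed entries: 512 = normal account, 514 = 512 | 2 (disabled),
# 4096 = workstation trust account.
ENTRIES = {
    "alice": {"objectclass": ["user"], "useraccountcontrol": ["512"]},
    "bob": {"objectclass": ["user"], "useraccountcontrol": ["514"]},
    "pc01$": {"objectclass": ["user", "computer"], "useraccountcontrol": ["4096"]},
}

def search(schema):
    """A search returns only the entries for which the filter is TRUE."""
    return sorted(n for n, e in ENTRIES.items() if post_filter(e, schema) == TRUE)

if __name__ == "__main__":
    print("attribute known:  ", search({"objectclass", "useraccountcontrol"}))
    print("attribute unknown:", search({"objectclass"}))
```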