Battling on.. We have a process that can add users and filter on group, etc.
The main issue I am concerned with is the ability to disable the SafeBoot account when the eDirectory account is disabled.
The attribute mapping for Account Control would appear to be the eDirectory (LDAP) attribute 'logindisabled'.
The issue I am having is getting the LDAP connector to acknowledge that there is a change, i.e. the attribute mapping for 'Change Attribute'. I have tried an eDir attribute named revision, but this appears to be somewhat 'hidden' for LDAP queries and is replica server specific. I then thought I'd try 'logindisabled', as this is the only attribute we actually care about - again, no joy...
I've never found a reason to try and populate the Change Attribute here. Account Control is set to the default of loginDisabled, which I confirmed matched our LDAP attribute through LDAP Browser. I have confirmed SB accounts are disabled when the eDirectory account is disabled as well, though the SB account isn't disabled until the next LDAP sync.
We use a filter under Search Settings, not the Search Group here. Search Groups seem to be a much better choice except performance is ridiculous compared to our search filter (which is effectively doing the same thing). I've also seen that the Search Groups incorrectly identify some users as "not a user" but I've been unable to determine a reason. If you go with the Search Settings make sure your Entry Limit is high enough to accommodate the number of records being returned.
Hmm, that's interesting, I was assuming you needed the change attribute for it to assess whether to read the other attributes...
Hey ho, as you've seen from the other post we went for the AD Connector route..
Thanks for posting
Yeah, AD sounds like the smart choice. That's currently not an option here but from your posts it appears performance is 20x better with AD. Using Search Groups with eDirectory I've found it takes over an hour for one sync of 1 group with 1K users. Not to mention the user enrollment issue I mentioned last post.