Subject: UserAccountControl VS NsAccountLock
Author: eLDAP
Posted on: 12/28/2006 08:11:58 PM
When a user account is accessed for authentication or authorization, a status attribute is usually checked first to determine whether the account is enabled or disabled. In the Netscape/iPlanet (Sun ONE) world that attribute is nsAccountLock; in the Microsoft Active Directory (AD) world it is userAccountControl.
nsAccountLock simply takes the value true or false. userAccountControl, by contrast, is a bit mask made up of many flags, of which the two most commonly seen are ACCOUNTDISABLE (0x0002, decimal 2) and NORMAL_ACCOUNT (0x0200, decimal 512). A disabled normal account therefore usually carries the value 514, i.e. 0x0202 (0x0200 + 0x0002). Because it is a bit mask, code should test the ACCOUNTDISABLE bit rather than compare the whole value against 512 or 514: other flags are frequently set as well (for example DONT_EXPIRE_PASSWORD, 0x10000, which gives 66048 for an enabled account and 66050 for a disabled one), and an equality test would misclassify those accounts.
Taking Sun ONE and AD as examples, a typical enabled account may look like
(SunOne)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
nsAccountLock: false
description: Active account - authentication and authorization may proceed.
sn: Smith
givenName: John
(AD)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 512
description: Active account - authentication and authorization may proceed.
sn: Smith
givenName: John
and a typical disabled account may look like
(SunOne)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
nsAccountLock: true
description: Inactive account - authentication or authorization may not proceed.
sn: Smith
givenName: John
(AD)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 514
description: Inactive account - authentication or authorization may not proceed.
sn: Smith
givenName: John
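To make the difference between the two conventions concrete, here is an added example (not code from the original post) that parses the four LDIF entries shown above and classifies each one. For AD it tests the ACCOUNTDISABLE bit of userAccountControl instead of comparing against 514, and it also shows where a naive equality test goes wrong. The sample entries are constructed from the post; the extra AD entry with userAccountControl 66050 (ACCOUNTDISABLE + NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD) is added to illustrate the bit-mask point. Treating a missing nsAccountLock as "not locked" is an assumption made here for the Sun ONE case.

```python
"""Enabled/disabled check for Sun ONE (nsAccountLock) and AD (userAccountControl) entries."""

# userAccountControl flag bits from the post; DONT_EXPIRE_PASSWORD is a common extra flag.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def parse_ldif(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}.

    Handles folded continuation lines (leading space); base64 ("::") values
    are kept as-is since none appear in the sample entries.
    """
    entry = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:          # folded continuation line
            entry[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        entry.setdefault(last_attr, []).append(value.strip())
    return entry


def is_disabled(entry):
    """Return True if the account is disabled under either directory's convention."""
    if "useraccountcontrol" in entry:
        # AD: userAccountControl is a bit mask, so test the ACCOUNTDISABLE bit.
        uac = int(entry["useraccountcontrol"][0])
        return bool(uac & ACCOUNTDISABLE)
    # Sun ONE: nsAccountLock is true/false. Assumption: an absent attribute means not locked.
    return entry.get("nsaccountlock", ["false"])[0].lower() == "true"


def naive_is_disabled(entry):
    """The equality check the post's '514' wording might tempt you into. Wrong for other flags."""
    return int(entry["useraccountcontrol"][0]) == NORMAL_ACCOUNT | ACCOUNTDISABLE


# Constructed sample entries, taken from the post (plus one extra AD entry).
SUN_ENABLED = """dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: inetOrgPerson
nsAccountLock: false
sn: Smith
"""

SUN_DISABLED = SUN_ENABLED.replace("nsAccountLock: false", "nsAccountLock: true")

SUN_NO_LOCK_ATTR = SUN_ENABLED.replace("nsAccountLock: false\n", "")

AD_ENABLED = """dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: user
userAccountControl: 512
sn: Smith
"""

AD_DISABLED = AD_ENABLED.replace("userAccountControl: 512", "userAccountControl: 514")

# Disabled account that also has "password never expires": 0x0002 | 0x0200 | 0x10000 = 66050.
AD_DISABLED_NO_EXPIRE = AD_ENABLED.replace(
    "userAccountControl: 512",
    "userAccountControl: %d" % (ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
)


def classify_all():
    """Classify every sample entry; returns {name: disabled?} for the bit-mask check."""
    samples = {
        "sun_enabled": SUN_ENABLED,
        "sun_disabled": SUN_DISABLED,
        "sun_no_lock_attr": SUN_NO_LOCK_ATTR,
        "ad_enabled": AD_ENABLED,
        "ad_disabled": AD_DISABLED,
        "ad_disabled_no_expire": AD_DISABLED_NO_EXPIRE,
    }
    return {name: is_disabled(parse_ldif(ldif)) for name, ldif in samples.items()}


if __name__ == "__main__":
    for name, disabled in classify_all().items():
        print("%-22s disabled=%s" % (name, disabled))
    # The equality check misses the 66050 account even though its ACCOUNTDISABLE bit is set.
    print("naive check on 66050:", naive_is_disabled(parse_ldif(AD_DISABLED_NO_EXPIRE)))
```

The bit test is the only one of the two AD checks that stays correct as additional flags accumulate on an account; when a directory sync or authorization gate hard-codes 512/514, a disabled user whose password was also set to never expire is reported as enabled.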