Participant
January 14, 2011
Question

CFLDAP Problem with Active Directory and bitwise filter on UserAccountControl


I am having a problem with CFLDAP on my production server (ColdFusion Standard Edition Version 8,0,1,195765 running on Windows 2003 using Sun Microsystems Java version 1.6.0_04) and my test server (ColdFusion Standard Edition Version 9,0,1,274733 running on Windows 2008 using Sun Microsystems Java version 1.6.0_17).

CFLDAP does not appear to be respecting the bitwise filter on the UserAccountControl field used to determine whether or not an account is enabled in Active Directory.

For instance, the following two queries should return identical results:

<cfldap action="query"
        server="#server#"
        name="CFLDAPResults"
        start="DC=mycompany,DC=com"
        filter="(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
        username="#ADUsername#"
        password="#ADPassword#"
        sort="displayName"
        attributes="displayName,givenName,sn,cn,SamAccountname,mail">


<cfquery
    name="SQLResults"
    datasource="ADSI"
>
    select * from openquery([ADSI],'<LDAP://dc=mycompany,dc=com>;(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)));displayName,givenName,sn,cn,SamAccountname,mail')adsi order by displayName
</cfquery>

However, the first one returns all users regardless of whether or not the account is disabled. The second returns only those users whose accounts are not disabled (which is what I want). The first query uses CFLDAP to query the Active Directory server directly, while the second uses a linked server in SQL Server to perform the query.

Is anyone else having problems with this? I have searched around some and haven't found any mention of this issue, but the fact that it is occurring on both a ColdFusion 8 server and a ColdFusion 9 server leads me to believe it is not just a misconfiguration on my end.

Thanks,

Aaron


    12Robots
    Participating Frequently
    January 14, 2011

    This query is working fine for me. I did have to correct a typo in your email that was resulting in me getting 0 records. You have a space in this section (1.4. 803:=2) that does not belong.


    I am using ColdFusion 9 (9,0,1,274733) developer. When I run the query with and without the negation qualifier (!) I get two different lists.

    When I run it without the negation qualifier I get a list of only disabled accounts (confirmed by random sampling).

    When I run it with the negation qualifier I get a list of enabled accounts (Confirmed by random sampling AND verifying that no one from my first test was in my second test).

    Hope this helps,
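The bitwise filter from the question and the with/without-"!" comparison from this reply, as an added example that is not code from the thread or from ColdFusion: a small Python evaluator for the RFC 4515 extensible-match syntax Active Directory uses for userAccountControl (matching rule 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND), run over constructed sample entries, together with the client-side cross-check a page that lists current employees should run on whatever the server returns. The entries, the ws01$ computer object and the function names (ldap_search, disabled_in_results, negation_pair_test, filter_is_valid) are this example's own assumptions.

```python
"""Offline evaluator for the Active Directory bitwise LDAP filter discussed in
the thread, plus client-side cross-checks on the returned rows.

userAccountControl is a bit field; bit 0x2 (ACCOUNTDISABLE) marks a disabled
account. Matching rule 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND and
1.2.840.113556.1.4.804 is LDAP_MATCHING_RULE_BIT_OR (extensible match syntax
attr:rule:=value). All entries below are constructed samples, not real accounts.
"""
import re

ACCOUNTDISABLE = 0x2
BIT_AND = "1.2.840.113556.1.4.803"
BIT_OR = "1.2.840.113556.1.4.804"

# The two filters from the thread: enabled accounts (with "!") and disabled
# accounts (without it). A server that honours the rule returns disjoint sets.
ENABLED_FILTER = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
DISABLED_FILTER = "(&(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

# Constructed sample entries. 512 = NORMAL_ACCOUNT, 65536 = DONT_EXPIRE_PASSWORD,
# 4096 = WORKSTATION_TRUST_ACCOUNT; adding 2 sets ACCOUNTDISABLE.
_USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectClass": _USER, "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectClass": _USER, "userAccountControl": 514},
    {"sAMAccountName": "carol", "objectClass": _USER, "userAccountControl": 66048},
    {"sAMAccountName": "dave", "objectClass": _USER, "userAccountControl": 66050},
    # AD computer objects derive from user, so (objectclass=user) matches them too.
    {"sAMAccountName": "ws01$", "objectClass": _USER + ["computer"], "userAccountControl": 4096},
]


def _parse(filt, pos=0):
    """Recursive-descent parser for the filter subset used here; returns (node, next_pos)."""
    if filt[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if filt[pos] in "&|!":
        op, pos, children = filt[pos], pos + 1, []
        while pos < len(filt) and filt[pos] == "(":
            child, pos = _parse(filt, pos)
            children.append(child)
        if pos >= len(filt) or filt[pos] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError("malformed %s-filter" % op)
        return (op, children), pos + 1
    end = filt.find(")", pos)
    m = re.fullmatch(r"([A-Za-z][\w;-]*)(?::([0-9.]+):)?=(.*)", filt[pos:end]) if end != -1 else None
    if m is None:
        # The stray space from the reply ("1.4. 803") is rejected here rather than matching nothing.
        raise ValueError("malformed filter item: %r" % filt[pos:end])
    attr, rule, value = m.groups()
    return ("cmp", attr.lower(), rule, value), end + 1


def _eval(node, entry):
    """Three-valued evaluation as in RFC 4511: True, False or None (Undefined)."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [_eval(c, entry) for c in node[1]]
        if kind == "&":
            return False if False in results else (None if None in results else True)
        return True if True in results else (None if None in results else False)
    if kind == "!":
        r = _eval(node[1][0], entry)
        return None if r is None else not r
    _, attr, rule, value = node
    actual = next((v for k, v in entry.items() if k.lower() == attr), None)
    if actual is None:
        return None                      # absent attribute -> Undefined
    values = actual if isinstance(actual, list) else [actual]
    if rule is None:                     # plain equality, case-insensitive like AD
        return any(str(v).lower() == value.lower() for v in values)
    if rule == BIT_AND:                  # every bit of the operand is set
        return any(int(v) & int(value) == int(value) for v in values)
    if rule == BIT_OR:                   # at least one bit of the operand is set
        return any(int(v) & int(value) != 0 for v in values)
    return None                          # unknown matching rule -> Undefined


def filter_is_valid(filt):
    """True when the whole string parses as one filter."""
    try:
        _, end = _parse(filt)
        return end == len(filt)
    except (ValueError, IndexError):
        return False


def ldap_search(entries, filt):
    """Return the entries the filter matches (only a definite True counts as a match)."""
    node, end = _parse(filt)
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    return [e for e in entries if _eval(node, e) is True]


def names(results):
    return sorted(e["sAMAccountName"] for e in results)


def disabled_in_results(results):
    """Cross-check for the employee-listing page: request userAccountControl as an
    attribute and re-apply the bit test to the returned rows. Any name listed here
    means the server-side filter was not honoured."""
    return names(e for e in results if int(e.get("userAccountControl", 0)) & ACCOUNTDISABLE)


def negation_pair_test(entries):
    """The check from the reply: run the filter with and without "!" and confirm the
    two result sets are disjoint and together cover every user object."""
    enabled = set(names(ldap_search(entries, ENABLED_FILTER)))
    disabled = set(names(ldap_search(entries, DISABLED_FILTER)))
    everyone = set(names(ldap_search(entries, "(objectclass=user)")))
    return enabled.isdisjoint(disabled) and enabled | disabled == everyone


if __name__ == "__main__":
    for label, filt in (("enabled", ENABLED_FILTER), ("disabled", DISABLED_FILTER)):
        print(label, names(ldap_search(SAMPLE_ENTRIES, filt)))
    print("disjoint and complete:", negation_pair_test(SAMPLE_ENTRIES))
    # A server that ignores the rule behaves like "(objectclass=user)"; the cross-check flags it.
    print("disabled rows leaked:", disabled_in_results(ldap_search(SAMPLE_ENTRIES, "(objectclass=user)")))
```

The same cross-check can be done inside the CFML page itself: add userAccountControl to the attributes list of the cfldap tag and skip any row where BitAnd(userAccountControl, 2) is non-zero, so a filter the server ignores cannot put departed employees back on the list.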

    Participant
    January 14, 2011

    Interesting. The extra space is not in the original query, it must have snuck in from the forum editor. Like I said, I haven't seen any mention of this issue elsewhere and I have seen examples where exactly this filter was applied in CFLDAP, so it seemed like someone would have noticed if it had really been a problem in both ColdFusion 8 and 9. I won't file a bug report then, and I guess I'll assume it's something strange about our Active Directory LDAP server. Usually when I am querying against Active Directory I am joining SQL Server tables anyway, so it's not normally an issue, but I had one webpage which listed employees from Active Directory that someone noticed was still listing several employees who had left. I tried the query both ways, rewrote it several times, and checked all other pages that used cfldap, and consistently the useraccountcontrol filter was ignored in the CFLDAP queries.

    Thanks,

    Aaron

    Participant
    March 5, 2013

    Did you ever get an answer for this? I have this same problem and it is driving me crazy!!

    Bernie