I would like to propose a change to the community regarding the LDAP query that FreePBX makes. Here is a diff of the Msad.php file with the proposed change:
@@ -504,7 +504,7 @@
//http://www.rlmueller.net/CharactersEscaped.htm
$group['distinguishedname'][0] = ldap_escape($group['distinguishedname'][0]);
$this->out("\tGetting users from ".$group['cn'][0]."...");
- $gs = ldap_search($this->ldap, $this->dn, "(&(objectCategory=Person)(sAMAccountName=*)(memberof=".$group['distinguishedname'][0]."))");
+ $gs = ldap_search($this->ldap, $this->dn, "(&(objectCategory=Person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberof=".$group['distinguishedname'][0]."))");
if($gs !== false) {
$users = ldap_get_entries($this->ldap, $gs);
$susers = serialize($users);
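Review bot: the clause `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` added to the `$gs = ldap_search(...)` filter is an undocumented magic string, and the same literal is repeated in the second hunk. Please add a comment above it saying that 1.2.840.113556.1.4.803 is Active Directory's bitwise-AND matching rule and that 2 is the ACCOUNTDISABLE bit of userAccountControl, and define the clause once (a class constant or small helper) so the two searches cannot drift apart. The exclusion is also unconditional here. It would be worth stating in the patch description what happens on the next sync to an account that was imported earlier and has since been disabled, since that is not visible in this hunk.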
@@ -590,7 +590,7 @@
$this->out("Retrieving all users...",false);
- $sr = ldap_search($this->ldap, $this->dn, "(&(objectCategory=Person)(sAMAccountName=*))");
+ $sr = ldap_search($this->ldap, $this->dn, "(&(objectCategory=Person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))");
$users = ldap_get_entries($this->ldap, $sr);
$this->out("Got ".$users['count']. " users");
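Review bot: the result of `$sr = ldap_search(...)` is passed straight to `ldap_get_entries($this->ldap, $sr)` with no failure check, unlike the group search in the first hunk, which guards with `if($gs !== false)`. Since this line is being touched and the filter is getting longer, please add the same `$sr !== false` guard before reading entries and before printing `$users['count']`, so a rejected filter or a failed search is reported rather than treated as a user list. The disabled-account clause here should come from the same shared definition as the one in the group query.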
What this change does is prevent FreePBX from pulling in any disabled Active Directory users. Thoughts?