Suggested Active Directory LDAP search filter change

FreePBX Development
1

I would like to propose a change to the community regarding the LDAP query that FreePBX makes. Here is a diff of the Msad.php file with the proposed change:

@@ -504,7 +504,7 @@
                                    //http://www.rlmueller.net/CharactersEscaped.htm
                                    $group['distinguishedname'][0] = ldap_escape($group['distinguishedname'][0]);
                                    $this->out("\tGetting users from ".$group['cn'][0]."...");
-                                   $gs = ldap_search($this->ldap, $this->dn, "(&(objectCategory=Person)(sAMAccountName=*)(memberof=".$group['distinguishedname'][0]."))");
+                                   $gs = ldap_search($this->ldap, $this->dn, "(&(objectCategory=Person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberof=".$group['distinguishedname'][0]."))");
                                    if($gs !== false) {
                                            $users = ldap_get_entries($this->ldap, $gs);
                                            $susers = serialize($users);
@@ -590,7 +590,7 @@

            $this->out("Retrieving all users...",false);

-           $sr = ldap_search($this->ldap, $this->dn, "(&(objectCategory=Person)(sAMAccountName=*))");
+           $sr = ldap_search($this->ldap, $this->dn, "(&(objectCategory=Person)(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))");
            $users = ldap_get_entries($this->ldap, $sr);

            $this->out("Got ".$users['count']. " users");

What this change does is prevents FreePBX from pulling in any disabled Active Directory users. Thoughts?

1 Like
2

Now that I think about it, it would be better to have the search filter be a fillable field in the user manager, but this would be a good stopgap until that feature can be added to the roadmap

1 Like
3

Yes. Customizable LDAP filters are desperately needed, and improved defaults would be a huge help.

A fairly obvious (to me, anyway) default option would be to filter for users that have the IP Phone attribute set. Groups are tougher because stock AD doesn’t have any user-defined attributes, but looking for FreePBX in the notes field would be helpful.