Back on the market
Date Created: February 4, 2016  Date Modified: February 4, 2016

My contract at the Western Australian Museum ends today, so I guess it's back to unemployment and poverty for me.

This rant was posted in Web.

Active Directory Search Controls for LDAP
Date Created: January 27, 2016  Date Modified: January 27, 2016

The following list shows many of the LDAP controls that Active Directory supports in relation to searching, as well as how to use the more common controls with AdFind:

LDAP_PAGED_RESULT_OID_STRING (1.2.840.113556.1.4.319)
Specifying this LDAP control instructs the domain controller that it can return more results than can fit in a single page. This is useful when searching for large result sets and should generally always be included in an Active Directory search.

LDAP_SERVER_DIRSYNC_OID (1.2.840.113556.1.4.841)
DirSync is an LDAP feature that allows you to ask Active Directory for all the objects in a given naming context that have changed since the last time the search was performed. Changes are tracked with a cookie that is returned by the server.

The DirSync control will only return modified attributes. If you want to return the full object when any attribute of that object has been modified, and you are running Windows Server 2012 or later, use the LDAP_SERVER_DIRSYNC_EX_OID (1.2.840.113556.1.4.2090) version of this control instead.

Applications such as Microsoft Forefront Identity Manager (FIM) use the DirSync LDAP feature to track changes. For more information on this feature, refer to this link.

LDAP_SERVER_DOMAIN_SCOPE_OID (1.2.840.113556.1.4.1339)
To make sure that the domain controller does not return referrals to result sets that are stored on other servers, include this LDAP control in your request.

LDAP_SERVER_EXTENDED_DN_OID (1.2.840.113556.1.4.529)
When this LDAP control is enabled, Active Directory will return the SID and objectGUID of each result as prefixes to the object’s DN in the result set. For more information, refer to this link.

LDAP_SERVER_GET_STATS_OID (1.2.840.113556.1.4.970)
This extremely useful LDAP control instructs Active Directory to return statistics about how the query processor will perform the requested search, as well as performance statistics about the result. We'll discuss this feature in more detail later in this chapter.

LDAP_SERVER_NOTIFICATION_OID (1.2.840.113556.1.4.528)
When this control is specified, Active Directory won't return a result until the requested object is modified. This is useful for tracking changes to specific objects in the directory and responding to them. For more information, refer to this link.

LDAP_SERVER_RANGE_OPTION_OID (1.2.840.113556.1.4.802)
Similar to the paged results control mentioned earlier, this is typically a control you will always want to specify. The ranged results control is used when you need to retrieve values in a multivalued attribute in excess of the maximum number of values a DC will return by default. You can use the LDAP_SERVER_RANGE_RETRIEVAL_NOERR_OID (1.2.840.113556.1.4.1948) alternate implementation of this LDAP control to ensure that errors will not be returned if you request more values than are available.

LDAP_SERVER_SD_FLAGS_OID (1.2.840.113556.1.4.801)
Use this control to tell the domain controller which components of an object's ntSecurityDescriptor (the ACL) to retrieve. Depending on the permissions of the user performing the query, not all of the components of the ACL may be readable. For more information, refer to this link.

LDAP_SERVER_SEARCH_OPTIONS_OID (1.2.840.113556.1.4.1340)
This generic control's most useful function is called phantom root. The phantom root feature enables you to perform a search across all of the naming contexts (application NCs excluded) hosted on a global catalog. If you have a multidomain forest with disjointed namespaces, use this control to search across all of the domains at once. Use the -pr switch to enable this function in AdFind.

LDAP_SERVER_SHOW_DELETED_OID (1.2.840.113556.1.4.417)
This control instructs the domain controller to include deleted objects and tombstones in the result set. If you have enabled the Active Directory Recycle Bin, this will only include objects that are currently recoverable. To include objects that have transitioned out of the Recycle Bin, you must also include the LDAP_SERVER_SHOW_RECYCLED_OID (1.2.840.113556.1.4.2064) control.

Active Directory treats deactivated linked values (links to objects that are in the Recycle Bin) differently. If you want to include deactivated links in your results, add the LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID (1.2.840.113556.1.4.2065) control.

To include deleted objects in AdFind, append the -showdel switch. If you also want to include objects that have transitioned out of the Recycle Bin, also append the -showrecycled switch. To include deactivated links, append -showdelobjlinks.

LDAP_SERVER_SORT_OID (1.2.840.113556.1.4.473)
This control instructs the server to sort the results based on one attribute before returning the result set. You can request search results to be sorted with AdFind by using the -sort and -rsort (reverse order) parameters. This document provides a great deal more information about sorting, especially with regard to the language-specific ordering of a result set and phonetic sort functionality on Japanese-language domain controllers.

Server-side sorting requires the use of a temporary table in the Active Directory database when the attribute being sorted on is not indexed. Temporary tables are limited in size. Consequently, server-side sorting of large result sets with unindexed attributes will likely fail due to the size constraints of the temporary table.

LDAP_CONTROL_VLVREQUEST (2.16.840.1.113730.3.4.9)
Virtual list view (VLV) searches are useful for large searches that will be paged through in a format similar to scrolling through an address book or phone directory. In fact, some versions of Microsoft Exchange use VLV for building the address books shown in email clients. For more information, refer to this link.

LDAP_SERVER_ASQ_OID (1.2.840.113556.1.4.1504)
Attribute scoped queries (ASQs) are useful when you want to perform a query based on a linked attribute’s value(s). For example, you might want to return all of the users who are members of a group called All Users. You can do this using AdFind with this syntax:

adfind -asq member -b "cn=All Users,ou=Groups,dc=cohovines,dc=com"
          -f "objectClass=user"
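
The controls above are sent as an OID plus a BER-encoded controlValue. The following is an added example, not code from the original post or from AdFind: it builds the controlValue for LDAP_SERVER_SD_FLAGS_OID and LDAP_SERVER_DIRSYNC_OID by hand, so you can see what an ACL-audit query actually asks the DC for (owner, group and DACL, leaving out the SACL that an unprivileged account cannot read). The SECURITY_INFORMATION bit values and the value layouts are taken from MS-ADTS; the tuple shape and the commented `conn.search` call assume the ldap3 library.

```python
# Added example (not from the page or AdFind): minimal BER encoding of the
# controlValue sent with LDAP_SERVER_SD_FLAGS_OID and LDAP_SERVER_DIRSYNC_OID.
# Layouts and flag bits follow MS-ADTS; the ldap3 call is a comment only.

# SECURITY_INFORMATION bits selecting parts of ntSecurityDescriptor.
OWNER_SECURITY_INFORMATION, GROUP_SECURITY_INFORMATION = 0x1, 0x2
DACL_SECURITY_INFORMATION, SACL_SECURITY_INFORMATION = 0x4, 0x8  # SACL needs SeSecurityPrivilege
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"
LDAP_SERVER_DIRSYNC_OID = "1.2.840.113556.1.4.841"

def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form (0x80 | count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_integer(value: int) -> bytes:
    """BER INTEGER for a non-negative value; a 0x00 pad is added when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + ber_length(len(body)) + body

def ber_octet_string(data: bytes) -> bytes:
    return b"\x04" + ber_length(len(data)) + data

def ber_sequence(*elements: bytes) -> bytes:
    body = b"".join(elements)
    return b"\x30" + ber_length(len(body)) + body

def sd_flags_value(flags: int) -> bytes:
    """SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }"""
    return ber_sequence(ber_integer(flags))

def dirsync_value(flags: int, max_bytes: int, cookie: bytes) -> bytes:
    """DirSyncRequestValue ::= SEQUENCE { Flags, MaxBytes INTEGER, Cookie OCTET STRING }.
    An empty cookie requests a full initial sync; send back the server's cookie next time."""
    return ber_sequence(ber_integer(flags), ber_integer(max_bytes), ber_octet_string(cookie))

def acl_audit_control() -> tuple:
    """(oid, criticality, value) tuple in the shape ldap3 accepts: owner, group and DACL
    only, so an unprivileged audit account is not refused for implicitly asking for the SACL."""
    flags = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
    return (LDAP_SERVER_SD_FLAGS_OID, True, sd_flags_value(flags))

# With a live connection (assumed ldap3 Connection):  conn.search(base_dn, "(objectClass=user)",
#     attributes=["nTSecurityDescriptor"], controls=[acl_audit_control()])
```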

This rant was posted in Intranet, Microsoft, Work.

Alfresco Cluster Properties (for Hazelcast)
Date Created: January 21, 2016  Date Modified: January 21, 2016

Property name Default value Description
alfresco.cluster.enabled true Enables clustering.
alfresco.cluster.interface Specifies a particular network interface to use for clustering. May be wildcarded, e.g. 10.256.*.* would mean attempt to bind to the interface having an IP address beginning “10.256.”.
alfresco.cluster.nodetype Repository Server Not normally used. Human-friendly description of the cluster member, as shown in JMX under "non-clustered servers". This is useful to give a name to non-clustered servers such as a transformation server that is attached to the same database as the cluster but not participating in it (e.g. alfresco.cluster.enabled=false).
alfresco.hazelcast.password alfrescocluster Password used by the cluster members to access/join the Hazelcast cluster.
alfresco.hazelcast.port 5701 Specifies the port to use for clustering.
alfresco.hazelcast.autoinc.port false If set to true, Hazelcast will try several times to find a free port starting at the value of alfresco.hazelcast.port. Not recommended.
alfresco.hazelcast.mancenter.enabled false If enabled, the server will push stats and other useful information to Hazelcast’s “mancenter” dashboard application.
alfresco.hazelcast.mancenter.url http://localhost:8080/mancenter The URL where the mancenter application may be found (alfresco.hazelcast.mancenter.enabled must be true for this to have any effect).

Alfresco User Attributes
Date Created: January 17, 2016  Date Modified: January 17, 2016

Type Description
properties An associative array of user properties.
id The user identifier.
name The Principal name (most commonly, this will be the same as the user ID).
fullName The user’s full name (for example, Joe Dwight Smith).
firstName The user’s first name (for example, Joe). Read/write.
middleName The user’s middle name (for example, Dwight). Read/write.
lastName The user’s last name (for example, Smith). Read/write.
email The user’s email address. Read/write.
organization The user’s organization. Read/write.
jobTitle The user’s job title. Read/write.
location The user’s location. Read/write.
biography The user’s biography. Read/write.
telephone The user’s telephone entry. Read/write.
mobilePhone The user’s mobile phone entry. Read/write.
skype The user’s Skype name. Read/write.
instantMsg The user’s instant messaging ID. Read/write.
googleUsername User name for Google account. Read/write.
companyPostcode The user’s company post code. Read/write.
companyTelephone The user’s company telephone entry. Read/write.
companyFax The user’s company fax entry. Read/write.
companyEmail The user’s company email address. Read/write.
companyAddress1 The user’s company address entry 1. Read/write.
companyAddress2 The user’s company address entry 2. Read/write.
companyAddress3 The user’s company address entry 3. Read/write.
isAdmin Returns a boolean. True if user is an administrator.
isGuest Returns a boolean. True if user is a guest.
nativeUser Returns the underlying user object for access to additional methods on custom user objects.
capabilities Get a map of capabilities (boolean assertions) for the user.

That time of year
Date Created: December 23, 2015  Date Modified: December 23, 2015

I wish you all the best for 2016, unless planned otherwise.

Thanks
B.Levene

This rant was posted in Personal.

LDAP userAccountControl Values
Date Created: December 21, 2015  Date Modified: December 21, 2015

This LDAP attribute returns values that have to be interpreted with the following table:

userAccountControl values Meaning
512 Enabled
514 ACCOUNTDISABLE
528 Enabled – LOCKOUT
530 ACCOUNTDISABLE – LOCKOUT
544 Enabled – PASSWD_NOTREQD
546 ACCOUNTDISABLE – PASSWD_NOTREQD
560 Enabled – PASSWD_NOTREQD – LOCKOUT
640 Enabled – ENCRYPTED_TEXT_PWD_ALLOWED
2048 INTERDOMAIN_TRUST_ACCOUNT
2080 INTERDOMAIN_TRUST_ACCOUNT – PASSWD_NOTREQD
4096 WORKSTATION_TRUST_ACCOUNT
8192 SERVER_TRUST_ACCOUNT
66048 Enabled – DONT_EXPIRE_PASSWORD
66050 ACCOUNTDISABLE – DONT_EXPIRE_PASSWORD
66064 Enabled – DONT_EXPIRE_PASSWORD – LOCKOUT
66066 ACCOUNTDISABLE – DONT_EXPIRE_PASSWORD – LOCKOUT
66080 Enabled – DONT_EXPIRE_PASSWORD – PASSWD_NOTREQD
66082 ACCOUNTDISABLE – DONT_EXPIRE_PASSWORD – PASSWD_NOTREQD
66176 Enabled – DONT_EXPIRE_PASSWORD – ENCRYPTED_TEXT_PWD_ALLOWED
131584 Enabled – MNS_LOGON_ACCOUNT
131586 ACCOUNTDISABLE – MNS_LOGON_ACCOUNT
131600 Enabled – MNS_LOGON_ACCOUNT – LOCKOUT
197120 Enabled – MNS_LOGON_ACCOUNT – DONT_EXPIRE_PASSWORD
532480 SERVER_TRUST_ACCOUNT – TRUSTED_FOR_DELEGATION (Domain Controller)
1049088 Enabled – NOT_DELEGATED
1049090 ACCOUNTDISABLE – NOT_DELEGATED
2097664 Enabled – USE_DES_KEY_ONLY
2687488 Enabled – DONT_EXPIRE_PASSWORD – TRUSTED_FOR_DELEGATION – USE_DES_KEY_ONLY
4194816 Enabled – DONT_REQ_PREAUTH