How to get pdm_ldap_import to NOT import a user/contact when that user has been 'disabled' in ActiveDirectory

Document ID : KB000053886
Last Modified Date : 14/02/2018
Show Technical Document Details


To avoid contacts being created in servicedesk when pdm_ldap_import runs.


  1. Create the ldap.mod file(to add the attribute for active users):

    OBJECT ldap LDAP {
    userAccountControl "!userAccountControl:1.2.840.113556.1.4.803:" INTEGER;

  2. create the cnt.mod file(to add the attribute to avoid a message during pdm_ldap_sync):

    OBJECT cnt PDM {
    ATTRIBUTES ca_contact{
    userAccountControl INTEGER;

  3. copy these two files into %NX_ROOT%/site/mods/majic folder

  4. Recycle the Services.

  5. use following command:

    pdm_ldap_import -l "userAccountControl=2"

Now an 'ldap-disabled' user will not be imported into servicedesk.

After you 'enabled' the user in ldap, you need to run the pdm_ldap_import again to add that user into Service Desk.

How does this work?

The change in the ldap.mod file helps servicedesk to use the filter provided in the argument.

The ldap.mod file maps the userAccountControl variable as "!userAccountControl:1.2.840.113556.1.4.803:".

So when we query ldap, the query string becomes !userAccountControl:1.2.840.113556.1.4.803:=2 which basically means a logical AND of userAccountControl and hex value 2 and finally a logical NOT.

A logical AND of userAccountControl (here the logical AND is performed by :1.2.840.113556.1.4.803: appended to userAccountControl) gives a value of 2 if the user account is disabled.
Since we are doing a logical NOT of the value, we get only the active accounts, and NOT the disabled ones.

In short, when querying ldap, ldap returns only active users if we use !userAccountControl:1.2.840.113556.1.4.803:=2 as argument. Thus all the inactive accounts are filtered out of the ldap results.