go-ldap / ldap

Basic LDAP v3 functionality for the GO programming language.

Can't get entry attribute SmartcardLogonRequired for Active Directory user #445

Closed dpajkovic closed 1 year ago

dpajkovic commented 1 year ago

Hello,

I search for the object with no limitation on attributes ([]string{}), but I don't see the results for the attribute SmartcardLogonRequired either when doing Print() on the entry or when I do GetAttributeValue("SmartcardLogonRequired"). The object has the value (True or False) when I check the same object with PowerShell.

I've also tried specifying the attribute in the search ([]string{"SmartcardLogonRequired"}) but the result entry only has the DN attribute present.

cpuschma commented 1 year ago

There's no such attribute SmartcardLogonRequired. In PowerShell this is only a flag to set the corresponding bit field in the userAccountControl attribute. See http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm for more information. You basically need to check whether the bit is set in userAccountControl, e.g.:

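```go
// entry is the *ldap.Entry from the search result; the attribute must be requested.
i, _ := strconv.Atoi(entry.GetAttributeValue("userAccountControl"))
// 262144 (0x40000) is the smart-card-required bit of userAccountControl.
smartCardLoginRequired := (i & 262144) == 262144
```
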
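
The bit test described in the comment above, as an added example that is not part of the original thread or of go-ldap itself. It extends the check to handle a missing or malformed value and builds a server-side filter with Active Directory's bitwise-AND matching rule for auditing enabled accounts by smart-card enforcement; `hasFlag`, `smartcardFilter` and the constant names are chosen here, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"strconv"
)

// Bit values of userAccountControl flags (names chosen for this example).
const (
	ufAccountDisable    = 0x00000002
	ufSmartcardRequired = 0x00040000 // 262144, the bit discussed in this thread
)

// Matching-rule OID for a bitwise AND (LDAP_MATCHING_RULE_BIT_AND) in AD filters.
const bitAndRule = "1.2.840.113556.1.4.803"

// hasFlag parses the userAccountControl string returned by LDAP and reports whether
// every bit of flag is set. An empty or non-numeric value is an error, not "false".
func hasFlag(uac string, flag uint32) (bool, error) {
	if uac == "" {
		return false, fmt.Errorf("userAccountControl missing from entry")
	}
	v, err := strconv.ParseInt(uac, 10, 64)
	if err != nil {
		return false, fmt.Errorf("userAccountControl %q: %w", uac, err)
	}
	return uint32(v)&flag == flag, nil
}

// smartcardFilter builds a server-side filter for enabled user accounts whose
// smart-card-required bit is set (required=true) or clear (required=false).
func smartcardFilter(required bool) string {
	sc := fmt.Sprintf("(userAccountControl:%s:=%d)", bitAndRule, ufSmartcardRequired)
	if !required {
		sc = "(!" + sc + ")"
	}
	disabled := fmt.Sprintf("(userAccountControl:%s:=%d)", bitAndRule, ufAccountDisable)
	return "(&(objectCategory=person)(objectClass=user)(!" + disabled + ")" + sc + ")"
}

func main() {
	// Constructed sample values: 512 = normal account, 262656 = 512 + 262144.
	for _, uac := range []string{"512", "262656", ""} {
		req, err := hasFlag(uac, ufSmartcardRequired)
		fmt.Printf("uac=%q smartcardRequired=%v err=%v\n", uac, req, err)
	}
	fmt.Println(smartcardFilter(false))
}
```

The string from `smartcardFilter` can be passed as the filter of a go-ldap search request, with `userAccountControl` listed in the requested attributes so that `hasFlag` has a value to parse.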
dpajkovic commented 1 year ago

Thanks a million, I should have remembered that there are "calculated" attributes in AD.

On a separate note, in your code example it should be (i & 262144) == 26144, it would never be 1.

cpuschma commented 1 year ago

Ah thanks for correcting me. I was at lunch and ate my sandwich and got carried away a bit :D. I updated the example.