Problem: Disabled Student Accounts Are Still Synced to Apple School Manager

Problem

At the beginning of the school year, multiple schools report that disabled student accounts are still being synchronized to Apple School Manager (ASM). This behavior leads to inactive or blocked users appearing in ASM, even though they are disabled in the directory service.

Root Cause

The synchronization to Apple School Manager does not automatically exclude disabled users.
By default, the LDAP filters used for the ASM integration do not consistently filter out accounts that are marked as disabled.

Solution

In other environments, the issue was resolved by adjusting the LDAP filters used for ASM synchronization via UCR variables. The recommended approach is to filter users based on the sambaAcctFlags attribute.

Recommended UCR Variables

Set the following UCR variables:

asm/ldap_filter/staff/*: <empty>
asm/ldap_filter/staff: (!(sambaAcctFlags=[UD         ]))
asm/ldap_filter/students/*: <empty>
asm/ldap_filter/students: (!(sambaAcctFlags=[UD         ]))

These filters exclude every account whose sambaAcctFlags value is exactly [UD         ], i.e. a user account marked as disabled, from the ASM export.

Deployment Options

You can apply these UCR variables in one of the following ways:

  • Manually set the variables for each individual school
  • Distribute the variables centrally using a policy-based configuration

Further details on policy-based configuration of UCR variables can be found here:
https://docs.software-univention.de/manual/latest/de/computers/ucr.html#policy-based-configuration-of-ucr-variables

Explanation of the Whitespace in sambaAcctFlags

The spaces inside the filter are intentional and correct.

  • The sambaAcctFlags field has a fixed length.
  • Only specific positions contain letters that describe the account status.
  • All other positions are filled with spaces.
  • U stands for “User”
  • D stands for “Disabled”
  • All remaining characters are placeholders and must remain as spaces

Why Not Use shadowExpire?

Using shadowExpire as a filter is not recommended.

While it can detect certain types of account lockouts, it does not cover all deactivation cases. For example, accounts that expire on a specific date may not be reliably filtered out. This can still result in unwanted users being exported to Apple School Manager.

In contrast, sambaAcctFlags is automatically and consistently updated in UCS whenever a user account is disabled. For this reason, filtering based on sambaAcctFlags is the more reliable and recommended solution.
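To make the fixed-width flag string and the shadowExpire comparison concrete, here is a small added Python example (it is not part of the original post and not UCS code). The directory entries are constructed, and the LDAP equality match is modelled as an exact string comparison:

```python
import re


def acct_flags(*letters):
    """Build a fixed-width sambaAcctFlags value: '[' + 11 positions + ']'.
    Only the given letters are set; every remaining position stays a space."""
    return "[" + "".join(letters).ljust(11) + "]"


# The value the recommended UCR filter excludes: "[UD         ]"
DISABLED_FLAGS = acct_flags("U", "D")
ASM_FILTER = "(!(sambaAcctFlags=%s))" % DISABLED_FLAGS

# Constructed sample entries, not real directory data. shadowExpire is the
# day number (days since 1970-01-01) after which the account expires, or None.
SAMPLE_ENTRIES = [
    {"uid": "student1", "sambaAcctFlags": acct_flags("U"), "shadowExpire": None},
    {"uid": "student2", "sambaAcctFlags": acct_flags("U", "D"), "shadowExpire": None},
    {"uid": "student3", "sambaAcctFlags": acct_flags("U"), "shadowExpire": 19000},
    {"uid": "student4", "sambaAcctFlags": acct_flags("U", "D"), "shadowExpire": 19000},
]


def decode_acct_flags(value):
    """Return the set of flag letters contained in a fixed-width value."""
    if len(value) != 13 or value[0] != "[" or value[-1] != "]":
        raise ValueError("malformed sambaAcctFlags value: %r" % value)
    return set(value[1:-1].replace(" ", ""))


def is_disabled(entry):
    """'D' among the flags means the account is disabled in the directory."""
    return "D" in decode_acct_flags(entry["sambaAcctFlags"])


def validate_ucr_filter(filter_value):
    """Check a candidate UCR value has the documented shape before setting it:
    a negated equality on sambaAcctFlags whose 13-character value contains 'D'."""
    match = re.fullmatch(r"\(!\(sambaAcctFlags=(\[.{11}\])\)\)", filter_value)
    return match is not None and "D" in decode_acct_flags(match.group(1))


def export_with_acct_flags_filter(entries, excluded=DISABLED_FLAGS):
    """Emulate (!(sambaAcctFlags=<excluded>)) as an exact value comparison."""
    return [e["uid"] for e in entries if e["sambaAcctFlags"] != excluded]


def export_with_shadow_expire_filter(entries, today_days):
    """Emulate a filter that drops only accounts whose shadowExpire has passed."""
    return [e["uid"] for e in entries
            if e["shadowExpire"] is None or e["shadowExpire"] >= today_days]
```

Running both export functions over the sample entries shows the difference the post describes: the sambaAcctFlags filter drops both disabled students, while the shadowExpire filter still exports the disabled student2 because that account has no expiry date.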
