Question

Which users are accounted to licences?

Answer

The selection is done in several steps and they are documented here as LDAP-search filters:

• “root” will be excluded:
  (!(uidNumber=0))

• All machine accounts ending with “$” excluded:
  (!(uid=*$))

• For user account (take care of ordering here):
  (objectClass “posixAccount” AND “shadowAccount”) OR “sambaSamAccount”)):
  (|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=sambaSamAccount))

• Deactivated users are excluded, too:
  (!(&(shadowExpire=1)(krb5KDCFlags=254)(|(sambaAcctFlags=[UD ])(sambaAcctFlags=[ULD ]))))

A accounted user is the combination of all filters above:

root@example:~# univention-ldapsearch -LLL "(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=sambaSamAccount))(!(uidNumber=0))(!(uid=*$))(!(&(shadowExpire=1)(krb5KDCFlags=254)(|(sambaAcctFlags=[UD       ])(sambaAcctFlags=[ULD       ])))))" dn
dn: uid=Administrator,cn=users,dc=example,dc=net

dn: uid=join-backup,cn=users,dc=example,dc=net

dn: uid=join-slave,cn=users,dc=example,dc=net

dn: uid=ucs-sso,cn=users,dc=example,dc=net

dn: uid=mmustermann,cn=users,dc=example,dc=net