Q&A: Which Users Are Accounted To Licenses?

Question

Which users are accounted to licences?

Answer

The selection is done in several steps and they are documented here as LDAP-search filters:

  • “root” will be excluded:
    (!(uidNumber=0))

  • All machine accounts ending with “$” excluded:
    (!(uid=*$))

  • For user account (take care of ordering here):
    (objectClass “posixAccount” AND “shadowAccount”) OR “sambaSamAccount”)):
    (|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=sambaSamAccount))

  • Deactivated users are excluded, too:
    (!(&(shadowExpire=1)(krb5KDCFlags=254)(|(sambaAcctFlags=[UD ])(sambaAcctFlags=[ULD ]))))

A accounted user is the combination of all filters above:

root@example:~# univention-ldapsearch -LLL "(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=sambaSamAccount))(!(uidNumber=0))(!(uid=*$))(!(&(shadowExpire=1)(krb5KDCFlags=254)(|(sambaAcctFlags=[UD ])(sambaAcctFlags=[ULD ])))))" dn
dn: uid=Administrator,cn=users,dc=example,dc=net

dn: uid=join-backup,cn=users,dc=example,dc=net

dn: uid=join-slave,cn=users,dc=example,dc=net

dn: uid=ucs-sso,cn=users,dc=example,dc=net

dn: uid=mmustermann,cn=users,dc=example,dc=net