Ruby/ldap - available Active Directory attributes, negative filter

Hi,

I’m trying to get user information from Active Directory via Ruby/LDAP
and I don’t see all attributes I’d like to use. I tried to look for
relevant information, RTFM, but unfortunately I haven’t found a solution
so far. One of the attributes I’d like to use is accountExpires
and I see the following attributes are listed by the following code:


require 'ldap'

$LDAP_HOST = 'my active directory server'
$LDAP_PORT = LDAP::LDAP_PORT
$LDAP_USER = 'bind user DN'
$LDAP_PW = 'bind pw'

# Connect on port 3268 and bind with the service account
conn = LDAP::Conn.new($LDAP_HOST, 3268)
conn.bind($LDAP_USER, $LDAP_PW)

my_filter = "(&(objectCategory=person)(objectclass=user))"
res = conn.search2("dc=mydc,dc=com", LDAP::LDAP_SCOPE_SUBTREE, my_filter)
# Print the attribute names returned for the first entry
res[0].keys.each { |k| puts k }

conn.unbind

the results are (sorted):
cn
company
department
description
directReports
displayName
distinguishedName
dLMemDefault
dn
dSCorePropagationData
extensionAttribute1
extensionAttribute11
extensionAttribute15
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
givenName
homeMDB
homeMTA
info
instanceType
lastLogonTimestamp
legacyExchangeDN
mail
mailNickname
managedObjects
manager
mAPIRecipient
mDBUseDefaults
memberOf
msExchADCGlobalNames
msExchHomeServerName
msExchMailboxGuid
msExchMailboxSecurityDescriptor
msExchMailboxTemplateLink
msExchMasterAccountSid
msExchMobileMailboxFlags
msExchPoliciesIncluded
msExchPreviousAccountSid
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchUserAccountControl
msExchVersion
name
objectCategory
objectClass
objectGUID
objectSid
otherTelephone
physicalDeliveryOfficeName
primaryGroupID
proxyAddresses
pwdLastSet
replicatedObjectVersion
replicationSignature
sAMAccountName
sAMAccountType
showInAddressBook
sn
telephoneNumber
textEncodedORAddress
title
userAccountControl
userCertificate
userPrincipalName
uSNChanged
uSNCreated
whenChanged
whenCreated

It’s interesting for me because adtool and ldapsearch on Linux can get
the accountExpires attribute so it should be available via LDAP
interface.

My other problem is that negative filtering is not working, e.g.:
my_filter = "(&(objectCategory=person)(objectclass=user)(!userAccountControl=514))"
this filter has no results (I’ve checked with a Visual Basic script that
there should be results with the same filter syntax).

Thanks for any help,
Gabor
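
Added example, not part of the original post: a minimal Ruby check of filter structure against the RFC 4515 grammar, in which `!` must be followed by a parenthesised filter, run over the filters from the post. `parse_filter` and `filter_error` are hypothetical helper names, and the post itself does not establish that this is why the search returns nothing.

```ruby
# Added example: structural check of an LDAP filter string against the
# RFC 4515 grammar. Items (attr=value) are only loosely validated.
class FilterSyntaxError < StandardError; end

# Parses one "(" filtercomp ")" starting at pos; returns the offset after it.
def parse_filter(s, pos = 0)
  raise FilterSyntaxError, "expected '(' at offset #{pos}" unless s[pos] == '('
  pos += 1
  case s[pos]
  when '&', '|'
    # and / or: the operator is followed by one or more "(" filter ")"
    pos += 1
    raise FilterSyntaxError, "'#{s[pos - 1]}' needs a '(' at offset #{pos}" unless s[pos] == '('
    pos = parse_filter(s, pos) while s[pos] == '('
  when '!'
    # not: the operator is followed by exactly one "(" filter ")"
    pos += 1
    raise FilterSyntaxError, "'!' must be followed by '(' at offset #{pos}" unless s[pos] == '('
    pos = parse_filter(s, pos)
  else
    # simple item: attribute, =, ~=, >=, <= or :rule:=, then the value
    close = s.index(')', pos)
    raise FilterSyntaxError, "unterminated item at offset #{pos}" if close.nil?
    item = s[pos...close]
    unless item =~ /\A[A-Za-z0-9.;:-]+[~<>]?=[^()]*\z/
      raise FilterSyntaxError, "item '#{item}' is not attr=value"
    end
    pos = close
  end
  raise FilterSyntaxError, "expected ')' at offset #{pos}" unless s[pos] == ')'
  pos + 1
end

# Returns nil when the whole string is one well-formed filter, else a message.
def filter_error(s)
  end_pos = parse_filter(s)
  end_pos == s.length ? nil : "trailing text at offset #{end_pos}"
rescue FilterSyntaxError => e
  e.message
end

# Filters from the post, plus the negation written in RFC 4515 form.
base = '(&(objectCategory=person)(objectclass=user)'
[base + ')',
 base + '(!userAccountControl=514))',
 base + '(!(userAccountControl=514)))'].each do |f|
  puts "#{f} => #{filter_error(f) || 'well-formed'}"
end
```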