How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure AM (All versions) to ensure user profile lookups work after changing the LDAP authentication attribute?

Last updated Feb 24, 2021

The purpose of this article is to provide a guide to configuring AM to allow seamless changes of the LDAP authentication attribute whilst protecting the LDAP search attribute. By default, user profile lookup will fail if the LDAP authentication attribute is changed without reauthenticating.

1 reader recommends this article

Configuring AM

In summary, you can achieve this configuration by separating out Authentication from the User Profile with separate LDAP and DataStore authentication modules.

The following process assumes:

  • You have created a separate DS User Data Store on localhost:1389. In this example, the sample data was populated with 200 users with domain suffix dc=example,dc=com
  • You are using uid as the Universal Id.
  • Mail is the element you wish to log in with and change.

To configure AM:

  1. Navigate to Realms > [Realm Name] > Authentication > Modules in the console and click Add Module.
  2. Enter a name for the new module and select type LDAP.
  3. Configure the new LDAP module with the LDAP connection details and the following options:
    • Set the Attribute Used to Retrieve User Profile field to the Universal Id field (in this example uid).
    • Add the username/email attribute you wish to be changeable to the Attributes Used to Search for a User to be Authenticated field (in this example mail).
    • Deselect the Enabled option against the Return UserDN to DataStore field (this is enabled by default). This means that the text of the username is returned as the authentication principal rather than the whole dn (user.0 rather than cn=user.0,ou=people,dc=example,dc=com)
  1. Optionally, add the new LDAP module to the default authentication chain as the only or the first module by navigating to: Realms > [Realm Name] > Authentication > Chains > ldapService and replace the required DataStore module with your new LDAP module.
  2. Delete the embedded data store by navigating to: Realms > [Realm Name] > Data Stores, select embedded and click Delete.
  3. Add a new data store with a type that matches the LDAP Server you are configuring against (for example, DS):
    • AM 6 and later console: navigate to: Realms > [Realm Name] > Data Stores, click Add Data Store, enter a name and select the type.
    • Pre-AM 6 console: navigate to: Realms > [Realm Name] > Data Stores, click New, enter a name and select the type.
  4. ​Complete the following details for the new Data Store:
    • Configure the LDAP connection details and dn suffixes (Server Settings tab in AM 6 and later).
    • Set the LDAP Users Search Attribute field (User Configuration tab in AM 6 and later) to the Universal Id field (in this example uid).
    • Enable Load Schema or select the Load schema when saved option before saving your changes.
  1. Check the new data store is recognized by navigating to the Identities page (Subjects tab) and checking it contains the expected users from the new data store.
  2. Log into the realm as a user (in this example,
  3. Change the email address for this user (in this example, changed to and click Save.
  4. Log into the console on your realm as, for example: You will see the user's old email address still.
  5. Call the /users endpoint for this user, for example: You will see the user attributes returned, including the new email address:{"username":"user.199","realm":"/test","uid":["user.199"],"mail":[""], ...

See Also

User has no profile in this organization message received when user authenticates in AM (All versions)

How do I understand what the user data store is used for in AM (All versions)?

How do I create a user data store in AM (All versions) using ssoadm?

Authentication and Single Sign-On Guide › LDAP Authentication Module

Setup Guide › Identity Stores

Related Training


Related Issue Tracker IDs


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.