How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure AM (All versions) to ensure user profile lookups work after changing the LDAP authentication attribute?

Last updated Jan 16, 2023

The purpose of this article is to provide a guide to configuring AM to allow seamless changes of the LDAP authentication attribute whilst protecting the LDAP search attribute. By default, user profile lookup will fail if the LDAP authentication attribute is changed without reauthenticating.


Configuring AM

In summary, you can achieve this configuration by separating out Authentication from the User Profile with separate LDAP and DataStore authentication modules.

The following process assumes:

  • You have created a separate DS User Data Store on localhost:1389. In this example, the sample data was populated with 200 users with domain suffix dc=example,dc=com.
  • You are using uid as the Universal Id.
  • mail is the attribute you wish to log in with and change.

To configure AM:

  1. Navigate to Realms > [Realm Name] > Authentication > Modules in the AM admin UI and click Add Module.
  2. Enter a name for the new module and select type LDAP.
  3. Configure the new LDAP module with the LDAP connection details and the following options:
    • Set the Attribute Used to Retrieve User Profile field to the Universal Id field (in this example uid).
    • Add the username/email attribute you wish to be changeable to the Attributes Used to Search for a User to be Authenticated field (in this example mail).
    • Deselect the Enabled option against the Return UserDN to DataStore field (this is enabled by default). This means that the text of the username is returned as the authentication principal rather than the whole DN (user.0 rather than cn=user.0,ou=people,dc=example,dc=com).
  4. Optionally, add the new LDAP module to the default authentication chain as the only or the first module by navigating to: Realms > [Realm Name] > Authentication > Chains > ldapService and replace the required DataStore module with your new LDAP module.
  5. Delete the embedded data store by navigating to: Realms > [Realm Name] > Data Stores, select embedded and click Delete.
  6. Add a new data store by navigating to Realms > [Realm Name] > Data Stores, click Add Data Store, enter a name and select the type; this must match the LDAP Server you are configuring against (for example, DS).
  7. Complete the following details for the new Data Store:
    • Configure the LDAP connection details and dn suffixes (Server Settings tab).
    • Set the LDAP Users Search Attribute field (User Configuration tab) to the Universal Id field (in this example uid).
    • Enable Load Schema or select the Load schema when saved option before saving your changes.
  8. Check the new data store is recognized by navigating to the Identities page and checking it contains the expected users from the new data store.
  9. Log into the realm as a user (in this example,
  10. Change the email address for this user (in this example, changed to and click Save.
  11. Log into the AM admin UI on your realm as, for example: will see the user's old email address still.
  12. Call the /users endpoint for this user, for example: will see the user attributes returned, including the new email address:
    {"username":"user.199","realm":"/test","uid":["user.199"],"mail":[""], ...
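
The following added example (a simplified in-memory model, not AM or ForgeRock code) shows why the configuration above keeps profile lookups working: the login search uses mail, but the principal carried in the session and the data store search both use uid. The entry, email addresses and function names are constructed for illustration, and the "mail, mail" case is an assumed configuration in which the profile is keyed on the mutable attribute.

```python
# Simplified model (constructed data, hypothetical helper names) of the two
# lookups this article configures: the LDAP module's authentication search and
# the data store's profile search.

def make_directory():
    # Constructed sample entry; the email addresses are placeholders.
    return [{"dn": "cn=user.0,ou=people,dc=example,dc=com",
             "uid": "user.0", "mail": "old@example.com"}]

def find(directory, attr, value):
    """Return the single entry whose attr equals value, else None."""
    matches = [e for e in directory if e.get(attr) == value]
    return matches[0] if len(matches) == 1 else None

def authenticate(directory, login, search_attr, profile_attr):
    """Model of the LDAP module: search on search_attr, then return the bare
    value of profile_attr as the principal (Return UserDN deselected)."""
    entry = find(directory, search_attr, login)
    return entry[profile_attr] if entry else None

def lookup_profile(directory, principal, store_search_attr):
    """Model of the data store: find the profile by its search attribute."""
    return find(directory, store_search_attr, principal)

def scenario(profile_attr, store_search_attr):
    """Log in with mail, change mail mid-session, then look up the profile
    using the principal that was issued at login (no reauthentication)."""
    directory = make_directory()
    principal = authenticate(directory, "old@example.com", "mail", profile_attr)
    directory[0]["mail"] = "new@example.com"  # the user edits their email
    profile = lookup_profile(directory, principal, store_search_attr)
    # A fresh login with the new address must still resolve to a principal.
    relogin = authenticate(directory, "new@example.com", "mail", profile_attr)
    return principal, profile, relogin

def main():
    for profile_attr, store_attr in (("mail", "mail"), ("uid", "uid")):
        principal, profile, relogin = scenario(profile_attr, store_attr)
        status = "found" if profile else "NOT FOUND"
        print(f"profile keyed on {profile_attr}: session principal={principal!r}, "
              f"profile {status}, relogin principal={relogin!r}")

if __name__ == "__main__":
    main()
```

With the profile keyed on mail, the session principal goes stale as soon as the address changes; keyed on uid, the same session still resolves to the profile and the user can log in with the new address.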

See Also

User has no profile in this organization message received when user authenticates in AM (All versions)

How do I understand what the user data store is used for in AM (All versions)?

How do I create a user data store in AM (All versions) using ssoadm?

LDAP authentication module

Identity stores

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.