How do I use the LDAP connector in IDM (All versions) to update the ENABLE property in Active Directory?

Background setup

The LDAP connector allows you to update the ENABLE property to enable or disable a user's account in Active Directory.

Before attempting to change the ENABLE property, you must ensure the following is true:

• The LDAP connector is configured for SSL.
• The provisioner configuration file (for example, provisioner.openicf-ldap.json located in the /path/to/idm/conf directory) contains the following attributes at a minimum: "account" : { "$schema" : "http://json-schema.org/draft-03/schema", "id" : "__ACCOUNT__", "type" : "object", "nativeType" : "__ACCOUNT__", "properties" : { "__ENABLE__" : { "type" : "boolean", "nativeName" : "__ENABLE__", "nativeType" : "JAVA_TYPE_PRIMITIVE_BOOLEAN" }, "dn" : { "type" : "string", "required" : true, "nativeName" : "__NAME__", "nativeType" : "string" }, "cn" : { "type" : "string", "nativeName" : "cn", "nativeType" : "string", "flags" : [ "NOT_CREATABLE", "NOT_UPDATEABLE" ] }, "sAMAccountName" : { "type" : "string", "nativeName" : "sAMAccountName", "nativeType" : "string" }, "userAccountControl" : { "type" : "string", "nativeName" : "userAccountControl", "nativeType" : "string" }, "password" : { "type" : "string", "nativeName" : "__PASSWORD__", "nativeType" : "JAVA_TYPE_GUARDEDSTRING", "flags" : [ "NOT_READABLE", "NOT_RETURNED_BY_DEFAULT" ], "runAsUser" : true },

Creating the Connector through the Admin UI

An easy way to create the connector is through the Admin UI as described in Creating Connector Configurations With the Admin UI. You can create the connector by selecting type "AD LDAP Configuration".

When you create the LDAP connector via the Admin UI, the following happens:

• The following account search filter is created: "accountSearchFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))"This search filter means disabled users are not returned and are not available for REST calls. You must remove this search filter to allow users to be enabled and disabled through REST calls. It should be noted though that this will make disabled users available for all other REST calls as well, which may not be desirable. One way to work around this would be to create a separate connector for the same AD instance with this search filter removed and use that connector only for the purpose of enabling and disabling accounts.
• The following entry may be created in the properties section of the provisioner configuration file: "isActive" : { "type" : "boolean", "nativeName" : "__ENABLE__", "nativeType" : "boolean", "flags" : [ "NOT_CREATABLE", "NOT_UPDATEABLE" ] },Where the property name is "isActive" instead of "__ENABLE__" as shown in the sample above. If this entry is created, you must remove the "NOT_CREATABLE" and "NOT_UPDATABLE" flags to make it usable.

Changing the ENABLE property

You can change the ENABLE property using a PUT request such as the following (where the user's account is currently disabled but does not require a password):

Example result returned (with irrelevant attributes removed):

Important attributes to note are:

• "__PASSWORD_NOTREQD__": true - confirms the password is not required.
• "userAccountControl": "544" - indicates the user account is now enabled and the password is not required. The actual number may differ, but the flag with value 2 indicating that the account is disabled should not be set.
• "__ENABLE__": true - confirms the account is now enabled.

See Also

Attribute value conflicts with the attribute's schema definition on operation UPDATE for system object

How do I configure the userAccountControl property in the LDAP and .NET Connectors in IDM (All versions)?

Using the Generic LDAP connector With Active Directory

Related Training

N/A

Related Issue Tracker IDs

N/A