How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I use the LDAP Connector in IDM (All versions) to update the ENABLE property in Active Directory?

Last updated Apr 8, 2021

The purpose of this article is to provide information on using the LDAP Connector in IDM to update the ENABLE property in Active Directory® using the userAccountControl property. userAccountControl is an Active Directory attribute that provides information about a user's account status; the ENABLE property is used to enable or disable a user's account in Active Directory.


Background setup

The LDAP connector allows you to update the ENABLE property to enable or disable a user's account in Active Directory.

Before attempting to change the ENABLE property, you must ensure the following is true:

  • The LDAP connector is configured for SSL.
  • The provisioner configuration file (for example, provisioner.openicf-ldap.json located in the /path/to/idm/conf directory) contains the following attributes at a minimum (fragment; the remaining properties and the closing braces are omitted here):

    "account" : {
      "$schema" : "",
      "id" : "__ACCOUNT__",
      "type" : "object",
      "nativeType" : "__ACCOUNT__",
      "properties" : {
        "__ENABLE__" : {
          "type" : "boolean",
          "nativeName" : "__ENABLE__",
          "nativeType" : "JAVA_TYPE_PRIMITIVE_BOOLEAN"
        },
        "dn" : {
          "type" : "string",
          "required" : true,
          "nativeName" : "__NAME__",
          "nativeType" : "string"
        },
        "cn" : {
          "type" : "string",
          "nativeName" : "cn",
          "nativeType" : "string",
          "flags" : [
            "NOT_CREATABLE",
            "NOT_UPDATEABLE"
          ]
        },
        "sAMAccountName" : {
          "type" : "string",
          "nativeName" : "sAMAccountName",
          "nativeType" : "string"
        },
        "userAccountControl" : {
          "type" : "string",
          "nativeName" : "userAccountControl",
          "nativeType" : "string"
        },
        "password" : {
          "type" : "string",
          "nativeName" : "__PASSWORD__",
          "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
          "flags" : [
            "NOT_READABLE",
            "NOT_RETURNED_BY_DEFAULT"
          ],
          "runAsUser" : true
        },

Creating the Connector through the Admin UI

An easy way to create the connector is through the Admin UI as described in Connectors Guide › Creating Connector Configurations With the Admin UI. You can create the connector by selecting type "AD LDAP Configuration".

When you create the LDAP connector via the Admin UI, the following happens:

  • The following account search filter is created:

    "accountSearchFilter" : "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))"

    The 1.2.840.113556.1.4.803 matching rule is a bitwise AND, so the first clause excludes every entry whose userAccountControl has the disabled bit (value 2) set: disabled users are not returned and are not available for REST calls. You must remove this search filter to allow users to be enabled and disabled through REST calls. Note, however, that this makes disabled users available to all other REST calls as well, which may not be desirable. One way to work around this is to create a separate connector for the same AD instance with this search filter removed and use that connector only for enabling and disabling accounts.
  • The following entry may be created in the properties section of the provisioner configuration file:

    "isActive" : {
      "type" : "boolean",
      "nativeName" : "__ENABLE__",
      "nativeType" : "boolean",
      "flags" : [
        "NOT_CREATABLE",
        "NOT_UPDATEABLE"
      ]
    },

    Here the property name is "isActive" rather than "__ENABLE__" as shown in the sample above. If this entry is created, you must remove the "NOT_CREATABLE" and "NOT_UPDATEABLE" flags to make it usable.
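The two blockers described above (the Admin UI's default account search filter and the NOT_CREATABLE/NOT_UPDATEABLE flags on the property mapped to __ENABLE__) are easy to miss by eye in a large provisioner file. The following script is an added example, not code from the article or from ForgeRock: it audits a provisioner configuration for both conditions and produces a corrected copy. The sample configuration is constructed inline, and the placement of accountSearchFilter under configurationProperties and of the account object type under objectTypes is an assumption about the file layout.

```python
import copy
import json

# Constructed sample of the relevant parts of a provisioner.openicf-ldap.json as the
# Admin UI's "AD LDAP Configuration" type generates it (not a file from the article).
# Assumption: accountSearchFilter lives under configurationProperties and the account
# object type under objectTypes.
SAMPLE_PROVISIONER = json.loads(r'''
{
  "configurationProperties": {
    "accountSearchFilter": "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))"
  },
  "objectTypes": {
    "account": {
      "$schema": "",
      "id": "__ACCOUNT__",
      "type": "object",
      "nativeType": "__ACCOUNT__",
      "properties": {
        "isActive": {
          "type": "boolean",
          "nativeName": "__ENABLE__",
          "nativeType": "boolean",
          "flags": ["NOT_CREATABLE", "NOT_UPDATEABLE"]
        },
        "dn": {
          "type": "string",
          "required": true,
          "nativeName": "__NAME__",
          "nativeType": "string"
        }
      }
    }
  }
}
''')

# The clause the Admin UI adds to hide disabled accounts (userAccountControl bit 2 set).
DISABLED_CLAUSE = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
# ICF flags that stop IDM from writing a property.
BLOCKING_FLAGS = {"NOT_CREATABLE", "NOT_UPDATEABLE"}


def account_properties(provisioner):
    """Return the account object type's property map (empty if the file lacks one)."""
    return provisioner.get("objectTypes", {}).get("account", {}).get("properties", {})


def enable_property_names(provisioner):
    """Names of account properties mapped to the __ENABLE__ operational attribute."""
    return [name for name, spec in account_properties(provisioner).items()
            if spec.get("nativeName") == "__ENABLE__"]


def audit_enable_support(provisioner):
    """List the reasons, if any, why __ENABLE__ cannot be updated through this connector."""
    findings = []
    filt = provisioner.get("configurationProperties", {}).get("accountSearchFilter") or ""
    if DISABLED_CLAUSE in filt:
        findings.append("accountSearchFilter hides disabled accounts, so they cannot be re-enabled via REST")
    names = enable_property_names(provisioner)
    if not names:
        findings.append("no account property has nativeName __ENABLE__")
    for name in names:
        blocking = BLOCKING_FLAGS & set(account_properties(provisioner)[name].get("flags", []))
        if blocking:
            findings.append(f"property {name!r} carries {sorted(blocking)}; remove them to make it writable")
    return findings


def fix_enable_support(provisioner):
    """Return a copy with the disabled-account clause and the blocking flags removed."""
    fixed = copy.deepcopy(provisioner)
    conf = fixed.setdefault("configurationProperties", {})
    if conf.get("accountSearchFilter"):
        conf["accountSearchFilter"] = conf["accountSearchFilter"].replace(DISABLED_CLAUSE, "")
    for name in enable_property_names(fixed):
        spec = account_properties(fixed)[name]
        spec["flags"] = [f for f in spec.get("flags", []) if f not in BLOCKING_FLAGS]
        if not spec["flags"]:
            del spec["flags"]
    return fixed


if __name__ == "__main__":
    for finding in audit_enable_support(SAMPLE_PROVISIONER):
        print("finding:", finding)
    print(json.dumps(fix_enable_support(SAMPLE_PROVISIONER)["configurationProperties"], indent=2))
```

Running it against the sample reports both findings; the corrected copy keeps the computer exclusion, `(&(!(objectClass=Computer)))`, and leaves every other property untouched, which is the narrower change to prefer when a dedicated enable/disable connector is not an option.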

Changing the ENABLE property

You can change the ENABLE property using a PUT request such as the following (where the user's account is currently disabled but does not require a password):

$ curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "If-Match: *" \
--header "Content-Type: application/json" \
--request PUT \
--data '{ "__ENABLE__": true }' \
"http://localhost:8080/openidm/system/AD/account/<GUID=f2e08a5c-473f-4798-a2d5-d5cc27c862a9>"

The path segment <GUID=...> is the _id the connector assigns to the entry; replace the GUID with that of the account you are updating, and the credentials with those of an IDM administrative user.

You must pass the HTTP header "If-Match: *" in order to perform an update, otherwise it is interpreted as a create operation, which will fail if the entry already exists.

Example result returned (with irrelevant attributes removed):

{
  "lastLogon": "0",
  "__PASSWORD_NOTREQD__": true,
  "__PASSWORD_EXPIRED__": true,
  "pwdLastSet": "0",
  "__LOCK_OUT__": false,
  "__DONT_EXPIRE_PASSWORD__": false,
  "userAccountControl": "544",
  "__SMARTCARD_REQUIRED__": false,
  "__ENABLE__": true
}

Important attributes to note are:

  • "__PASSWORD_NOTREQD__": true - confirms the password is not required.
  • "userAccountControl": "544" - indicates the user account is now enabled and the password is not required. The actual number may differ, but the ACCOUNTDISABLE flag (value 2) must not be set in an enabled account.
  • "__ENABLE__": true - confirms the account is now enabled.
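To check a returned userAccountControl value such as "544" without reaching for a bit calculator, and to see why the Admin UI's default search filter hides disabled users, the following added example (not code from the article or from the connector) decodes the value into its named flags, shows the single-bit change that toggling __ENABLE__ corresponds to, and evaluates the default filter's bitwise-AND matching rule over constructed sample entries. The flag values are the ones Microsoft documents for userAccountControl; the sample entries and the connector's exact write behaviour are assumptions.

```python
# userAccountControl bit values as documented by Microsoft, for the flags that matter here.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000

UAC_FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    SMARTCARD_REQUIRED: "SMARTCARD_REQUIRED",
}

# Constructed directory entries (not from the article): an enabled user, a disabled user
# and a computer account, with userAccountControl as the string the connector returns.
SAMPLE_ENTRIES = [
    {"dn": "CN=Alice Example,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": "544"},
    {"dn": "CN=Bob Example,OU=Users,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userAccountControl": "546"},
    {"dn": "CN=WS01,OU=Workstations,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "userAccountControl": "4096"},
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value (str or int), lowest bit first."""
    v = int(value)
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if v & bit]


def is_enabled(value):
    """An account is enabled when the ACCOUNTDISABLE bit is clear."""
    return not (int(value) & ACCOUNTDISABLE)


def set_enabled(value, enabled):
    """The userAccountControl string that results from toggling __ENABLE__ (assumed behaviour):
    only bit 2 changes, every other flag is preserved."""
    v = int(value)
    v = v & ~ACCOUNTDISABLE if enabled else v | ACCOUNTDISABLE
    return str(v)


def bit_and_match(value, mask):
    """Semantics of LDAP matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND):
    the assertion matches when every bit of mask is set in the attribute value."""
    return (int(value) & mask) == mask


def admin_ui_filter_matches(entry):
    """Evaluate the Admin UI default filter
    (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=Computer)))
    against one entry; objectClass values compare case-insensitively, as in LDAP."""
    not_disabled = not bit_and_match(entry.get("userAccountControl", "0"), ACCOUNTDISABLE)
    not_computer = "computer" not in (c.lower() for c in entry.get("objectClass", []))
    return not_disabled and not_computer


def visible_accounts(entries):
    """DNs the connector would return with the default Admin UI search filter in place."""
    return [e["dn"] for e in entries if admin_ui_filter_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        uac = e["userAccountControl"]
        print(e["dn"], uac, decode_uac(uac), "enabled" if is_enabled(uac) else "disabled")
    print("visible with default filter:", visible_accounts(SAMPLE_ENTRIES))
    print("re-enabling 546 gives", set_enabled("546", True))
```

Decoding "544" gives NORMAL_ACCOUNT plus PASSWD_NOTREQD, which is exactly what the two attributes above report; the disabled variant of the same account is "546". With the default filter in place only the enabled user is visible, which is why a disabled account cannot be addressed, let alone re-enabled, until that filter is removed.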

See Also

Attribute value conflicts with the attribute's schema definition on operation UPDATE for system object

How do I configure the userAccountControl property in the LDAP and .NET Connectors in IDM (All versions)?

Connectors Guide › Using the Generic LDAP Connector With Active Directory

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.