How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I disable a user account in DS using IDM (All versions)?

Last updated Jan 19, 2023

The purpose of this article is to provide information on disabling a user account in DS when the user is disabled in IDM. This article assumes you are using the LDAP connector.


Overview

The DS ds-pwp-account-disabled attribute is used to determine if a user is active or not. This is an operational attribute and the correct way to set this attribute is using the manage-account command in DS. For example:

  • DS 7.1 and later: $ ./manage-account set-account-is-disabled --hostname localhost --port 4444 --bindDN uid=admin --bindPassword password --operationValue true --targetDN uid=jdoe,ou=People,dc=example,dc=com --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin
  • DS 7: $ ./manage-account set-account-is-disabled --hostname localhost --port 4444 --bindDN uid=admin --bindPassword password --operationValue true --targetDN uid=jdoe,ou=People,dc=example,dc=com --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin
  • Pre-DS 7: $ ./manage-account set-account-is-disabled --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --operationValue true --targetDN uid=jdoe,ou=People,dc=example,dc=com --trustAll

Response:

Account Is Disabled: true

However, it is possible to set it via the LDAP connector in IDM (as shown in this article) or you can set it via the REST API as detailed in: FAQ: REST API in IDM (Q. Can I lock and unlock a user's account in DS via the IDM REST API?).

LDAP connector

If you want to do this via the LDAP connector, you must:

  1. Add a new property to the managed.json file to store the account status in IDM. These examples use a property called accountDisabled, but you can use any name you want. See Define the schema for further information.
  2. Configure the LDAP connector to allow accounts to be disabled/enabled.

You can then disable/enable user accounts in IDM and observe the DS ds-pwp-account-disabled attribute being updated as a result.

Configuring the LDAP connector in IDM

You should configure IDM as follows to allow user accounts to be disabled/enabled in DS:

  1. Add a disabled property to your provisioner configuration file (for example, provisioner.openicf-ldap.json), which is located in the /path/to/idm/conf directory. This property should define the ds-pwp-account-disabled value as a string:

     "disabled" : {
         "type" : "string",
         "nativeName" : "ds-pwp-account-disabled",
         "nativeType" : "string",
         "required" : false
     }

  2. Add a mapping to the sync.json file for the disabled attribute you created. This example shows a simple mapping that sets the value to either true or false when the managed object is updated directly with a true or false value:

     {
         "target" : "disabled",
         "source" : "accountDisabled"
     }
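The two configuration steps above only work when they agree with each other: the sync.json mapping must target the same connector property that the provisioner file binds to ds-pwp-account-disabled, and that property must be typed as a string, because the managed value is copied to DS verbatim (which is why the curl examples later in this article send "true" and "false" as strings). The following is an added example, not code from the article or from IDM, that lints both files for that chain before you rely on implicit synchronization. The provisioner and sync.json fragments embedded in it are constructed from the snippets above; the mapping name managedUser_systemLdapAccounts and the target system/ldap/account are assumptions about a typical IDM installation.

```python
import json

# Constructed fragment of provisioner.openicf-ldap.json, built from the
# article's "disabled" property (the enclosing objectTypes/account structure
# is an assumption about a typical LDAP connector configuration).
PROVISIONER_SNIPPET = json.loads("""
{
  "objectTypes": {
    "account": {
      "properties": {
        "disabled": {
          "type": "string",
          "nativeName": "ds-pwp-account-disabled",
          "nativeType": "string",
          "required": false
        }
      }
    }
  }
}
""")

# Constructed fragment of sync.json; the mapping name and target resource
# are assumptions, the property mapping is the one from the article.
SYNC_SNIPPET = json.loads("""
{
  "mappings": [
    {
      "name": "managedUser_systemLdapAccounts",
      "source": "managed/user",
      "target": "system/ldap/account",
      "properties": [
        {"target": "disabled", "source": "accountDisabled"}
      ]
    }
  ]
}
""")


def find_property(provisioner, object_type, native_name):
    """Return the connector property name bound to native_name, or None."""
    props = provisioner.get("objectTypes", {}).get(object_type, {}).get("properties", {})
    for name, spec in props.items():
        if spec.get("nativeName") == native_name:
            return name
    return None


def check_disable_mapping(provisioner, sync, object_type="account",
                          native_name="ds-pwp-account-disabled",
                          managed_source="accountDisabled"):
    """Return a list of problems found in the chain
    managed_source -> connector property -> native_name.
    An empty list means the two files are consistent."""
    problems = []
    prop = find_property(provisioner, object_type, native_name)
    if prop is None:
        problems.append(f"no {object_type} property with nativeName {native_name}")
        return problems
    spec = provisioner["objectTypes"][object_type]["properties"][prop]
    if spec.get("type") != "string" or spec.get("nativeType") != "string":
        problems.append(f"property {prop} must be typed string/string")
    mapped = False
    for mapping in sync.get("mappings", []):
        # Only mappings whose target resource is this object type are relevant.
        if not mapping.get("target", "").endswith("/" + object_type):
            continue
        for p in mapping.get("properties", []):
            if p.get("target") == prop:
                mapped = True
                if p.get("source") != managed_source:
                    problems.append(f"mapping for {prop} reads {p.get('source')!r}, "
                                    f"expected {managed_source!r}")
    if not mapped:
        problems.append(f"no sync.json mapping targets {prop}")
    return problems


def normalise_flag(value):
    """Coerce a managed value to the string DS expects ("true"/"false").
    Rejects anything else so a typo never silently re-enables an account."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower()
    raise ValueError(f"not a boolean flag: {value!r}")


if __name__ == "__main__":
    print(check_disable_mapping(PROVISIONER_SNIPPET, SYNC_SNIPPET))
```

In a real deployment the normalisation in normalise_flag is the kind of check you would place in the mapping's transform script rather than in a stand-alone tool; the linter itself can be run against the two files in /path/to/idm/conf by loading them with json.load.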

Disabling a user account

This example assumes you have implicit synchronization enabled to push changes to DS.

  1. Update one of your managed objects to change the accountDisabled value to true, for example:
    • IDM 7 and later: $ curl -X POST -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: password" -H "Accept-API-Version: resource=1.0" -H "Content-Type: application/json" -H "X-HTTP-Method-Override: PATCH" -d '[{ "operation":"replace", "field":"accountDisabled", "value":"true" }]' "http://localhost:8080/openidm/managed/user/5768a5aa-e370-479b-9c02-04681fbf22d6"
    • Pre-IDM 7: $ curl -X POST -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: password" -H "Content-Type: application/json" -H "X-HTTP-Method-Override: PATCH" -d '[{ "operation":"replace", "field":"accountDisabled", "value":"true" }]' "http://localhost:8080/openidm/managed/user/5768a5aa-e370-479b-9c02-04681fbf22d6"
  2. Verify the user has been successfully updated in DS using an ldapsearch command such as the following (you need to include + to return the ds-pwp-account-disabled value because it is an operational attribute):
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
    • Pre-DS 7: $ ./ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +

Example response, which shows the ds-pwp-account-disabled property set to true:

dn: uid=jdoe,ou=People,dc=example,dc=com
ds-pwp-account-disabled: true
entryUUID: 1ff2e78f-4c4c-300c-b8f7-c2ab160061e0
modifyTimestamp: 20210706104217Z
modifiersName: uid=admin
etag: 0000000041018991
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
isMemberOf: cn=openidm,ou=Groups,dc=example,dc=com
numSubordinates: 0
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=jdoe,ou=people,dc=example,dc=com

  3. Update the accountDisabled value again to set the ds-pwp-account-disabled attribute back to false:
    • IDM 7 and later: $ curl -X POST -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: password" -H "Accept-API-Version: resource=1.0" -H "Content-Type: application/json" -H "X-HTTP-Method-Override: PATCH" -d '[{  "operation":"replace",   "field":"accountDisabled",   "value":"false" }]' "http://localhost:8080/openidm/managed/user/5768a5aa-e370-479b-9c02-04681fbf22d6"
    • Pre-IDM 7: $ curl -X POST -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: password" -H "Content-Type: application/json" -H "X-HTTP-Method-Override: PATCH" -d '[{  "operation":"replace",   "field":"accountDisabled",   "value":"false" }]' "http://localhost:8080/openidm/managed/user/5768a5aa-e370-479b-9c02-04681fbf22d6"
  4. Check the user has been updated successfully in DS:
    • DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
    • DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
    • Pre-DS 7: $ ./ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +

Example response, which shows the ds-pwp-account-disabled property set back to false:

dn: uid=jdoe,ou=People,dc=example,dc=com
ds-pwp-account-disabled: false
entryUUID: 1ff2e78f-4c4c-300c-b8f7-c2ab160061e0
modifyTimestamp: 20210706104723Z
modifiersName: uid=admin
etag: 00000000bdf589de
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
isMemberOf: cn=openidm,ou=Groups,dc=example,dc=com
numSubordinates: 0
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=jdoe,ou=people,dc=example,dc=com
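The disable and re-enable procedures above are the same two operations repeated: a PATCH (sent as POST with X-HTTP-Method-Override) that replaces accountDisabled on the managed user, followed by an ldapsearch with + that confirms ds-pwp-account-disabled in DS. The following is an added example, not code from the article or from IDM or DS, that builds the same request the curl commands send and parses the ldapsearch output to confirm the state actually reached DS, so a disable that never synchronised is caught rather than assumed. The base URL, credentials and user id are taken from the article's commands; the embedded LDIF is a constructed copy of the responses shown above; the helper names are assumptions.

```python
import base64
import json
from urllib.request import Request, urlopen

IDM_BASE = "http://localhost:8080/openidm"  # from the article's curl examples

# Constructed copies of the two ldapsearch responses shown in the article.
SAMPLE_DISABLED = """dn: uid=jdoe,ou=People,dc=example,dc=com
ds-pwp-account-disabled: true
entryUUID: 1ff2e78f-4c4c-300c-b8f7-c2ab160061e0
modifyTimestamp: 20210706104217Z
modifiersName: uid=admin
"""
SAMPLE_ENABLED = """dn: uid=jdoe,ou=People,dc=example,dc=com
ds-pwp-account-disabled: false
entryUUID: 1ff2e78f-4c4c-300c-b8f7-c2ab160061e0
modifyTimestamp: 20210706104723Z
modifiersName: uid=admin
"""


def build_disable_request(user_id, disabled, idm7=True,
                          username="openidm-admin", password="password"):
    """Describe the PATCH-via-POST the article's curl commands send.
    Returns a plain dict so it can be inspected or handed to send_request()."""
    body = json.dumps([{"operation": "replace", "field": "accountDisabled",
                        "value": "true" if disabled else "false"}])
    headers = {
        "X-OpenIDM-Username": username,
        "X-OpenIDM-Password": password,
        "Content-Type": "application/json",
        "X-HTTP-Method-Override": "PATCH",
    }
    if idm7:
        # IDM 7 and later require an explicit API version header.
        headers["Accept-API-Version"] = "resource=1.0"
    return {"method": "POST", "url": f"{IDM_BASE}/managed/user/{user_id}",
            "headers": headers, "body": body}


def send_request(req, timeout=10):
    """Send a request built by build_disable_request (not used offline)."""
    r = Request(req["url"], data=req["body"].encode(), headers=req["headers"],
                method=req["method"])
    with urlopen(r, timeout=timeout) as resp:
        return json.loads(resp.read())


def parse_ldif_entry(text):
    """Parse one ldapsearch entry into {attribute: [values]}.
    Joins folded continuation lines (leading space), decodes base64 ("::")
    values and lower-cases attribute names for case-insensitive lookup."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def account_disabled(entry):
    """True only when ds-pwp-account-disabled is present and 'true';
    an absent attribute means the account is enabled."""
    values = entry.get("ds-pwp-account-disabled", [])
    return bool(values) and values[0].lower() == "true"


def verify_state(ldif_text, expected_disabled):
    """Confirm the DS entry reflects the state just pushed from IDM."""
    return account_disabled(parse_ldif_entry(ldif_text)) is expected_disabled


if __name__ == "__main__":
    req = build_disable_request("5768a5aa-e370-479b-9c02-04681fbf22d6", True)
    print(req["url"], req["body"])
    print("disabled in DS:", verify_state(SAMPLE_DISABLED, True))
```

To use this against a live system, pipe the output of the ldapsearch command for your DS version into parse_ldif_entry and call verify_state with the value you just sent; a False result means implicit synchronization did not apply the change and the account is still in its previous state in DS.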

See Also

LDAP connector

Synchronization types

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.