How do I disable a user account in DS using IDM (All versions)?
The purpose of this article is to provide information on disabling a user account in DS when the user is disabled in IDM. This article assumes you are using the LDAP connector.
Overview
The DS ds-pwp-account-disabled attribute is used to determine if a user is active or not. This is an operational attribute and the correct way to set this attribute is using the manage-account command in DS. For example:
- DS 7.1 and later: $ ./manage-account set-account-is-disabled --hostname localhost --port 4444 --bindDN uid=admin --bindPassword password --operationValue true --targetDN uid=jdoe,ou=People,dc=example,dc=com --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin
- DS 7: $ ./manage-account set-account-is-disabled --hostname localhost --port 4444 --bindDN uid=admin --bindPassword password --operationValue true --targetDN uid=jdoe,ou=People,dc=example,dc=com --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin
- Pre-DS 7: $ ./manage-account set-account-is-disabled --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --operationValue true --targetDN uid=jdoe,ou=People,dc=example,dc=com --trustAll
Response: Account Is Disabled: true
However, it is possible to set it via the LDAP connector in IDM (as shown in this article) or you can set it via the REST API as detailed in: FAQ: REST API in IDM (Q. Can I lock and unlock a user's account in DS via the IDM REST API?).
LDAP connector
If you want to do this via the LDAP connector, you must:
- Add a new property to the managed.json file to store the account status in IDM. These examples use a property called accountDisabled, but you can use any name you want. See Define the schema for further information.
- Configure the LDAP connector to allow accounts to be disabled/enabled.
You can then disable/enable user accounts in IDM and observe the DS ds-pwp-account-disabled attribute being updated as a result.
Configuring the LDAP connector in IDM
You should configure IDM as follows to allow user accounts to be disabled/enabled in DS:
- Add a disabled property to your provisioner configuration file (for example, provisioner.openicf-ldap.json), which is located in the /path/to/idm/conf directory. This property should define the ds-pwp-account-disabled value as a string:
"disabled" : {
    "type" : "string",
    "nativeName" : "ds-pwp-account-disabled",
    "nativeType" : "string",
    "required" : false
}
- Add a mapping to the sync.json file for the disabled attribute you created. This example shows a simple mapping that sets the value to either true or false when the managed object is updated directly with a true or false value:
{
    "target" : "disabled",
    "source" : "accountDisabled"
}
Disabling a user account
This example assumes you have implicit synchronization enabled to push changes to DS.
- Update one of your managed objects to change the accountDisabled value to true, for example:
- IDM 7 and later: $ curl -X POST -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: password" -H "Accept-API-Version: resource=1.0" -H "Content-Type: application/json" -H "X-HTTP-Method-Override: PATCH" -d '[{ "operation":"replace", "field":"accountDisabled", "value":"true" }]' "http://localhost:8080/openidm/managed/user/5768a5aa-e370-479b-9c02-04681fbf22d6"
- Pre-IDM 7: $ curl -X POST -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: password" -H "Content-Type: application/json" -H "X-HTTP-Method-Override: PATCH" -d '[{ "operation":"replace", "field":"accountDisabled", "value":"true" }]' "http://localhost:8080/openidm/managed/user/5768a5aa-e370-479b-9c02-04681fbf22d6"
- Verify the user has been successfully updated in DS using an ldapsearch command such as the following (you need to include + in the attribute list to return the ds-pwp-account-disabled value, because it is an operational attribute and is not returned by default):
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
- Pre-DS 7: $ ./ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
Example response, which shows the ds-pwp-account-disabled attribute set to true:
dn: uid=jdoe,ou=People,dc=example,dc=com
ds-pwp-account-disabled: true
entryUUID: 1ff2e78f-4c4c-300c-b8f7-c2ab160061e0
modifyTimestamp: 20210706104217Z
modifiersName: uid=admin
etag: 0000000041018991
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
isMemberOf: cn=openidm,ou=Groups,dc=example,dc=com
numSubordinates: 0
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=jdoe,ou=people,dc=example,dc=com
- Update the accountDisabled value again to set the ds-pwp-account-disabled attribute back to false:
- IDM 7 and later: $ curl -X POST -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: password" -H "Accept-API-Version: resource=1.0" -H "Content-Type: application/json" -H "X-HTTP-Method-Override: PATCH" -d '[{ "operation":"replace", "field":"accountDisabled", "value":"false" }]' "http://localhost:8080/openidm/managed/user/5768a5aa-e370-479b-9c02-04681fbf22d6"
- Pre-IDM 7: $ curl -X POST -H "X-OpenIDM-Username: openidm-admin" -H "X-OpenIDM-Password: password" -H "Content-Type: application/json" -H "X-HTTP-Method-Override: PATCH" -d '[{ "operation":"replace", "field":"accountDisabled", "value":"false" }]' "http://localhost:8080/openidm/managed/user/5768a5aa-e370-479b-9c02-04681fbf22d6"
- Check the user has been updated successfully in DS:
- DS 7.1 and later: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
- DS 7: $ ./ldapsearch --hostname localhost --port 1636 --useSsl --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --bindDN uid=admin --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
- Pre-DS 7: $ ./ldapsearch --hostname localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN "uid=jdoe,ou=People,dc=example,dc=com" "objectClass=*" +
Example response, which shows the ds-pwp-account-disabled attribute set back to false:
dn: uid=jdoe,ou=People,dc=example,dc=com
ds-pwp-account-disabled: false
entryUUID: 1ff2e78f-4c4c-300c-b8f7-c2ab160061e0
modifyTimestamp: 20210706104723Z
modifiersName: uid=admin
etag: 00000000bdf589de
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
isMemberOf: cn=openidm,ou=Groups,dc=example,dc=com
numSubordinates: 0
hasSubordinates: false
subschemaSubentry: cn=schema
entryDN: uid=jdoe,ou=people,dc=example,dc=com
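The following is an added example, not code from the IDM or DS projects: it builds the PATCH body that the curl commands above send, and reads ds-pwp-account-disabled out of ldapsearch (LDIF) output, reporting "attribute not returned" separately from "false", which is what you see when the + is left off the attribute list or the sync has not run. The function names are hypothetical and the sample LDIF is constructed from the page's example response.

```python
import base64
import json

def build_account_disabled_patch(disabled: bool) -> str:
    """JSON PATCH body for IDM's managed/user endpoint, as used on this page.
    accountDisabled is declared as a string, so the value is "true"/"false",
    not a JSON boolean."""
    op = {"operation": "replace", "field": "accountDisabled",
          "value": "true" if disabled else "false"}
    return json.dumps([op])

def parse_ldif_entry(ldif: str) -> dict:
    """Parse one ldapsearch entry into {attribute: [values]}.
    Folded lines (leading space) are joined, comments skipped, and
    base64 values ("attr:: ...") decoded. Names are lower-cased because
    LDAP attribute names are case-insensitive."""
    lines: list = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: dict = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def account_disabled_status(ldif: str):
    """True/False from ds-pwp-account-disabled, or None when the attribute
    is absent. None is the case to watch: the attribute is operational and
    is only returned when '+' is in the ldapsearch attribute list, so
    absence means 'not returned', not 'enabled'."""
    values = parse_ldif_entry(ldif).get("ds-pwp-account-disabled")
    if not values:
        return None
    return values[0].lower() == "true"

# Constructed sample output, trimmed from the page's example response.
DISABLED_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
ds-pwp-account-disabled: true
structuralObjectClass: inetOrgPerson
"""
```

Pipe the real ldapsearch output into account_disabled_status and treat None as a failed check rather than as an enabled account.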