000031788 - How to apply the userAccountControl attribute in the LDAP Search Filter in RSA IMG 6.9.1

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000031788
Applies To:
RSA Product Set: Identity Management and Governance (IMG)
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 6.9.1
Issue:
The India and Overseas Account Collector doesn't work with the Account Search Filter.
If the filter with the userAccountControl attribute for the India and Overseas Account Collector is as shown below, then it will not work.
(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(employeeID=OS)(employeeID=ind*)))

However, it does work with the filter below.
(&(objectCategory=person)(objectClass=user)(|(employeeID=OS)(employeeID=ind*)))

So the (!userAccountControl:1.2.840.113556.1.4.803:=2) clause does not work inside the Account Search Filter.
Resolution:
The LDAP search filter is allowed to use the (!userAccountControl:1.2.840.113556.1.4.803:=2) filter, but users must surround the userAccountControl expression with an extra pair of parentheses, as shown below.
(!(userAccountControl:1.2.840.113556.1.4.803:=2))

Therefore, the filter with the userAccountControl attribute for the India and Overseas Account Collector should be as shown below.
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(employeeID=OS)(employeeID=ind*)))
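
Why the extra parentheses matter, as an added example that is not RSA code: in the LDAP filter grammar (RFC 4515) the operand of ! must itself be a complete parenthesized filter. The Python sketch below, with hypothetical helper names check_filter and _parse_filter, checks only that structure and treats any parenthesis-free run containing "=" as an item, so it can be used to test a collector filter before saving it.

```python
# Added example: structural check of an LDAP search filter (RFC 4515 grammar).
# Assumption/simplification: an item is any run of characters without
# parentheses that contains "="; escapes such as \28 are not decoded.

def check_filter(text):
    """Return None if text is a well-formed filter, else an error string."""
    try:
        end = _parse_filter(text, 0)
    except ValueError as exc:
        return str(exc)
    if end != len(text):
        return f"unexpected text at offset {end}"
    return None

def _parse_filter(s, i):
    # filter = "(" filtercomp ")"
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        # and / or: the operator is followed by one or more filters
        i = _parse_filter(s, i + 1)
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
    elif i < len(s) and s[i] == "!":
        # not = "!" filter, so the operand must start with "("
        if i + 1 >= len(s) or s[i + 1] != "(":
            raise ValueError(
                f"'!' at offset {i} must be followed by a parenthesized filter")
        i = _parse_filter(s, i + 1)
    else:
        # simple or extensible item, e.g. employeeID=ind* or attr:oid:=value
        start = i
        while i < len(s) and s[i] not in "()":
            i += 1
        if "=" not in s[start:i]:
            raise ValueError(f"item at offset {start} has no '='")
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1

# The two collector filters from this article.
BROKEN = "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(|(employeeID=OS)(employeeID=ind*)))"
FIXED = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(employeeID=OS)(employeeID=ind*)))"

if __name__ == "__main__":
    for name, flt in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", check_filter(flt) or "well-formed")
```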
Notes:
Refer to the article "How to test access to Active Directory/LDAP from IMG server" for more information on how to use the LDAP Search.
