When a user’s User ID is changed in an LDAP directory, Authentication Manager automatically detects the change and updates the user when any of the following events occur:
- A scheduled cleanup is run.
- An administrator runs a manual cleanup of all identity sources or of the identity source containing the user.
- An administrator modifies a user’s record in the Security Console.
- The user attempts to authenticate using the old User ID.
Changing the User ID in the directory affects Authentication Manager in the following ways:
The first authentication attempt made by the user can fail.
If a user attempts to authenticate before another event has updated the User ID, he or she may experience an authentication failure. If users are denied access, instruct them to use the old User ID for the first authentication attempt after the change, and then use the new User ID for all subsequent authentication attempts.
If User ID is mapped to a user’s email, the initial authentication failure may not occur.
The Security Console recognizes the new User ID immediately.
If administrators need to deal with any issues arising from the User ID changing, instruct them to search for the user by the new User ID, not the old User ID.
The User ID is updated and the user can authenticate using the new User ID after an administrator manages the user, for example, the administrator views the user record.
The ability to authenticate through restricted authentication agents can be lost when default settings are used in Sun Java System Directory Server/Oracle Directory Server Enterprise Edition identity sources.
The default settings in Sun Java System Directory Server/Oracle Directory Server Enterprise Edition use the uid attribute as the Naming Attribute. The default settings in Authentication Manager map User ID to the uid attribute. With these settings configured for Sun Java System Directory Server/Oracle Directory Server Enterprise Edition identity sources, any modification to the User ID (uid) changes the user’s distinguished name, which removes all LDAP group memberships for the user.
If a user whose DN changed belonged to a group with permission to authenticate on a restricted agent, the user can no longer authenticate through the restricted agent. To enable this user to authenticate through the restricted agent, you must re-add the user to the group associated with the restricted agent.