The identity router verifies the user’s identity source account by checking with the directory server. If the account is enabled, the identity router sends the Authenticate Tokencode to Cloud Authentication Service for verification. If your deployment uses an LDAPv3 identity source, RSA SecurID Access checks the following user attributes to determine the user's disabled status.
|ds-pwp-account-disabled||true for disabled accounts.|
|nsaccountlock||true for disabled accounts.|
|shadowExpire||0 for disabled accounts.|
If your LDAPv3 server does not use these attributes to indicate disabled status, RSA SecurID Access treats all users in the identity source as enabled.