000036615 - How to Deactivate and Reactivate LDAP User Accounts in the LDAP configuration in RSA Archer

Document created by RSA Customer Support Employee on Sep 25, 2018. Last modified by RSA Customer Support Employee on Sep 25, 2018. Version 2.

Article Number: 000036615
Applies To: RSA Product Set: RSA Archer Suite
RSA Product/Service Type: RSA Archer (On-Premise)
RSA Version/Condition: 6.2.x, 6.3.x and 6.4.x
Platform: Windows
 
Issue

The purpose of this article is to explain the features available in Archer to activate and deactivate LDAP user accounts within the LDAP configuration in Archer.
This article covers:
  1. Deactivating LDAP user accounts in the LDAP configuration of Archer
  2. Reactivating LDAP user accounts in the LDAP configuration of Archer


Background


In the Archer LDAP Configuration, on the "Data Sync" tab under the "Deactivation" section, two options are defined:

  1. Deactivate all user accounts that do not have a matching LDAP user. If this option is selected, Archer checks the "Filter" and "Base DN" defined in the "Configuration" tab; if an LDAP user account does not meet those criteria (the account does not qualify under the Filter and Base DN), the LDAP user account is deactivated.
  2. Deactivate those user accounts where LDAP attributes meet the following criteria. This option can be used to define the "Deactivate Attribute" that deactivates the user accounts.

An example of the second option is to use the attribute "UserAccountControl" with the values 514 and 66050. Once the LDAP user account is disabled in Active Directory, Archer deactivates the corresponding user account within Archer. This option is useful to ensure that Archer user accounts remain in sync with the Active Directory accounts.


Sometimes you may have a situation where you want to reactivate an LDAP user account. Fortunately, Archer has a user account reactivation feature. In the Archer LDAP "Configuration", on the "Data Sync" tab under the "Reactivation" section, there is an option "Reactivate those user accounts where the LDAP attribute meets the following criteria".

An example of the Reactivate option is to use the attribute "UserAccountControl" with the values 512 and 66048. Once the LDAP user account is enabled in Active Directory, Archer reactivates its user account. This option is useful to ensure that Archer user accounts remain in sync with the Active Directory accounts.

Notes
The userAccountControl values have the following meanings
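The two value lists above match the userAccountControl attribute against specific numbers. As an added example (not from the RSA article), the following Python decodes the flag bits behind 512, 514, 66048 and 66050 and audits a constructed set of accounts for ones whose Active Directory disabled state those exact values would not catch. The literal-match behaviour of the criteria and the sample accounts are assumptions.

```python
from typing import Dict, List, Tuple
# Active Directory userAccountControl bit flags (documented AD values).
ACCOUNTDISABLE = 0x0002
FLAG_NAMES = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",          # 512
    0x10000: "DONT_EXPIRE_PASSWORD",   # 65536
}

# Value lists from the article's Deactivation / Reactivation criteria:
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, 66050 adds DONT_EXPIRE_PASSWORD;
# 512 and 66048 are the same two combinations with ACCOUNTDISABLE cleared.
DEACTIVATE_VALUES = {514, 66050}
REACTIVATE_VALUES = {512, 66048}

# Constructed sample: username -> userAccountControl as read from AD.
SAMPLE_ACCOUNTS = {
    "jack.smith": 514,      # disabled, matches the deactivate list
    "jane.doe": 66048,      # enabled, matches the reactivate list
    "svc.backup": 66082,    # disabled, but PASSWD_NOTREQD is also set: no match
    "temp.user": 546,       # disabled + PASSWD_NOTREQD: no match
}

def decode_uac(value: int) -> List[str]:
    """Names of the bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]

def is_disabled(value: int) -> bool:
    """Bit test: an account is disabled whenever ACCOUNTDISABLE is set."""
    return bool(value & ACCOUNTDISABLE)

def archer_action(value: int) -> str:
    """Action the value-list criteria take (assumption: Archer compares the
    attribute against the listed values literally, not bit-wise)."""
    if value in DEACTIVATE_VALUES:
        return "deactivate"
    if value in REACTIVATE_VALUES:
        return "reactivate"
    return "no change"

def audit(accounts: Dict[str, int]) -> List[Tuple[str, int, bool, str]]:
    """Accounts whose AD enabled/disabled state the value lists would miss."""
    gaps = []
    for user, uac in accounts.items():
        expected = "deactivate" if is_disabled(uac) else "reactivate"
        action = archer_action(uac)
        if action != expected:
            gaps.append((user, uac, is_disabled(uac), action))
    return gaps
```

Running `audit(SAMPLE_ACCOUNTS)` lists the disabled accounts that carry extra flags, which is why the value lists should be reviewed against the flag combinations actually present in the directory.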


Resolution

The following steps demonstrate how to deactivate and reactivate LDAP user accounts in the LDAP configuration in Archer 6.4 P3.
  1. Create 4 LDAP user accounts in Active Directory and populate the Username, First Name, Last Name and Email Address fields.

  2. Configure the Filter field in the LDAP configuration in Archer.

  3. Configure the "Create/Update" option to pull the Windows user accounts into Archer via LDAP. We can also set the "Deactivation" option to deactivate user accounts in Archer.

  4. Run the LDAP Sync; the 4 user accounts are created in Archer.

  5. Now, disable the LDAP user account "Jack Smith" in Active Directory.

  6. If you run the LDAP Sync now, you will notice that the LDAP user account "Jack Smith" is still active in Archer.

  7. Now, use the option "Deactivate those user accounts where LDAP attributes meet the following criteria". This option defines the "Deactivate Attribute" used to deactivate user accounts. Use the attribute "UserAccountControl" with the values 514 and 66050 so that once the user account is disabled in Active Directory, Archer deactivates the LDAP user account.

  8. Note: By default, the attributes under the Deactivation and Reactivation sections may not load. To make the attribute "UserAccountControl" available under the Deactivate Attribute, you may need to load the attributes in the Configuration tab of the LDAP configuration. For more information on how to load the Deactivation and Reactivation attributes, please refer to the Knowledge Base article "RSA Archer - How to load the Deactivation and Reactivating Attributes in LDAP Configuration".

  9. Run the LDAP Sync and you will notice that the LDAP user account "Jack Smith" is deactivated in Archer.

  10. Now, if you want to reactivate the LDAP user account, go to Active Directory and enable the LDAP user account "Jack Smith".

  11. Next, in the Archer LDAP Configuration on the "Data Sync" tab under the "Reactivation" section, select "Reactivate those user accounts where the LDAP attribute meets the following criteria". Set the attribute "UserAccountControl" with the values 512 and 66048; once the LDAP user account is enabled in Active Directory, Archer reactivates the LDAP user account.

  12. Run the LDAP Sync and you will notice that the LDAP user account "Jack Smith" is activated again in Archer.

Notes

The Archer Web Services and REST API can also modify a user's account status. More information can be obtained from the following references:
