Issue
The purpose of this article is to explain the features available in Archer for activating and deactivating LDAP user accounts through the LDAP configuration in Archer. This article covers:
- Deactivating LDAP User Accounts in the LDAP configuration of Archer
- Reactivating LDAP User Accounts in the LDAP configuration of Archer
Background
In Archer LDAP Configuration on the "Data Sync" tab under the "Deactivation" section, there are two options defined:
- Deactivate all user accounts that do not have a matching LDAP user. If this option is selected, Archer checks the "Filter" and "Base DN" defined in the "Configuration" tab; if an LDAP user account does not meet those criteria (it is not returned by the Filter under the Base DN), the LDAP user account is deactivated.
- Deactivate those user accounts where LDAP attributes meet the following criteria. This option lets you define a "Deactivate Attribute" and the values that cause matching user accounts to be deactivated.
An example of the second option is to use the attribute "UserAccountControl" with the values "514" and "66050". Once the LDAP user account is disabled in Active Directory, Archer deactivates the corresponding user account within Archer. This option is useful to ensure that the Archer user accounts remain in sync with the Active Directory accounts.
Sometimes you may have a situation where you want to reactivate an LDAP user account. Fortunately, Archer has a user account reactivation feature. In the Archer LDAP "Configuration" on the "Data Sync" tab under the "Reactivation" section, there is an option "Reactivate those user accounts where the LDAP attribute meets the following criteria".
An example of the Reactivate option is to use the attribute "UserAccountControl" with the values "512" and "66048". Once the LDAP user account is enabled in Active Directory, Archer reactivates its user account. This option is useful to ensure that the Archer user accounts remain in sync with the Active Directory accounts.
Notes
The userAccountControl values have the following meanings:
Resolution
The following steps demonstrate how to deactivate and reactivate LDAP user accounts in the LDAP configuration in Archer 6.4 P3:
- Create 4 LDAP user accounts in Active Directory and populate the Username, First Name, Last Name and Email Address fields.
- Configure the Filter field in the LDAP configuration in Archer.
- Configure the option “Create/Update” to pull the Windows user accounts into Archer via LDAP. You can also set the option “Deactivation” to deactivate user accounts in Archer.
- Run the LDAP Sync; 4 user accounts are created in Archer.
- Now, we are going to deactivate the LDAP user account “Jack Smith” in Active Directory.
- If you run the LDAP Sync now, you will notice that the LDAP user account “Jack Smith” is still active in Archer.
- Now, use the option “Deactivate those user accounts where LDAP attributes meet the following criteria”. This option lets you define the "Deactivate Attribute" used to deactivate user accounts. Use the attribute "UserAccountControl" with the values "514" and "66050" so that once the user account is disabled in Active Directory, Archer deactivates the LDAP user account.
- Note: By default, the attributes under the Deactivation and Reactivation sections may not load. In order to load the attribute "UserAccountControl" under the Deactivate Attribute, you may need to load the attributes in the Configuration tab of the LDAP configuration. For more information on how to load the Deactivation and Reactivation attributes, please refer to the Knowledge Base Article - RSA Archer - How to load the Deactivation and Reactivating Attributes in LDAP Configuration
- Run the LDAP Sync and you will notice that the LDAP user account “Jack Smith” is deactivated in Archer.
- Now if you want to reactivate the LDAP user account, go to the Active Directory and enable the LDAP user account “Jack Smith”.
- Next, in the Archer LDAP Configuration on the "Data Sync" tab under the "Reactivation" section, select “Reactivate those user accounts where the LDAP attribute meets the following criteria”. Set the attribute "UserAccountControl" with the values "512" and "66048", so that once the LDAP user account is enabled in Active Directory, Archer reactivates the LDAP user account.
- Run the LDAP Sync and you will notice that the LDAP user account “Jack Smith” is reactivated in Archer.
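The following is an added example (not Archer's own code) that simulates the value-list matching configured in the Background and Resolution sections above. The flag constants are Microsoft's documented userAccountControl bits (values 514 and 66050 are NORMAL_ACCOUNT plus ACCOUNTDISABLE, with or without DONT_EXPIRE_PASSWORD); the account names, the extra flag combination and the function names are constructed for this example. It also shows the caveat a practitioner should check: an exact-value list only catches the flag combinations you listed, whereas a bitwise test of ACCOUNTDISABLE catches every disabled account.

```python
# Added example: simulate Archer's "Deactivation"/"Reactivation" value matching on
# userAccountControl and compare it with a bitwise check of the ACCOUNTDISABLE flag.
# Flag constants are Microsoft's documented userAccountControl bits; the sample
# accounts below are constructed for this example.

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Values as entered in the Archer LDAP configuration described in the article.
DEACTIVATE_VALUES = {514, 66050}
REACTIVATE_VALUES = {512, 66048}


def archer_action(uac, active_in_archer):
    """Action the exact-value rules would take for one account on the next LDAP Sync."""
    if active_in_archer and uac in DEACTIVATE_VALUES:
        return "deactivate"
    if not active_in_archer and uac in REACTIVATE_VALUES:
        return "reactivate"
    return "none"


def is_disabled(uac):
    """Bitwise check: True when ACCOUNTDISABLE is set, whatever other flags are set."""
    return bool(uac & ACCOUNTDISABLE)


def sync(accounts):
    """Apply the value rules to (name, uac, active_in_archer) tuples and report
    accounts that are disabled in AD but not matched by the value list."""
    actions, missed = {}, []
    for name, uac, active in accounts:
        action = archer_action(uac, active)
        actions[name] = action
        if active and is_disabled(uac) and action != "deactivate":
            missed.append(name)
    return actions, missed


# Constructed sample: accounts from the walkthrough plus one with an extra flag.
SAMPLE = [
    ("Jack Smith", NORMAL_ACCOUNT | ACCOUNTDISABLE, True),                      # 514
    ("Jane Doe", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, True),                  # 66048
    ("Bob Lee", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, False),                  # 66048
    ("Svc Acct", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | PASSWD_NOTREQD | ACCOUNTDISABLE, True),  # 66082
]

if __name__ == "__main__":
    actions, missed = sync(SAMPLE)
    for name, action in actions.items():
        print(f"{name}: {action}")
    print("disabled in AD but not matched by the value list:", missed)
```

Running it shows "Svc Acct" disabled in AD yet untouched by the value list, so every userAccountControl combination in use in your directory needs to be added to the Deactivate values, or the accounts remain active in Archer.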