How a User Becomes Unresolvable
Changes made to user data in an LDAP directory can affect authentication and administration of the user when the change in the directory modifies the user’s distinguished name (DN), the user’s User ID, or both. If a user’s DN or User ID is changed, Authentication Manager (AM) can no longer find the user in the LDAP directory that was designated as the user’s identity source. A user (or a user group) in this state is known as “unresolvable.” RSA recommends removing references to unresolvable users and user groups because unresolvable users count against the license user limit if they have assigned authenticators.
A user becomes unresolvable for any of the following reasons:
The user is deleted from the LDAP directory.
The user is moved outside the scope of the base DN of the identity source.
The user is moved outside the scope of all identity sources.
The scope of the identity source is narrowed so that it no longer includes the user.
The Search Filter of the identity source is modified so that it no longer contains the user.
The user is moved to an identity source in the same physical directory using the delete and add method, and the Unique Identifier is configured to use the default value.
The user is moved to an identity source in a different physical directory.
Users who become unresolvable are reported as missing from the identity source.
After cleaning up users who have been moved to a different identity source, you re-establish these users in AM by enabling them for authentication or assigning them administrative roles.
Some directory management tools move users by deleting and re-adding them to the directory. In these cases, AM cannot find the users after the move when the default Unique Identifier is used. Deleting and adding the user back to the directory creates a new value for ObjectGUID, the default Unique Identifier. To maintain the same value for your users, configure a customized attribute as the Unique Identifier.
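The effect of the Unique Identifier choice on a delete-and-re-add move, shown as an added example that is not RSA code: a simplified Python model of looking users up by identifier within a base DN. The directory data, the use of employeeNumber as the customized attribute, and all function names are assumptions made for illustration, and the Search Filter is not modeled.

```python
# Simplified model of identity-source resolution; illustration only, not AM code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    dn: str
    attrs: dict  # attribute name -> value

def norm(dn):
    # Naive DN normalisation; does not handle escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_scope(dn, base_dn):
    dn, base_dn = norm(dn), norm(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)

def find_unresolvable(references, directory, base_dn, uid_attr):
    """Return the user IDs whose stored identifier matches no entry under base_dn."""
    visible = {e.attrs.get(uid_attr) for e in directory if in_scope(e.dn, base_dn)}
    return sorted(uid for uid, stored in references.items()
                  if stored[uid_attr] not in visible)

BASE_DN = "ou=Staff,dc=example,dc=com"  # constructed

# Constructed: identifier values recorded when each user was registered.
REFERENCES = {
    "alice": {"objectGUID": "g-001", "employeeNumber": "1001"},
    "bob":   {"objectGUID": "g-002", "employeeNumber": "1002"},
    "carol": {"objectGUID": "g-003", "employeeNumber": "1003"},
    "dave":  {"objectGUID": "g-004", "employeeNumber": "1004"},
}

# Constructed: directory contents after the changes.
DIRECTORY = [
    Entry("cn=alice,ou=Staff,dc=example,dc=com", {"objectGUID": "g-001", "employeeNumber": "1001"}),
    # bob: deleted and re-added by a management tool, so objectGUID is new
    Entry("cn=bob,ou=Sales,ou=Staff,dc=example,dc=com", {"objectGUID": "g-9f2", "employeeNumber": "1002"}),
    # carol: moved outside the base DN, identifier unchanged
    Entry("cn=carol,ou=Contractors,dc=example,dc=com", {"objectGUID": "g-003", "employeeNumber": "1003"}),
    # dave: deleted from the directory, so no entry exists
]

if __name__ == "__main__":
    for attr in ("objectGUID", "employeeNumber"):
        print(attr, "->", find_unresolvable(REFERENCES, DIRECTORY, BASE_DN, attr))
```

With objectGUID as the identifier, bob, carol and dave are reported as missing; with the customized attribute, only carol and dave are, because bob's re-added entry keeps the same value.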