How to exclude RSA Authentication Manager 8.x from picking up disabled user account data from the Microsoft LDAP directory

3 years ago

Originally Published: 2018-06-21

Article Number

000060607

Applies To

RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  8.x

Issue

This article explains how to exclude RSA Authentication Manager from picking up disabled user accounts data from the Microsoft LDAP directory so that the clean-up of unresolvable users job will run correctly.

Resolution

Follow the steps below:

Login to the Operations Console of the primary Authentication Manager instance.
Click Deployment Configuration > Identity Sources > Manage Existing.
When prompted, enter the super admin user ID and password
Click the context arrow for the identity source in question and select Edit.

Click the Connection(s) tab or the Map tab to view the properties of the external identity source:

Scroll down to the Directory Configuration - Users section and modify the default search filter from (&(objectClass=User)(objectcategory=person)) to the string below:

(&(objectClass=User)(objectcategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Once done, click Save and Finish for the changes to take effect.
Login to the Security Console for the primary.
Verify that the disabled user accounts from the Microsoft LDAP Directory are filtered.

Notes

For steps on how to create a new identity source, please see article 000033238 - How to create an external LDAP identity source in RSA Authentication Manager 8.1.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles