Modifying a User in an LDAP Directory
When a user’s User ID is changed in an LDAP directory, AM automatically detects the change and updates the user when any of the following events occur:
- A scheduled cleanup is run.
- An administrator runs a manual cleanup of all identity sources or of the identity source containing the user.
- An administrator modifies a user’s record in the Security Console.
- The user attempts to authenticate using the old User ID.
Changing the User ID in the directory affects AM in the following ways:
- The first authentication attempt made by the user can fail.
  If the user attempts to authenticate before one of the events above has updated the User ID, the attempt can fail. If users are denied access, instruct them to use the old User ID for the first authentication attempt after the change (that attempt is itself one of the events that triggers the update) and the new User ID for all subsequent attempts.
  If User ID is mapped to the user's email attribute instead of uid, the initial authentication failure may not occur.
- The Security Console recognizes the new User ID immediately.
  Administrators who need to deal with issues arising from the change should search for the user by the new User ID, not the old one. Once an administrator manages the user, for example by viewing the user record, the User ID is updated in AM and the user can authenticate with the new User ID.
- The ability to authenticate through restricted authentication agents can be lost when default settings are used with Sun Java System Directory Server/Oracle Directory Server Enterprise Edition identity sources.
  The default settings in Sun Java System Directory Server/Oracle Directory Server Enterprise Edition use the uid attribute as the Naming Attribute, and the default settings in AM map User ID to uid. With these defaults, uid forms the user's relative distinguished name (RDN), so any modification to the User ID (uid) changes the user's distinguished name (DN). Static LDAP groups list their members by DN, so the renamed entry no longer matches the DN stored in any group and the user loses all LDAP group memberships.
  If the user belonged to a group that grants permission to authenticate on a restricted agent, the user can no longer authenticate through that agent. To restore access, re-add the user, under the new DN, to the group associated with the restricted agent.
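The following is an added example, not RSA's code or part of this article: a small in-memory model of the DN and group-membership effect described above. It builds a constructed user entry and two static groups (the DNs, names and attribute values are invented for the example), changes uid, and reports which memberships are lost and how the re-add remediation restores them. It also generalizes the point: with any naming attribute other than the one being changed (cn is used here), the DN and the memberships survive. Nothing here talks to a real directory, and it assumes a rename that is not followed by a referential-integrity plugin rewriting the groups.

```python
"""
Added example (not RSA's own code or the article's): model what a uid change
does to a user's DN and to static LDAP group membership.
All entries, names and DNs below are constructed for the example.
"""

PEOPLE_BASE = "ou=People,dc=example,dc=com"   # constructed
GROUPS_BASE = "ou=Groups,dc=example,dc=com"   # constructed
MEMBER_ATTRS = ("uniqueMember", "member")     # attributes static groups use to list members

# Constructed user and groups. "restricted-agent-users" stands in for the group
# that grants permission to authenticate on a restricted agent.
USER = {"uid": ["jdoe"], "cn": ["Jane Doe"], "mail": ["jane.doe@example.com"]}
GROUP_NAMES = ["restricted-agent-users", "staff"]


def build_directory(naming_attr):
    """Return ({dn: {attr: [values]}}, user_dn) with the user's RDN taken from naming_attr.
    Static groups store members by DN string, which is what ties membership to the RDN."""
    user_dn = f"{naming_attr}={USER[naming_attr][0]},{PEOPLE_BASE}"
    entries = {user_dn: {k: list(v) for k, v in USER.items()}}
    for name in GROUP_NAMES:
        entries[f"cn={name},{GROUPS_BASE}"] = {"cn": [name], "uniqueMember": [user_dn]}
    return entries, user_dn


def groups_referencing(entries, dn):
    """DNs of groups whose member list contains exactly this DN string."""
    return sorted(g for g, attrs in entries.items()
                  if any(dn in attrs.get(a, []) for a in MEMBER_ATTRS))


def modify_uid(entries, user_dn, naming_attr, new_uid):
    """Change uid. If uid is the naming attribute, the RDN (and so the DN) changes;
    the groups still hold the old DN string, so the user silently drops out of them.
    Models a rename with no referential-integrity plugin updating the groups."""
    entry = entries.pop(user_dn)
    entry["uid"] = [new_uid]
    parent = user_dn.partition(",")[2]          # assumes no escaped commas in the RDN
    new_dn = f"{naming_attr}={entry[naming_attr][0]},{parent}"
    entries[new_dn] = entry
    lost = [] if new_dn == user_dn else groups_referencing(entries, user_dn)
    return new_dn, lost


def readd_to_groups(entries, old_dn, new_dn, group_dns):
    """The remediation from the text: put the user back into each group under the new DN."""
    for g in group_dns:
        members = entries[g]["uniqueMember"]
        entries[g]["uniqueMember"] = [new_dn if m == old_dn else m for m in members]
    return groups_referencing(entries, new_dn)


def simulate(naming_attr, new_uid):
    """Run the scenario end to end and report what an administrator would need to know."""
    entries, old_dn = build_directory(naming_attr)
    new_dn, lost = modify_uid(entries, old_dn, naming_attr, new_uid)
    if lost:
        fixed = readd_to_groups(entries, old_dn, new_dn, lost)
    else:
        fixed = groups_referencing(entries, new_dn)
    return {"old_dn": old_dn, "new_dn": new_dn, "lost_groups": lost, "groups_after_fix": fixed}


if __name__ == "__main__":
    for attr in ("uid", "cn"):
        r = simulate(attr, "jdoe2")
        print(f"naming attribute {attr}: DN {r['old_dn']} -> {r['new_dn']}")
        print(f"  memberships lost on rename: {len(r['lost_groups'])}, "
              f"held after remediation: {len(r['groups_after_fix'])}")
```

Before renaming a uid-named user on a real directory, the useful check is the equivalent of `groups_referencing` against the old DN (an ldapsearch for `(uniqueMember=<old DN>)` or `(member=<old DN>)`), so the list of groups to re-add is known before the restricted agent starts rejecting the user.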