Moving Users in an LDAP Directory

When a user is moved within an LDAP directory that is a linked identity source, Authentication Manager can detect the move and update the user when any of the following events occur:

  • A scheduled cleanup is run.
  • An administrator runs a manual cleanup of all identity sources or of the identity source containing the user.
  • An administrator modifies a user’s record in the Security Console.
  • The user attempts to authenticate.

Moving Users within an Identity Source

If a user is moved within an LDAP directory and remains within the same identity source, the user can still authenticate and be administered unless the user’s Unique Identifier changes. Some directory management tools change the Unique Identifier because the move is performed by deleting and re-adding the user to the directory.

In these cases, Authentication Manager cannot find the user after the move because deleting the user and adding the user back to the directory creates a new value for the attribute designated as the default Unique Identifier (ObjectGUID in Active Directory or nsUniqueID in Oracle Directory Server). To avoid this situation, configure a customized attribute as the Unique Identifier.

Moving Users Outside the Scope of the Original Identity Source

If a user is moved within an LDAP directory and is outside the scope of the original identity source, the user can still authenticate and be administered as long as the following criteria are met:

  • The user still resides in the same physical directory.

  • An identity source is configured in Authentication Manager that meets the following criteria:

    • The identity source exists in the same physical directory as the original identity source.

    • The identity source encompasses the user’s new DN.

    • Both identity sources use the same attribute for the User ID.

    • Both identity sources use the same attribute for the Unique Identifier.

    While you can configure the identity source after the user is moved, a user who attempts to authenticate before the identity source is configured is denied access for an hour after the authentication attempt.

  • The method used to move the user must not delete and re-add the user when the identity source is configured to use the default Unique Identifier.

If these criteria are not met, the move causes the user to become unresolvable. For information about how to manage an unresolvable user, see Manual Cleanup for Unresolvable Users.
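As an added example (not RSA's code), the following Python models the resolution rules from the two sections above: a moved user stays resolvable only if the value of the Unique Identifier attribute survives the move, and the new DN is covered either by the original identity source or by another identity source on the same physical directory that uses the same User ID and Unique Identifier attributes. The identity source names, base DNs, host names and GUID values are constructed for illustration.

```python
import re
from dataclasses import dataclass

def dn_components(dn: str) -> list:
    """Split a DN on commas that are not backslash-escaped, normalising
    case and spacing so 'CN=X, OU=Y' and 'cn=x,ou=y' compare equal."""
    parts = re.split(r"(?<!\\),", dn)
    return [re.sub(r"\s*=\s*", "=", p.strip().lower()) for p in parts if p.strip()]

def dn_in_scope(dn: str, base_dn: str) -> bool:
    """True when dn equals base_dn or lies anywhere beneath it."""
    d, b = dn_components(dn), dn_components(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

@dataclass
class IdentitySource:
    name: str
    directory: str        # physical directory; assumed to be a host name
    base_dn: str
    user_id_attr: str     # attribute used for the User ID
    unique_id_attr: str   # attribute used for the Unique Identifier

def resolve_after_move(original, sources, before, after):
    """Return (identity source name or None, reason) for a moved user.
    before/after are dicts holding 'dn' plus the directory attributes."""
    uid = original.unique_id_attr
    if before.get(uid) != after.get(uid):
        return None, f"{uid} changed: the move deleted and re-added the user"
    if dn_in_scope(after["dn"], original.base_dn):
        return original.name, "still within the original identity source"
    for src in sources:  # another source on the same directory may cover it
        if (src.directory == original.directory
                and dn_in_scope(after["dn"], src.base_dn)
                and src.user_id_attr == original.user_id_attr
                and src.unique_id_attr == original.unique_id_attr):
            return src.name, "new DN falls within a compatible identity source"
    return None, "no compatible identity source covers the new DN"

# Constructed sample configuration and records (not from a real deployment)
ENG = IdentitySource("Engineering", "ldap.example.com",
                     "ou=eng,dc=example,dc=com", "sAMAccountName", "objectGUID")
SALES = IdentitySource("Sales", "ldap.example.com",
                       "ou=sales,dc=example,dc=com", "sAMAccountName", "objectGUID")
BEFORE = {"dn": "cn=jdoe,ou=eng,dc=example,dc=com", "objectGUID": "guid-1"}

if __name__ == "__main__":
    moved = {"dn": "CN=jdoe,OU=Sales,DC=example,DC=com", "objectGUID": "guid-1"}
    print(resolve_after_move(ENG, [ENG, SALES], BEFORE, moved))
```

A user that resolves to None here is the unresolvable case described above; a user that resolves to a different identity source is the case where the cleanup or the next authentication attempt updates the record.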

Impact of Moving a User Within an LDAP Directory

Moving a user in the directory affects Authentication Manager Express in the following ways:

  • The user’s first authentication attempt might fail. This failed attempt does not count against the user lockout policy.

    To minimize the number of users who experience this initial authentication failure, schedule a periodic cleanup. For instructions, see Schedule a Cleanup Job.

  • When replication is out of sync, or a replica instance is unavailable, there can be a delay in updating the system with the user’s new identity source. In these cases, the user is denied access until replication is restored.

  • For users who authenticate with aliases, group associations are not retained when the user is moved to a different identity source.

    The user alias, shell, and any RADIUS profile assigned to the alias are retained from the old identity source.

    You must reassociate the alias, shell, and any RADIUS profile to a group in the new identity source. To do this, edit the alias in the user’s authentication settings, and select a group in the new identity source to associate the alias with the group.

    For more information on updating authentication settings, see Manage User Authentication Settings.

  • The ability to authenticate through restricted agents can be lost when the user is moved to a different identity source.

    If a user’s distinguished name (DN) changes on the Oracle Directory Server/Sun Java System Directory Server, the user is removed from all LDAP group memberships. If this user belonged to a group with permission to authenticate on a restricted agent, the user can no longer authenticate through the restricted agent.

    If the user is a member of a group in the new identity source with permission to authenticate on a restricted agent, you do not need to take any action. If the user is not a member of a group in the new identity source with permission to authenticate on a restricted agent, you must add the user to the group in the directory location that is specified as the new identity source, and associate the group with the restricted agent.

    When group membership is changed directly in an LDAP directory, Authentication Manager may not immediately recognize these changes because group membership is cached. As a result, Authentication Manager sees the user as a member of the group in the original identity source until the cached value expires, typically after 10 minutes.

    Users can authenticate through a restricted agent for a short time after they move, even though they are removed from all groups associated with the restricted agent. To ensure that the change in group membership is recognized immediately, flush the cache after making the changes in the directory. For more information, see Flush the Cache.

  • The user can be modified by a different administrator.

    If the original administrator does not have privileges on the new identity source, he or she will no longer have the ability to administer the user. However, an administrator with privileges on the new identity source is able to administer the user.

  • When a user is moved to a different identity source, the Security Console recognizes the user in the new identity source immediately.

    If administrators need to address any issues arising from the move, instruct them to search for the user in the new identity source, not the old identity source.