LDAPv3 User Verification for the Cloud Authentication Service

The identity router verifies the user’s identity source account by checking with the directory server. If the account is enabled, the identity router sends the Authenticate OTP to Cloud Authentication Service for verification. If your deployment uses an LDAPv3 identity source, SecurID checks the following user attributes to determine the user's disabled status.

Attribute Setting
ds-pwp-account-disabled true for disabled accounts.
nsaccountlock true for disabled accounts.
shadowExpire 0 for disabled accounts.

If your LDAPv3 server does not use these attributes to indicate disabled status, SecurID treats all users in the identity source as enabled.