Administrators are unable to manage LDAP users, including assigning tokens, because the users appear to be in a disabled state, as shown here:
The account used to bind to the external identity source does not have full read permission on the user accounts. As a result, Authentication Manager cannot read the userAccountControl attribute from the external identity source; this attribute indicates whether the user account is disabled.
Because Authentication Manager cannot determine whether the account is enabled, it treats the account as disabled for security reasons.
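To illustrate the behaviour described above, here is an added Python example (not RSA code) that evaluates userAccountControl the way a fail-closed consumer does. It uses the standard Active Directory ACCOUNTDISABLE bit (0x0002) and constructed sample entries as they would be returned to a bind account with and without read permission on the attribute.

```python
# Added example: how a server that reads userAccountControl decides whether an
# AD/LDAP user is enabled, and why a bind account that cannot read the attribute
# makes every user look disabled. Entries are dicts of attribute -> list of
# values, the shape most LDAP client libraries return.

ACCOUNTDISABLE = 0x0002  # standard AD userAccountControl bit: account is disabled


def account_state(entry):
    """Return 'enabled', 'disabled' or 'unreadable' for one directory entry.

    userAccountControl is absent from the result when the bind account lacks
    read permission on it (the directory ACL filters the attribute out).
    """
    values = entry.get("userAccountControl")
    if not values:
        return "unreadable"
    uac = int(values[0])
    return "disabled" if uac & ACCOUNTDISABLE else "enabled"


def effective_state(entry):
    """Fail-closed interpretation: an unreadable flag counts as disabled."""
    state = account_state(entry)
    return "disabled" if state == "unreadable" else state


def bind_account_can_read_uac(entries):
    """Diagnostic: True only if every returned entry exposes userAccountControl.

    If this is False for a whole branch, the symptom is a permission problem on
    the bind account, not genuinely disabled users.
    """
    return bool(entries) and all(
        account_state(e) != "unreadable" for e in entries
    )


# Constructed sample data (not from a real directory).
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
FULL_READ = [
    {"sAMAccountName": ["alice"], "userAccountControl": ["512"]},
    {"sAMAccountName": ["bob"], "userAccountControl": ["514"]},
]
RESTRICTED_READ = [
    {"sAMAccountName": ["alice"]},  # attribute withheld by the directory ACL
    {"sAMAccountName": ["bob"]},
]
```

With FULL_READ only bob is disabled; with RESTRICTED_READ both users are reported as disabled even though alice is enabled in the directory.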
To resolve this issue:
1. Update the service account used to bind to the identity source to a user that has domain admin permission.
2. Ensure that the Directory User ID configured in the Operations Console to bind to the LDAP directory has read permission on the user account control attribute for all users in the specified LDAP branch.
From the Operations Console:
1. Navigate to Deployment Configuration > Identity Sources > Manage Existing.
2. Click the context arrow next to the external identity source in question and click Edit.
3. Update the Directory User ID field to a user that has the appropriate domain permissions.