Sun Identity Manager 8.1 Resources Reference

Disabling and Enabling Accounts

The LDAP adapter provides several ways to disable accounts on an LDAP resource. Use one of the following techniques to disable accounts.

Change the Password to an Unknown Value

To disable accounts by changing the password to an unknown value, leave the LDAP Activation Method and LDAP Activation Parameter fields blank. This is the default method for disabling accounts. The account can be re-enabled by assigning a new password.

Assign the nsmanageddisabledrole Role

To use the nsmanageddisabledrole LDAP role to disable and enable accounts, configure the LDAP resource as follows:

Procedure: Configuring the LDAP Resource to Use the nsmanageddisabledrole LDAP Role

  1. On the Resource Parameters page, set the LDAP Activation Method field to nsmanageddisabledrole.

  2. Set the LDAP Activation Parameter field to IDMAttribute=CN=nsmanageddisabledrole,baseContext. (IDMAttribute will be specified on the schema in the next step.)

  3. On the Account Attributes page, add IDMAttribute as an Identity System User attribute. Set the Resource User attribute to nsroledn. The attribute must be of type string.

  4. Create a group named nsAccountInactivationTmp on the LDAP resource and assign CN=nsdisabledrole,baseContext as a member.

    LDAP accounts can now be disabled. To verify using the LDAP console, check the value of the nsaccountlock attribute. A value of true indicates the account is locked.

    If the account is later re-enabled, the account is removed from the role.

Set the nsAccountLock Attribute

To use the nsAccountLock attribute to disable and enable accounts, configure the LDAP resource as follows:

Procedure: Configuring the LDAP Resource to Use the nsAccountLock Attribute

  1. On the Resource Parameters page, set the LDAP Activation Method field to nsaccountlock.

  2. Set the LDAP Activation Parameter field to IDMAttribute=true. (IDMAttribute will be specified on the schema in the next step.) For example, accountLockAttr=true.

  3. On the Account Attributes page, add the value specified in the LDAP Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to nsaccountlock. The attribute must be of type string.

  4. Set the nsAccountLock LDAP attribute on the resource to true.

    Identity Manager sets nsaccountlock to true when disabling an account. It also assumes that pre-existing LDAP users that have nsaccountlock set to true are disabled. If nsaccountlock has any value other than true (including null), the system concludes that the user is enabled.

Disable Accounts without the nsmanageddisabledrole and nsAccountLock Attributes

If the nsmanageddisabledrole and nsAccountLock attributes are not available on your directory server, but the directory server has a similar method of disabling accounts, enter one of the following class names into the LDAP Activation Method field. The value to enter in the LDAP Activation Parameter field varies, depending on the class.

Class Name / When to Use

com.waveset.adapter.util.ActivationByAttributeEnableFalse

    When to use: The directory server enables an account by setting an attribute to false, and disables an account by setting the attribute to true.

    Add the attribute to the schema map. Then enter the Identity Manager name for the attribute (defined on the left side of the schema map) in the LDAP Activation Parameter field.

com.waveset.adapter.util.ActivationByAttributeEnableTrue

    When to use: The directory server enables an account by setting an attribute to true, and disables an account by setting the attribute to false.

    Add the attribute to the schema map. Then enter the Identity Manager name for the attribute (defined on the left side of the schema map) in the LDAP Activation Parameter field.

com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable

    When to use: Identity Manager should disable accounts by pulling an attribute/value pair from LDAP and enable accounts by pushing an attribute/value pair to LDAP.

    Add the attribute to the schema map. Then enter the attribute/value pair in the LDAP Activation Parameter field. Use the Identity Manager name for the attribute, as defined on the left side of the schema map.

com.waveset.adapter.util.ActivationByAttributePushDisablePullEnable

    When to use: Identity Manager should disable accounts by pushing an attribute/value pair to LDAP and enable accounts by pulling an attribute/value pair from LDAP.

    Add the attribute to the schema map. Then enter the attribute/value pair in the LDAP Activation Parameter field. Use the Identity Manager name for the attribute, as defined on the left side of the schema map.

com.waveset.adapter.util.ActivationNsManagedDisabledRole

    When to use: The directory uses a specific role to determine the account status. If an account is assigned to this role, the account is disabled.

    Add the role name to the schema map. Then enter a value in the LDAP Activation Parameter field, using the following format:

    IDMAttribute=CN=roleName,baseContext

    IDMAttribute is the Identity Manager name for the role, as defined on the left side of the schema map.
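The following Python is an added illustration, not code from Sun Identity Manager or the LDAP adapter. It models the activation methods described in the nsAccountLock procedure and in the class list above as small strategy objects: each one answers "is this entry disabled?" the way the page describes (nsaccountlock true means disabled, anything else means enabled; membership in the nsmanageddisabledrole role means disabled; the EnableFalse/EnableTrue and push/pull classes read one attribute or attribute/value pair) and produces the single attribute change that disables or enables the account, rendered as an LDIF modify record so it can be compared against what the directory console shows. Directory entries are plain dictionaries of attribute to value list (the shape python-ldap returns); no directory is contacted. Assumptions not stated on the page: the baseContext dc=example,dc=com and the sample entries are constructed; an absent attribute is treated as enabled for the EnableFalse/EnableTrue classes; re-enabling under nsaccountlock deletes the attribute (the page only states that any value other than true means enabled); the push/pull classes take their parameter as IDMAttribute=value; and DN comparison is a simple case and whitespace normalisation rather than full RFC 4517 matching.

```python
"""Added example (not Sun Identity Manager code): model the LDAP activation
methods of the Sun Identity Manager 8.1 LDAP adapter as strategy objects."""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]            # attribute -> values, as python-ldap returns
Mod = Tuple[str, str, Optional[str]]    # (ldif modify op, attribute, value or None)


def _values(entry: Entry, attr: str) -> List[str]:
    """Case-insensitive lookup, since LDAP attribute names are case-insensitive."""
    return [v for k, vals in entry.items() if k.lower() == attr.lower() for v in vals]


def parse_activation_parameter(param: str) -> Tuple[str, str]:
    """Split 'IDMAttribute=CN=roleName,baseContext' at the FIRST '=' only, so a
    DN value that itself contains '=' is kept intact."""
    name, sep, value = param.partition("=")
    if not sep:
        raise ValueError(f"activation parameter has no '=': {param!r}")
    return name, value


class ActivationByAttribute:
    """ActivationByAttributeEnableFalse / EnableTrue: one boolean-valued attribute
    holds the state. An absent attribute counts as enabled (assumption)."""

    def __init__(self, ldap_attr: str, enable_value: str):
        self.attr = ldap_attr
        self.enable_value = enable_value
        self.disable_value = "false" if enable_value == "true" else "true"

    def is_disabled(self, entry: Entry) -> bool:
        return any(v.lower() == self.disable_value for v in _values(entry, self.attr))

    def disable(self) -> Mod:
        return ("replace", self.attr, self.disable_value)

    def enable(self) -> Mod:
        return ("replace", self.attr, self.enable_value)


class NsAccountLock(ActivationByAttribute):
    """Built-in 'nsaccountlock' method: true means disabled; any other value,
    including a missing attribute, means enabled (as the page states)."""

    def __init__(self, ldap_attr: str = "nsaccountlock"):
        super().__init__(ldap_attr, "false")

    def enable(self) -> Mod:
        # Assumption: delete the attribute, which leaves it "anything but true".
        return ("delete", self.attr, None)


class ActivationByRole:
    """nsmanageddisabledrole / ActivationNsManagedDisabledRole: an nsroledn value
    naming the role means disabled; re-enabling removes the account from the role."""

    def __init__(self, ldap_attr: str, role_dn: str):
        self.attr, self.role_dn = ldap_attr, role_dn

    @staticmethod
    def _norm(dn: str) -> str:
        # Simplified DN normalisation (case and whitespace only) - assumption.
        return ",".join(p.strip().lower() for p in dn.split(","))

    def is_disabled(self, entry: Entry) -> bool:
        return any(self._norm(v) == self._norm(self.role_dn) for v in _values(entry, self.attr))

    def disable(self) -> Mod:
        return ("add", self.attr, self.role_dn)

    def enable(self) -> Mod:
        return ("delete", self.attr, self.role_dn)


class ActivationByPresence:
    """PullDisablePushEnable (push_means_enable=True) and PushDisablePullEnable
    (False): the state is whether the attribute/value pair is present."""

    def __init__(self, ldap_attr: str, value: str, push_means_enable: bool):
        self.attr, self.value, self.push_means_enable = ldap_attr, value, push_means_enable

    def is_disabled(self, entry: Entry) -> bool:
        present = self.value in _values(entry, self.attr)
        return present != self.push_means_enable

    def disable(self) -> Mod:
        return ("delete" if self.push_means_enable else "add", self.attr, self.value)

    def enable(self) -> Mod:
        return ("add" if self.push_means_enable else "delete", self.attr, self.value)


def build_method(method: str, param: str, schema_map: Dict[str, str]):
    """Resolve the LDAP Activation Method and Parameter fields into a strategy.
    schema_map maps the Identity Manager name (left side of the schema map) to
    the resource attribute (right side), which is why the parameter field uses
    the Identity Manager name rather than the LDAP attribute name."""
    short = method.rsplit(".", 1)[-1]
    if short in ("ActivationByAttributeEnableFalse", "ActivationByAttributeEnableTrue"):
        # For these classes the parameter is just the Identity Manager attribute name.
        return ActivationByAttribute(schema_map[param], "false" if short.endswith("False") else "true")
    idm_name, value = parse_activation_parameter(param)
    ldap_attr = schema_map[idm_name]
    if method == "nsaccountlock":
        return NsAccountLock(ldap_attr)
    if method == "nsmanageddisabledrole" or short == "ActivationNsManagedDisabledRole":
        return ActivationByRole(ldap_attr, value)
    if short == "ActivationByAttributePullDisablePushEnable":
        return ActivationByPresence(ldap_attr, value, push_means_enable=True)
    if short == "ActivationByAttributePushDisablePullEnable":
        return ActivationByPresence(ldap_attr, value, push_means_enable=False)
    raise ValueError(f"unknown activation method {method!r}")


def to_ldif(dn: str, mod: Mod) -> str:
    """Render one modification as an LDIF changetype: modify record."""
    op, attr, value = mod
    body = f"{attr}: {value}\n" if value is not None else ""
    return f"dn: {dn}\nchangetype: modify\n{op}: {attr}\n{body}-\n"


if __name__ == "__main__":
    BASE = "dc=example,dc=com"  # constructed baseContext
    schema_map = {"IDMAttribute": "nsroledn"}  # left side -> resource attribute
    role = build_method("nsmanageddisabledrole", f"IDMAttribute=CN=nsmanageddisabledrole,{BASE}", schema_map)
    user = {"uid": ["jdoe"], "nsroledn": [f"cn=nsmanageddisabledrole,{BASE}"]}  # constructed entry
    print("disabled:", role.is_disabled(user))
    print(to_ldif(f"uid=jdoe,ou=People,{BASE}", role.enable()))
```

Running the block prints that the constructed user is disabled and the LDIF that removes the nsroledn value, which matches the page's statement that a re-enabled account is removed from the role. The same `is_disabled` check is what a reconciliation pass would apply to pre-existing entries, so it is the place to confirm that the directory's convention (true means locked, or the reverse) matches the class you selected.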