The LDAP adapter provides several ways to disable accounts on an LDAP resource. Use one of the following techniques to disable accounts.
To disable accounts by changing the password to an unknown value, leave the LDAP Activation Method and LDAP Activation Parameter fields blank. This is the default method for disabling accounts. The account can be re-enabled by assigning a new password.
To use the nsmanageddisabledrole LDAP role to disable and enable accounts, configure the LDAP resource as follows:

1. On the Resource Parameters page, set the LDAP Activation Method field to nsmanageddisabledrole.
2. Set the LDAP Activation Parameter field to IDMAttribute=CN=nsmanageddisabledrole,baseContext. (IDMAttribute will be specified on the schema in the next step.)
3. On the Account Attributes page, add IDMAttribute as an Identity System User attribute. Set the Resource User attribute to nsroledn. The attribute must be of type string.
4. Create a group named nsAccountInactivationTmp on the LDAP resource and assign CN=nsdisabledrole,baseContext as a member.

LDAP accounts can now be disabled. To verify using the LDAP console, check the value of the nsaccountlock attribute. A value of true indicates the account is locked. If the account is later re-enabled, the account is removed from the role.
To use the nsAccountLock attribute to disable and enable accounts, configure the LDAP resource as follows:

1. On the Resource Parameters page, set the LDAP Activation Method field to nsaccountlock.
2. Set the LDAP Activation Parameter field to IDMAttribute=true. (IDMAttribute will be specified on the schema in the next step.) For example, accountLockAttr=true.
3. On the Account Attributes page, add the value specified in the LDAP Activation Parameter field as an Identity System User attribute. Set the Resource User attribute to nsaccountlock. The attribute must be of type string.
4. Set the nsAccountLock LDAP attribute on the resource to true.

Waveset sets nsaccountlock to true when disabling an account. It also assumes that pre-existing LDAP users that have nsaccountlock set to true are disabled. If nsaccountlock has any value other than true (including null), the system concludes the user is enabled.
If the nsmanageddisabledrole and nsAccountLock attributes are not available on your directory server, but the directory server has a similar method of disabling accounts, enter one of the following class names into the LDAP Activation Method field. The value to enter in the LDAP Activation Parameter field varies, depending on the class.
Class Name | When to Use
---|---
com.waveset.adapter.util.ActivationByAttributeEnableFalse | The directory server enables an account by setting an attribute to false, and disables an account by setting the attribute to true. Add the attribute to the schema map, then enter the Waveset name for the attribute (defined on the left side of the schema map) in the LDAP Activation Parameter field.
com.waveset.adapter.util.ActivationByAttributeEnableTrue | The directory server enables an account by setting an attribute to true, and disables an account by setting the attribute to false. Add the attribute to the schema map, then enter the Waveset name for the attribute (defined on the left side of the schema map) in the LDAP Activation Parameter field.
com.waveset.adapter.util.ActivationByAttributePullDisablePushEnable | Waveset should disable accounts by pulling an attribute/value pair from LDAP and enable accounts by pushing an attribute/value pair to LDAP. Add the attribute to the schema map, then enter the attribute/value pair in the LDAP Activation Parameter field, using the Waveset name for the attribute as defined on the left side of the schema map.
com.waveset.adapter.util.ActivationByAttributePushDisablePullEnable | Waveset should disable accounts by pushing an attribute/value pair to LDAP and enable accounts by pulling an attribute/value pair from LDAP. Add the attribute to the schema map, then enter the attribute/value pair in the LDAP Activation Parameter field, using the Waveset name for the attribute as defined on the left side of the schema map.
com.waveset.adapter.util.ActivationNsManagedDisabledRole | The directory uses a specific role to determine the account status: if an account is assigned to this role, the account is disabled. Add the role name to the schema map, then enter a value in the LDAP Activation Parameter field in the format IDMAttribute=CN=roleName,baseContext, where IDMAttribute is the Waveset name for the role as defined on the left side of the schema map.