User Store :: Disable Flag : Behavior among AD and LDAP

Document ID : KB000049860
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

I am running Policy Server with Active Directory as User Store.

I would like to know:

  • Should the value of the disabled flag also be "0" in AD in order to have SiteMinder consider user as enabled?
  • Is there a difference in the way the user account is "read" by SiteMinder which could explain the successful attempt in LDAP and failure in AD?

Solution:

You need to keep in mind that the "disabled flag" attribute is a SiteMinder mechanism.

The directory server's own account status takes precedence over anything SiteMinder might configure. Therefore, if the user is disabled in Active Directory, no amount of SiteMinder configuration can fix that.

By design, SiteMinder must honor the user directory's position on the account disabled state before its own. Otherwise, SiteMinder would risk authenticating and authorizing a user that was disabled intentionally by the administrator and therefore cause a security breach.

When the user is disabled in Directory Server (both LDAP and AD), then irrespective of SM configuration user is not allowed to login. This is because SM "binds" to LDAP with the supplied credentials. This is same for AD & LDAP as well. For example, if a user is disabled in SunOne LDAP (right click user in SunOne console and make inactive), "bind" would fail - which means SM can't authenticate that user anymore.