How to exclude RSA Authentication Manager 8.x from picking up disabled user account data from the Microsoft LDAP directory
3 years ago
Originally Published: 2018-06-21
Article Number
000060607
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Manager
RSA Version/Condition:  8.x
Issue
This article explains how to exclude RSA Authentication Manager from picking up disabled user accounts data from the Microsoft LDAP directory so that the clean-up of unresolvable users job will run correctly.
Resolution
Follow the steps below:
  1. Login to the Operations Console of the primary Authentication Manager instance.
  2. Click Deployment Configuration > Identity Sources > Manage Existing.
  3. When prompted, enter the super admin user ID and password
  4. Click the context arrow for the identity source in question and select Edit.
User-added image
  1. Click the Connection(s) tab or the Map tab to view the properties of the external identity source:
User-added image
  1. Scroll down to the Directory Configuration - Users section and modify the default search filter from (&(objectClass=User)(objectcategory=person)) to the string below:
(&(objectClass=User)(objectcategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
User-added image
  1. Once done, click Save and Finish for the changes to take effect.
  2. Login to the Security Console for the primary.
  3. Verify that the disabled user accounts from the Microsoft LDAP Directory are filtered.
Notes
For steps on how to create a new identity source, please see article 000033238 - How to create an external LDAP identity source in RSA Authentication Manager 8.1.
Don't see what you're looking for?