Modifying a User in an LDAP Directory
When a user’s User ID is changed in an LDAP directory, RSA Authentication Manager (AM) detects the change and updates its copy of the user when any of the following events occurs:
- A scheduled cleanup is run.
- An administrator runs a manual cleanup of all identity sources or of the identity source containing the user.
- An administrator modifies a user’s record in the Security Console.
- The user attempts to authenticate using the old User ID.
Changing the User ID in the directory affects AM in the following ways:
The first authentication attempt made by the user can fail.
If a user attempts to authenticate before one of the events listed above has updated the User ID in AM, the authentication fails. If users are denied access, instruct them to use the old User ID for the first authentication attempt after the change, and then use the new User ID for all subsequent authentication attempts.
If User ID is mapped to the user’s email address instead of to the renamed attribute, the initial authentication failure may not occur.
The Security Console recognizes the new User ID immediately.
If administrators need to deal with any issues arising from the User ID changing, instruct them to search for the user by the new User ID, not the old User ID.
The User ID is updated, and the user can authenticate using the new User ID, as soon as an administrator manages the user in the Security Console, for example, by viewing the user record.
The ability to authenticate through restricted authentication agents can be lost when default settings are used in Sun Java System Directory Server/Oracle Directory Server Enterprise Edition identity sources.
The default settings in Sun Java System Directory Server/Oracle Directory Server Enterprise Edition use the uid attribute as the Naming Attribute, so uid forms the first component (the RDN) of each user’s distinguished name (DN). The default settings in AM map User ID to the uid attribute. With both defaults in place, any modification to the User ID (uid) changes the user’s DN. Static LDAP groups store their members as full DNs, so the group entries continue to reference the old DN and the user effectively loses all LDAP group memberships.
If a user whose DN changed belonged to a group with permission to authenticate on a restricted agent, the user can no longer authenticate through the restricted agent. To enable this user to authenticate through the restricted agent, you must re-add the user to the group associated with the restricted agent.
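The following is an added example, not code from the RSA Authentication Manager documentation. It models the mechanism described above with a constructed sample directory (the entries, group names and function names are this example’s own): it derives the user’s DN from the naming attribute, shows that a uid change detaches the user from every static group only when uid is the naming attribute, and generates the LDIF an administrator would apply with ldapmodify to restore the memberships.

```python
"""Added example (not from the RSA Authentication Manager documentation).

Models the effect described above: when uid is both the directory's naming
attribute and the attribute AM maps to User ID, changing uid rewrites the user's
DN, and static groups (groupOfUniqueNames) that store member DNs in uniqueMember
no longer match the user. All entries below are constructed sample data.
"""

PEOPLE_BASE = "ou=People,dc=example,dc=com"
GROUP_BASE = "ou=Groups,dc=example,dc=com"

# Constructed sample entries (attribute values only; the DN is derived from the
# naming attribute, exactly as the directory does).
USER = {"uid": "jsmith", "cn": "John Smith", "mail": "jsmith@example.com"}
OTHER = {"uid": "adoe", "cn": "Ann Doe", "mail": "adoe@example.com"}


def build_dn(entry: dict, naming_attr: str, parent: str = PEOPLE_BASE) -> str:
    """RDN from the naming attribute plus the parent container."""
    return f"{naming_attr}={entry[naming_attr]},{parent}"


def dn_equal(a: str, b: str) -> bool:
    """Case-insensitive DN comparison; enough for this ASCII sample (a full
    implementation would also normalise spacing and escaping per RFC 4514)."""
    return a.casefold() == b.casefold()


def make_groups(naming_attr: str) -> list:
    """Constructed static groups whose uniqueMember values are full member DNs."""
    u, o = build_dn(USER, naming_attr), build_dn(OTHER, naming_attr)
    return [
        {"cn": "vpn-users", "uniqueMember": [u, o]},
        {"cn": "restricted-agent-finance", "uniqueMember": [u]},  # grants a restricted agent
        {"cn": "all-staff", "uniqueMember": [o]},
    ]


def groups_referencing(groups: list, dn: str) -> list:
    """Groups whose uniqueMember contains dn. Called with the old DN after a
    rename, this is the list of groups left holding a stale reference."""
    return [g["cn"] for g in groups if any(dn_equal(m, dn) for m in g["uniqueMember"])]


def simulate_uid_change(entry: dict, naming_attr: str, new_uid: str, groups: list):
    """Return (old_dn, new_dn, lost_groups) for a uid change under the given
    naming attribute. lost_groups is empty unless the naming attribute is uid."""
    old_dn = build_dn(entry, naming_attr)
    new_dn = build_dn({**entry, "uid": new_uid}, naming_attr)
    before = groups_referencing(groups, old_dn)
    after = groups_referencing(groups, new_dn)
    return old_dn, new_dn, [g for g in before if g not in after]


def fix_membership_ldif(group_cns: list, old_dn: str, new_dn: str) -> str:
    """LDIF change records for ldapmodify that drop the stale member DN and add
    the new one in each affected group (the manual re-add the text calls for,
    plus removal of the dangling reference)."""
    records = []
    for cn in group_cns:
        records.append(
            f"dn: cn={cn},{GROUP_BASE}\n"
            "changetype: modify\n"
            "delete: uniqueMember\n"
            f"uniqueMember: {old_dn}\n"
            "-\n"
            "add: uniqueMember\n"
            f"uniqueMember: {new_dn}\n"
        )
    return "\n".join(records)


if __name__ == "__main__":
    # Default DSEE + AM settings: naming attribute and User ID attribute are both uid.
    groups = make_groups("uid")
    old, new, lost = simulate_uid_change(USER, "uid", "john.smith", groups)
    print(f"{old} -> {new}\nmemberships lost: {lost}\n")
    print(fix_membership_ldif(lost, old, new))

    # Non-default naming attribute: the DN does not change, so nothing is lost.
    groups = make_groups("cn")
    _, _, lost = simulate_uid_change(USER, "cn", "john.smith", groups)
    print(f"with cn as naming attribute, memberships lost: {lost}")
```

Against a live directory, the equivalent pre-change check is an ldapsearch with the filter `(uniqueMember=<current DN>)`, which lists every static group that will be affected, and the generated LDIF is applied with ldapmodify after the rename. The page describes the default configuration; Directory Server’s referential integrity plug-in, which is not covered here, changes this behaviour when it is enabled, so confirm its state before relying on the default.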