
User Store Disable Flag : Behavior among Active Directory AD and LDAP


Article ID: 49860




Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On (SITEMINDER)



We are running the Policy Server with Active Directory as the user store.

Should the value of the disabled flag also be "0" in Active Directory (AD) to have SiteMinder consider the user as enabled?

Is there a difference in how the user account is "read" by SiteMinder which could explain the successful attempt in LDAP and the failure in Active Directory (AD)?




The "disabled flag" attribute is a SiteMinder mechanism; it is separate from the directory server's own account status.

The directory server's account status takes precedence over anything SiteMinder might configure. Therefore, if the user is disabled in Active Directory, no amount of SiteMinder configuration can fix that.

By design, SiteMinder must honor the user directory's position on the account's disabled state before its own. Otherwise, SiteMinder would risk authenticating and authorizing a user that the administrator had intentionally disabled, which would be a security breach.

When the user is disabled in the directory server (both LDAP and Active Directory (AD)), then, irrespective of the SiteMinder configuration, the user is not allowed to log in. This is because SiteMinder "binds" to the directory with the supplied credentials, and a disabled account cannot bind. This is the same for Active Directory (AD) and LDAP. For example, if a user is disabled in SunOne LDAP (right-click the user in the SunOne console and make it inactive), the "bind" fails, which means SiteMinder can no longer authenticate that user.
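As an added illustration (not code from the article or from CA/Broadcom), the following Python models the precedence described above: the directory's own disabled state is checked first, and SiteMinder's disabled-flag attribute only afterwards. The attribute name `disabled`, the `nsAccountLock` marker for an inactivated Sun ONE account, the "non-zero means disabled" simplification, and the sample entries are assumptions.

```python
from __future__ import annotations

# Active Directory keeps the disabled state as bit 0x2 (ACCOUNTDISABLE)
# of the userAccountControl attribute.
AD_ACCOUNTDISABLE = 0x0002

# Assumption: SiteMinder's disabled-flag attribute is configurable per user
# directory; "disabled" is a placeholder name. Assumption: Sun ONE/DSEE marks
# an inactivated account with nsAccountLock=true.
SM_DISABLED_ATTR = "disabled"


def directory_disabled(entry: dict) -> bool:
    """True when the directory server itself would refuse a bind for this account."""
    uac = entry.get("userAccountControl")
    if uac is not None:                          # Active Directory entry
        return bool(int(uac) & AD_ACCOUNTDISABLE)
    lock = entry.get("nsAccountLock", "false")   # Sun ONE / generic LDAP entry
    return str(lock).lower() == "true"


def siteminder_disabled(entry: dict) -> bool:
    """True when SiteMinder's own disabled-flag attribute holds a non-zero value."""
    value = entry.get(SM_DISABLED_ATTR, "0")
    return str(value).strip() not in ("", "0")


def login_decision(entry: dict) -> tuple[bool, str]:
    """Directory state takes precedence; SiteMinder's flag is consulted only afterwards."""
    if directory_disabled(entry):
        return False, "directory: account disabled, bind fails"
    if siteminder_disabled(entry):
        return False, "siteminder: disabled flag set"
    return True, "enabled"


# Constructed sample entries (512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE)
SAMPLES = {
    "ad_enabled":     {"userAccountControl": "512", SM_DISABLED_ATTR: "0"},
    "ad_disabled":    {"userAccountControl": "514", SM_DISABLED_ATTR: "0"},
    "ad_sm_disabled": {"userAccountControl": "512", SM_DISABLED_ATTR: "1"},
    "ldap_inactive":  {"nsAccountLock": "true",     SM_DISABLED_ATTR: "0"},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, login_decision(entry))
```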