User Store Disable Flag: Behavior in Active Directory (AD) and LDAP

Article ID: 49860

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On, SITEMINDER

Issue/Introduction

Running the Policy Server with Active Directory as the User Store.

Should the value of the disabled flag also be "0" in Active Directory (AD) to have SiteMinder consider the user as enabled?

Is there a difference in how SiteMinder "reads" the user account that could explain why the login attempt succeeds against LDAP but fails against Active Directory (AD)?

Resolution

The "disabled flag" attribute is a SiteMinder mechanism.

The directory server's account status takes precedence over anything SiteMinder might configure. Therefore, if the user is disabled in Active Directory, no amount of SiteMinder configuration can fix that.

By design, SiteMinder must honor the user directory's view of the account's disabled state before its own. Otherwise, SiteMinder would risk authenticating and authorizing a user that an administrator deliberately disabled, which would be a security breach.

When the user is disabled in the directory server (LDAP or Active Directory (AD)), the user is not allowed to log in, irrespective of the SiteMinder configuration. This is because SiteMinder authenticates by "binding" to the directory with the supplied credentials, and a directory server refuses the bind for a disabled account. This is the same for Active Directory (AD) and LDAP. For example, if a user is disabled in SunOne LDAP (right-click the user in the SunOne console and make it inactive), the "bind" fails, which means SiteMinder can no longer authenticate that user.
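The precedence described above, modelled as an added example (not CA/Broadcom code, and not the Policy Server's actual implementation): the directory's own account state is checked first, because it is what makes the bind succeed or fail, and only after a successful bind is SiteMinder's disabled-flag attribute consulted. The entries are constructed in-memory dictionaries rather than a live AD or SunOne server, and the attribute name `smDisabledFlag` is a placeholder for whatever disabled-flag attribute the user directory is configured with. The AD `userAccountControl` bit values (0x0002 = ACCOUNTDISABLE, 0x0200 = NORMAL_ACCOUNT) and the SunOne `nsAccountLock` attribute are standard; the assumption that a flag value of 0 means "enabled" follows the question in the Issue section.

```python
"""Model of how an LDAP bind with the user's credentials interacts with the
SiteMinder disabled-flag attribute. Constructed example: in-memory entries,
no live directory; `smDisabledFlag` is a placeholder attribute name."""

# Active Directory userAccountControl bits (standard AD values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200


def directory_account_locked(entry: dict) -> bool:
    """True when the directory itself considers the account disabled.

    AD: the ACCOUNTDISABLE bit is set in userAccountControl.
    SunOne / Directory Server: nsAccountLock is "true", which is what the
    console's "make inactive" action sets.
    """
    uac = entry.get("userAccountControl")
    if uac is not None and int(uac) & ACCOUNTDISABLE:
        return True
    return str(entry.get("nsAccountLock", "false")).lower() == "true"


def simulated_bind(entry: dict, password: str) -> bool:
    """Stand-in for the LDAP simple bind the Policy Server performs with the
    supplied credentials. A disabled account fails the bind even when the
    password is correct, mirroring what the directory server does."""
    if directory_account_locked(entry):
        return False
    return entry.get("userPassword") == password


def siteminder_login(entry: dict, password: str,
                     disabled_attr: str = "smDisabledFlag") -> str:
    """Return the login outcome, honoring the article's precedence:
    directory state first (via the bind), SiteMinder's own flag second."""
    if not simulated_bind(entry, password):
        if directory_account_locked(entry):
            return "denied: account disabled in the directory (bind fails)"
        return "denied: bad credentials (bind fails)"
    # Bind succeeded; only now does the SiteMinder disabled flag matter.
    # Assumption: 0 (or absent) means enabled, any non-zero value disabled.
    flag = int(entry.get(disabled_attr, 0) or 0)
    if flag != 0:
        return f"denied: SiteMinder disabled flag = {flag}"
    return "allowed"


# Constructed sample entries (not real accounts).
AD_ENABLED = {"userAccountControl": NORMAL_ACCOUNT,
              "userPassword": "Pa55", "smDisabledFlag": 0}
AD_DISABLED = {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,  # 514
               "userPassword": "Pa55", "smDisabledFlag": 0}
SUNONE_INACTIVE = {"nsAccountLock": "true",
                   "userPassword": "Pa55", "smDisabledFlag": 0}
SM_DISABLED_ONLY = {"userAccountControl": NORMAL_ACCOUNT,
                    "userPassword": "Pa55", "smDisabledFlag": 1}

if __name__ == "__main__":
    cases = [("AD enabled", AD_ENABLED), ("AD disabled", AD_DISABLED),
             ("SunOne inactive", SUNONE_INACTIVE),
             ("SiteMinder flag only", SM_DISABLED_ONLY)]
    for name, entry in cases:
        print(f"{name:22s} -> {siteminder_login(entry, 'Pa55')}")
```

The point the model makes visible is the one the article states: setting the SiteMinder flag to 0 on `AD_DISABLED` changes nothing, because the bind never succeeds, whereas `SM_DISABLED_ONLY` binds fine and is then rejected by SiteMinder's own flag.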