When the LDAP - Synchronize New and Changed Users job is executed, it activates and modifies users who are locked and do not have the 'External Authentication' box checked.
Steps to Reproduce:
1. Turn on LDAP with the Allow non-ldap users option switched on.
2. Create a user in Clarity who exists in the Clarity group.
3. Lock that user and ensure that the External Authentication box is not checked.
4. Remove the row from the CMN_DIRECTORY_SERVER table if this is not the first time you are running the job.
5. Modify a field for the user on the LDAP side. Choose a field such as last name, first name, or email address that is mapped to a PPM field.
6. Run the LDAP - Synchronize New and Changed Users job.
Expected Result: Since the user's External Authentication box is unchecked, the user should be neither modified nor activated.
Actual Result: The user in the application is modified and activated.
Clarity PPM 15.3+
The job is working as designed in Clarity PPM 15.3.
When you make a change within Active Directory and run the job, the 'LDAP - Synchronize New and Changed Users' job synchronizes LDAP records with CA Clarity PPM records by synchronizing the users you add to the LDAP "CA Clarity PPM" group and making them active on the CA Clarity PPM server. Clarity PPM checks only whether a user is present in a Clarity group on the LDAP server or whether an attribute being searched for is present in Clarity.
If a user is deactivated on the LDAP server, the next time the synchronization job runs, the user is deactivated in CA Clarity PPM.
If the user is reactivated on the LDAP server, the user will not be reactivated in Clarity. The resource will need to be reactivated.
The 'LDAP - Synchronize New and Changed Users' job synchronizes LDAP records with Clarity records by synchronizing the users you add to the LDAP "CA PPM" group and making them active on the CA PPM server.
Refer to the documentation: Integrate Clarity PPM with Lightweight Directory Access Protocol (LDAP)