Additional LDAP OU definition for Inactive users and its impact on authentication

Lann
Giga Guru

Hi all

We have an LDAP integration to create/update users with this filter.

We don't have an RDN value specified for this OU definition, and the Query field value is mail.

(&(objectClass=person)(sn=*)(!(objectClass=computer))(mail=*@mycompanyname.com)(manager=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Since this will get only Active records from the source, and we don't want to pull a big mass in the same OU definition, we are not expanding the above filter for inactives. Instead we are looking to create a second OU definition for the User table to get only the Inactive users from LDAP, use an Update-only transform, and ignore any Inserts.

Will creating a second OU definition for Inactive users cause any impacts to LDAP authentication? We have the "Use LDAP for password authentication" system property set to Yes.

Coincidentally, I was developing another OU definition to get some Users from a different branch, Acquisitions, and had an RDN value specified as OU=<<Acquired company name>>,OU=Acquisitions

and it caused some authentication failures due to the new OU definition; when I deactivated that definition everything was fine.

I read the docs below and am trying to make out how it connects to my existing and new inactive user setup and its impact on authentication.

Can an Inactive user OU definition cause auth issues?

Thanks

Lakshmi

LDAP authentication

Use LDAP authentication to access using LDAP credentials.

When a user enters network credentials in the login page:
  1. The instance passes the credentials to an LDAP server to find the instance.
  2. With RDNs, it validates the user's DN string. It validates only if at least one of the LDAP OU configurations with table=sys_user has an RDN configured.
  3. The LDAP server responds with an authorized or unauthorized message that the system uses to determine whether access should be granted.

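As an added example (not code from the post, and not ServiceNow's own code): a small Python evaluator for the filter in the question, run against constructed directory entries, plus the complementary filter such an inactive-user OU definition would need and the RDN rule from the quoted docs. The entry values, the `_user` builder and the `rdn` / `table` keys on the OU-definition dicts are assumptions.

```python
# Added example, not code from the post or from ServiceNow: evaluates the question's
# LDAP filter, derives the inactive-user variant, and encodes the quoted RDN rule.
ACCOUNTDISABLE = 0x2  # bit tested by (userAccountControl:1.2.840.113556.1.4.803:=2)
DOMAIN = "mycompanyname.com"
ACTIVE_FILTER = ("(&(objectClass=person)(sn=*)(!(objectClass=computer))"
                 "(mail=*@mycompanyname.com)(manager=*)"
                 "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
DISABLED_CLAUSE = "(userAccountControl:1.2.840.113556.1.4.803:=2)"

def inactive_filter(active_filter: str) -> str:
    """Assumed design for the second OU definition: same filter, but the
    disabled-bit clause is no longer negated, so only disabled accounts match."""
    return active_filter.replace("(!" + DISABLED_CLAUSE + ")", DISABLED_CLAUSE)

def _base_match(entry: dict) -> bool:
    """Every clause of the post's filter except the userAccountControl test."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return ("person" in classes and "computer" not in classes
            and bool(entry.get("sn")) and bool(entry.get("manager"))
            and entry.get("mail", "").lower().endswith("@" + DOMAIN))

def is_disabled(entry: dict) -> bool:
    """LDAP_MATCHING_RULE_BIT_AND semantics: true when ACCOUNTDISABLE is set."""
    return bool(int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)

def classify(entry: dict) -> str:
    """Which OU definition picks the entry up: 'active', 'inactive' or 'none'."""
    if not _base_match(entry):
        return "none"
    return "inactive" if is_disabled(entry) else "active"

def rdn_validation_enabled(ou_definitions: list) -> bool:
    """Quoted docs: the DN check runs only if some sys_user OU definition has an RDN."""
    return any(d["table"] == "sys_user" and d.get("rdn") for d in ou_definitions)

def _user(mail: str, uac: int, *classes: str) -> dict:  # constructed entry builder
    return {"objectClass": ["top", "person", *classes], "sn": "x", "manager": "CN=bob",
            "mail": mail, "userAccountControl": uac}

SAMPLE_ENTRIES = {  # constructed sample directory entries
    "alice": _user("alice@mycompanyname.com", 512, "user"),   # NORMAL_ACCOUNT
    "carol": _user("carol@mycompanyname.com", 514, "user"),   # NORMAL_ACCOUNT | ACCOUNTDISABLE
    "ws01$": _user("ws01@mycompanyname.com", 4096, "computer"),
    "dave": _user("dave@contractor.example", 512, "user"),    # outside the mail domain
}

def classify_all(entries: dict = SAMPLE_ENTRIES) -> dict:
    return {name: classify(e) for name, e in entries.items()}
```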
1 ACCEPTED SOLUTION

Lann
Giga Guru

After trying this out, the Inactive OU definition didn't affect the authentication, provided the new OU definition doesn't have an RDN (same as the Active OU definition). Otherwise it impacted authentication.


2 REPLIES 2

Lann
Giga Guru

Any thoughts here?