Automic Workload Automation


Ldap Sync - enable "user is active" option

  • 1.  Ldap Sync - enable "user is active" option

    Posted Jun 25, 2021 08:59 AM
    Edited by Olgun Onur Ozmen Jan 12, 2024 03:47 AM

    Hi all,
    I have a strange problem with LDAP sync. Our problem is that when a user's department changes, the user becomes passive and does not return to active again. I simulated it this way; let me explain.

    autoDeactivateUsers=true :

    1. In case an employee quits the company, the employee is deleted from LDAP and their user is deactivated in Automic. No problem here.
    2. In case an employee changes department within the company, the CN value changes, but the entry is not deleted from LDAP. When LDAP sync runs, it deactivates the user and changes the group in Automic, but it does not make the user active again. So he/she cannot log in to Automic because the user is deactivated.


    autoDeactivateUsers=false:

    1. In case an employee quits the company, the employee is deleted from LDAP and their user is still active in Automic. We don't want that. It's a security vulnerability.
    2. In case an employee changes department within the company, the user is still active in Automic and the group is changed in Automic. This fixes our problem, but there is the security vulnerability from item 1.


    Do you have a solution for the item I highlighted in yellow, "autoDeactivateUsers=true -> bullet 2"?
    =====================================================================

    I opened an idea for this. Please vote:

    https://community.broadcom.com/idea/ldap-sync-enable-user-is-active-option-for-internal-department-changes



  • 2.  RE: Ldap Sync - enable "user is active" option

    Posted Jun 25, 2021 02:43 PM
    Have you checked the logs for any errors?


  • 3.  RE: Ldap Sync - enable "user is active" option

    Posted Jun 28, 2021 01:03 PM
    Edited by Olgun Onur Ozmen Jun 28, 2021 01:13 PM
    No error in the log. Everything seems to be normal. It can disable the user, but it does not activate the user even though it receives no errors. How does it behave when you try the above scenario in your local environment?





  • 4.  RE: Ldap Sync - enable "user is active" option

    Broadcom Employee
    Posted Jul 09, 2021 09:24 AM
    Hi @Olgun Onur Ozmen

    LDAPSync does not automatically activate already existing AE users.

    As the name of the flag (autoDeactivateUsers) implies, LDAPSync deactivates existing AE users when they are no longer found in the directory, or not.
    The documentation (https://docs.automic.com/documentation/webhelp/english/AA/12.3/DOCU/12.3/Automic%20Automation%20Guides/help.htm#LdapSync/setup-configuration-clientSetting.htm) was enhanced to make this clear.

    ------------------------------
    Engineering Program Manager
    Broadcom
    ------------------------------



  • 5.  RE: Ldap Sync - enable "user is active" option

    Posted Mar 10, 2022 06:42 AM
    Edited by Olgun Onur Ozmen Mar 10, 2022 06:46 AM

    Hi Michael,

    I know the documentation. We have been dealing with this problem for a long time. Our problem is that when a user's department changes, the user becomes passive and does not return to active again. Let me explain it this way.

    autoDeactivateUsers=true :

    1. In case an employee quits the company, the employee is deleted from LDAP and their user is deactivated in Automic. No problem here.
    2. In case an employee changes department within the company, the CN value changes, but the entry is not deleted from LDAP. When LDAP sync runs, it deactivates the user and changes the group in Automic, but it does not make the user active again. So he/she cannot log in to Automic because the user is deactivated.

    autoDeactivateUsers=false:

    1. In case an employee quits the company, the employee is deleted from LDAP and their user is still active in Automic. We don't want that. It's a security vulnerability.
    2. In case an employee changes department within the company, the user is still active in Automic and the group is changed in Automic. This fixes our problem, but there is the security vulnerability from item 1.

    Do you have a solution for the item I highlighted in yellow, "autoDeactivateUsers=true -> bullet 2"?


    Documentation:
    autoDeactivateUsers

    Enables/disables deactivation of AE user objects as follows:

    true: LDAP Sync deactivates AE user objects that cannot be found in the directory within the specified domain and search filter
    false: LDAP Sync does not change the active state of the user object in the AE. Removing a user from LDAP will not delete or deactivate the user object in the AE, but the user cannot login to the AE anymore as authentication is done against LDAP.
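The two scenarios in post 1 and post 5 (department change vs. leaver, with autoDeactivateUsers true or false) can be reproduced with a small reconciliation model. This is an added example and not Automic's LDAP Sync code: it assumes that deactivation is keyed on the DN the user was last synced from and that existing users are never reactivated, which is one mechanism consistent with the behaviour described in the thread and the quoted documentation. The directory entries, logins and OUs are constructed. Alongside the "as described" behaviour it shows a reconciliation keyed on the stable login name, and an audit check that lists AE accounts still active although their directory entry is gone, which is the risk the thread raises for autoDeactivateUsers=false.

```python
# Constructed model of an LDAP-to-AE user reconciliation. Not Automic's LDAP Sync code;
# it only reproduces the behaviour the thread describes so the outcomes can be compared.
from dataclasses import dataclass


@dataclass
class AeUser:
    login: str
    dn: str       # distinguished name the user was last synced from
    group: str    # AE group derived from the directory OU
    active: bool = True


# Constructed directory snapshots (DN -> attributes). Names and OUs are invented.
DIRECTORY_BEFORE = {
    "CN=jdoe,OU=Finance,DC=example,DC=com": {"login": "jdoe", "ou": "Finance"},
    "CN=asmith,OU=IT,DC=example,DC=com": {"login": "asmith", "ou": "IT"},
}
# Later snapshot: jdoe moved from Finance to IT (new DN, same login);
# asmith left the company and the entry was deleted.
DIRECTORY_AFTER = {
    "CN=jdoe,OU=IT,DC=example,DC=com": {"login": "jdoe", "ou": "IT"},
}


def fresh_users():
    """AE users as they look after the first sync against DIRECTORY_BEFORE."""
    return {
        attrs["login"]: AeUser(attrs["login"], dn, attrs["ou"])
        for dn, attrs in DIRECTORY_BEFORE.items()
    }


def index_by_login(directory):
    """Map login name -> (dn, attributes) for every entry in the snapshot."""
    return {attrs["login"]: (dn, attrs) for dn, attrs in directory.items()}


def sync_as_described(directory, users, auto_deactivate):
    """Model of the behaviour the thread reports (assumption: deactivation is keyed on
    the DN the user was synced from, and existing users are never reactivated)."""
    if auto_deactivate:
        for u in users.values():
            if u.dn not in directory:   # old DN gone: entry deleted OR moved
                u.active = False
    # Group mapping still finds the moved user by login and updates DN and group,
    # but the active flag stays whatever it was.
    by_login = index_by_login(directory)
    for u in users.values():
        if u.login in by_login:
            u.dn, attrs = by_login[u.login]
            u.group = attrs["ou"]
    return users


def sync_by_login(directory, users):
    """Reconciliation keyed on the stable login name: found -> active with the
    current group; not found anywhere in the directory -> inactive."""
    by_login = index_by_login(directory)
    for u in users.values():
        if u.login in by_login:
            u.dn, attrs = by_login[u.login]
            u.group, u.active = attrs["ou"], True
        else:
            u.active = False
    return users


def orphaned_active_accounts(directory, users):
    """Audit check: AE users still active although no directory entry carries their login."""
    by_login = index_by_login(directory)
    return sorted(u.login for u in users.values() if u.active and u.login not in by_login)


if __name__ == "__main__":
    moved = sync_as_described(DIRECTORY_AFTER, fresh_users(), auto_deactivate=True)
    print("described, true :", {k: (v.group, v.active) for k, v in moved.items()})
    kept = sync_as_described(DIRECTORY_AFTER, fresh_users(), auto_deactivate=False)
    print("described, false, orphans:", orphaned_active_accounts(DIRECTORY_AFTER, kept))
    fixed = sync_by_login(DIRECTORY_AFTER, fresh_users())
    print("by login        :", {k: (v.group, v.active) for k, v in fixed.items()})
```

With autoDeactivateUsers=true the moved user ends up in the new group but inactive (the complaint in bullet 2); with false the leaver stays active and shows up in the orphan list. Keying the decision on a stable identifier rather than the DN, and treating "found" as "active", gives the outcome the thread is asking for, and the orphan check is a cheap periodic control whichever setting is in use.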



  • 6.  RE: Ldap Sync - enable "user is active" option

    Posted Mar 10, 2022 07:17 AM
    I would join @Olgun Onur Ozmen on this problem. We are manually marking IDs as ACTIVE whenever a user reports, after a department change, that he/she is getting an ACCESS DENIED error.

    ------------------------------
    Regards,
    Prosenjit
    ------------------------------



  • 7.  RE: Ldap Sync - enable "user is active" option

    Posted Mar 10, 2022 09:02 AM
    I don't think this feature is missing, but I haven't been able to find a solution for years. There is a point we missed. I hope they didn't miss the possibility of a departmental change :)


  • 8.  RE: Ldap Sync - enable "user is active" option

    Posted Dec 23, 2022 08:44 AM
    I opened an idea for this. Please vote:

    https://community.broadcom.com/idea/ldap-sync-enable-user-is-active-option-for-internal-department-changes

    ------------------------------
    Olgun Onur Ozmen
    https://www.linkedin.com/in/olgunonurozmen/
    ------------------------------



  • 9.  RE: Ldap Sync - enable "user is active" option

    Posted Jun 02, 2023 08:22 AM

    Can those who suffer from this issue join the vote? I invite you to vote.



    ------------------------------
    Olgun Onur Ozmen
    https://www.linkedin.com/in/olgunonurozmen/
    ------------------------------



  • 10.  RE: Ldap Sync - enable "user is active" option

    Posted Jun 06, 2023 07:09 AM

    Voted :-)