Issue
Some customers want to retrieve inactive accounts by importing them through our LDAP integration. The usual filter for this, (userAccountControl:1.2.840.113556.1.4.803:=2), uses the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to test bit 2 (ACCOUNTDISABLE) of the userAccountControl attribute. However, on some LDAP servers this search returns both inactive and locked accounts.
Inactive accounts are accounts that have been disabled on the LDAP server. Locked accounts are accounts whose password must be reset, that have exceeded the limit of incorrect password attempts, and so on. In many cases a locked account is still active, and the user will unlock it at some point.
If you disable locked LDAP accounts on the instance, then once the users unlock their accounts on the LDAP server they will still be unable to log in to the instance, and your administrators may need to re-enable those accounts on the instance.
Symptoms
You will notice this problem if:
- You have an LDAP import that retrieves inactive accounts
- Your inactive accounts are fetched using the LDAP OU Definition filter: (userAccountControl:1.2.840.113556.1.4.803:=2)
- Some users report that they cannot log in to the instance, and those users have recently had their LDAP accounts locked (e.g. too many password retries)
- Some users report that their instance accounts have been set to disabled while their LDAP accounts remain active
Cause
Searching the LDAP server with (userAccountControl:1.2.840.113556.1.4.803:=2) retrieves both inactive and locked accounts, so the import disables users who are only locked.
Resolution
Make your system administrators aware that an LDAP query on userAccountControl with this matching rule can retrieve both inactive and locked users.
To avoid importing locked accounts, either modify the filter to exclude records whose userAccountControl value is 512 or 544 (values that indicate an enabled account), or modify the onBefore script of the LDAP import transformation map so that it does not disable users who are only locked. In either case, confirm against your own LDAP server which userAccountControl values the filter returns before changing the import.
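The following is an added example, not code from this article or from the ServiceNow LDAP integration. It decodes the userAccountControl bits, builds the stricter filter suggested above, and shows the decision an onBefore transform script would make for each imported row (disable only accounts with the ACCOUNTDISABLE bit, skip rows that are merely locked). The flag values are the documented Active Directory bits; the import set column names (u_useraccountcontrol, u_lockouttime) and the sample rows are constructed for the example and must be replaced with the columns of your own import set table.

```javascript
// Added example (not from the article or ServiceNow). Active Directory
// userAccountControl flag bits; the values below are the documented ones.
const UAC = {
  ACCOUNTDISABLE: 0x0002,        // account is disabled on the directory
  LOCKOUT: 0x0010,               // lockout bit (not reliably maintained by AD)
  PASSWD_NOTREQD: 0x0020,
  NORMAL_ACCOUNT: 0x0200,        // 512: the usual enabled user account
  DONT_EXPIRE_PASSWORD: 0x10000,
};

// The filter from the article: bitwise-AND matching rule on bit 2 (disabled).
const DISABLED_FILTER = '(userAccountControl:1.2.840.113556.1.4.803:=2)';

// Stricter filter following the article's advice: keep the bit-AND test but
// explicitly exclude rows whose userAccountControl reads as an enabled
// account (512 = NORMAL_ACCOUNT, 544 = NORMAL_ACCOUNT + PASSWD_NOTREQD).
function buildInactiveFilter() {
  return '(&(objectClass=user)' + DISABLED_FILTER +
    '(!(userAccountControl=512))(!(userAccountControl=544)))';
}

// True when the ACCOUNTDISABLE bit is set; values arrive as strings from LDAP.
function isDisabled(uac) {
  return (Number(uac) & UAC.ACCOUNTDISABLE) !== 0;
}

// True when the LOCKOUT bit is set or lockoutTime is a non-zero FILETIME.
// (lockoutTime is the reliable indicator; the bit is checked as a fallback.)
function isLocked(rec) {
  const uac = Number(rec.userAccountControl);
  const lockoutTime = rec.lockoutTime ? String(rec.lockoutTime) : '0';
  return (uac & UAC.LOCKOUT) !== 0 || lockoutTime !== '0';
}

// Classify one directory record: 'disabled' (make the instance user inactive),
// 'locked' (still active in LDAP, leave alone), or 'active'.
function classify(rec) {
  if (isDisabled(rec.userAccountControl)) return 'disabled';
  if (isLocked(rec)) return 'locked';
  return 'active';
}

// Mirrors the shape of an onBefore transform script: `source` is the staged
// import row. In a real script the decision maps to `ignore = true` to skip
// the row and to setting target.active. Column names are assumptions.
function onBeforeDecision(source) {
  const rec = {
    userAccountControl: String(source.u_useraccountcontrol),
    lockoutTime: String(source.u_lockouttime),
  };
  if (classify(rec) === 'disabled') return { ignore: false, active: false };
  return { ignore: true, active: true }; // locked or active: do not touch
}

// Constructed sample rows (not real directory data).
const SAMPLE_ROWS = [
  { sAMAccountName: 'alice', u_useraccountcontrol: '512',   u_lockouttime: '0' },                  // enabled
  { sAMAccountName: 'bob',   u_useraccountcontrol: '514',   u_lockouttime: '0' },                  // 512 + 2: disabled
  { sAMAccountName: 'carol', u_useraccountcontrol: '528',   u_lockouttime: '0' },                  // 512 + 16: locked
  { sAMAccountName: 'dave',  u_useraccountcontrol: '544',   u_lockouttime: '132901234567890000' }, // locked via lockoutTime
  { sAMAccountName: 'erin',  u_useraccountcontrol: '66050', u_lockouttime: '0' },                  // 65536 + 512 + 2: disabled
];

// Run the classification over every row and return name -> state.
function runImport(rows) {
  const out = {};
  for (const r of rows) {
    out[r.sAMAccountName] = classify({
      userAccountControl: r.u_useraccountcontrol,
      lockoutTime: r.u_lockouttime,
    });
  }
  return out;
}

console.log(buildInactiveFilter());
console.log(runImport(SAMPLE_ROWS));
```

Only bob and erin are classified as disabled; carol and dave are locked and would be skipped by the onBefore decision, which is exactly the case the article describes. Note that the exclusion clauses in buildInactiveFilter are redundant on a directory that maintains the disable bit correctly (a value of 512 or 544 cannot have bit 2 set); they only matter on servers that behave as the article reports, so the onBefore check is the more robust of the two fixes.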