
LDAP OU Definition containing "(userAccountControl:1.2.840.113556.1.4.803:=2)" could retrieve locked accounts

Problem

Some customers would like to retrieve inactive accounts by importing them through our LDAP integration. However, on some LDAP servers, the userAccountControl:1.2.840.113556.1.4.803:=2 search fetches both inactive and locked accounts.

Inactive accounts are accounts disabled on the LDAP server. Locked accounts are accounts on which the password needs to be reset, too many incorrect passwords have been entered, etc. In some cases, locked accounts are still active and the users will unlock them at some point.

If you disable LDAP locked accounts on the instance, then once the users unlock their accounts on the LDAP server they will not be able to log in to the instance, and your administrators might need to re-enable the accounts on the instance.

Symptoms

You will notice this problem if:

  • You have an LDAP import to retrieve the inactive accounts
  • Your inactive accounts are fetched using the LDAP OU Definition filter: (userAccountControl:1.2.840.113556.1.4.803:=2)
  • Some active users report that they cannot log in to the instance, and those users have recently had their accounts locked (e.g. too many password retries).
  • Some users report their accounts have been set to disabled while their LDAP account remains active.

Cause

When the LDAP server is searched for (userAccountControl:1.2.840.113556.1.4.803:=2), it retrieves both inactive and locked accounts.

Resolution

Please make your system administrators aware that an LDAP query containing userAccountControl could retrieve both inactive and locked users.

To avoid importing locked accounts, please modify the filter to exclude records whose userAccountControl is 512* or 544*, or modify the LDAP import transformation map onBefore script so that it does not disable those users.

 

Note: userAccountControl is a cumulative attribute defined on the LDAP server itself; it controls the user account properties through bit masks. Please contact your LDAP administrator to validate whether there is a better query to cover your business requirement.
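
The decision the onBefore script has to make, shown as an added example that is not part of the original article or the product's own code. It assumes the server reports the lock state in the LOCKOUT bit (0x10) of userAccountControl; the sample rows are constructed and the column name u_useraccountcontrol is hypothetical.

```javascript
// Added example. Flag values are the documented userAccountControl bits.
var UAC = {
  ACCOUNTDISABLE: 0x0002, // the bit matched by :1.2.840.113556.1.4.803:=2
  LOCKOUT: 0x0010,
  PASSWD_NOTREQD: 0x0020,
  NORMAL_ACCOUNT: 0x0200
};

// Names of the known flags set in a numeric userAccountControl value.
function decodeUac(value) {
  return Object.keys(UAC).filter(function (name) {
    return (value & UAC[name]) !== 0;
  });
}

// Decide whether an imported row may deactivate the matching user.
// Anything that is not clearly "disabled on the LDAP server" is left alone.
function classify(rawUac) {
  var text = String(rawUac == null ? '' : rawUac).trim();
  if (!/^\d+$/.test(text)) return { deactivate: false, reason: 'unparseable' };
  var value = parseInt(text, 10);
  // Values the article says to exclude (enabled normal accounts).
  if (value === 512 || value === 544) return { deactivate: false, reason: 'enabled' };
  var disabled = (value & UAC.ACCOUNTDISABLE) !== 0;
  var locked = (value & UAC.LOCKOUT) !== 0;
  if (!disabled) return { deactivate: false, reason: locked ? 'locked-only' : 'enabled' };
  return { deactivate: true, reason: locked ? 'disabled+locked' : 'disabled' };
}

// Constructed sample rows, as an import set might deliver them.
var SAMPLE_ROWS = [
  { user: 'a.disabled', uac: '514' }, // 512 + 2
  { user: 'b.locked', uac: '528' },   // 512 + 16
  { user: 'c.normal', uac: '512' },
  { user: 'd.nopwd', uac: '544' },    // 512 + 32
  { user: 'e.both', uac: '530' },     // 512 + 16 + 2
  { user: 'f.empty', uac: '' }
];

// User names the import would be allowed to deactivate.
function usersToDeactivate(rows) {
  return rows.filter(function (r) { return classify(r.uac).deactivate; })
             .map(function (r) { return r.user; });
}

// In a transform map onBefore script the same decision would read roughly:
//   if (!classify(source.u_useraccountcontrol).deactivate) ignore = true;
console.log(usersToDeactivate(SAMPLE_ROWS).join(','));
```

Rows with an empty or non-numeric value are skipped rather than deactivated, so a mapping error in the import cannot lock users out of the instance.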

 

Article Information

Last Updated: 2018-02-27 12:01:51
Published: 2018-02-27