[OPENAM-8474] Active Directory ( AD ) DataStore doesn't show User Status in OpenAM GUI Created: 02/Mar/16 Updated: 20/Jul/18 Resolved: 31/Aug/16
Affects Version/s: 11.0.2, 12.0.0, 12.0.1, 12.0.2
Fix Version/s: 12.0.4, 12.0.5, 14.0.0
Reporter: David Bate
Assignee: Mark de Reeper
Sprint: AM Sustaining Sprint 20, AM Sustaining Sprint 21, AM Sustaining Sprint 26, AM Sustaining Sprint 27
With AM 11.x and 12.x using Active Directory as the DataStore, the OpenAM console/gui does not correctly reflect the User Status (such as Active or Inactive) of existing or newly created users. The radio button in the user's entry does not show any item. The User Status itself is written to the Active Directory DataStore, but is not displayed by OpenAM.
I have verified this behavior with 11.0.2, 12.0.1 & 12.0.2.
You can change the User Status configuration:
to other relevant AD userAccountControl values. The new values are the ones
Comment by David Bate [ 02/Mar/16 ]
Steps to reproduce:
1. Have an Active Directory installed and running on port 636 (ldaps) with the
2. Create a Realm --> ad
3. Go into Realm: Access Control --> Realm /ad
Delete the existing DataStore.
4. Click New and add a new Active Directory DataStore called "ad"
5. Configure these settings:
LDAP User Search attribute: samAccountName
Attribute Name of User Status: userAccountControl
Authentication Configuration Naming Attribute: samAccountName
persistent search controls: dc=windows,dc=example,dc=com
6. Verify that you have users in the Subjects tab (this verifies that AD has been set up correctly as your DataStore)
7. Click on Existing users. Verify that the "Active" and "Inactive" do not show
8. In the Subjects tab, click "New" and create this user:
9. Now click on the user am12usertest1 in the Subjects, and verify that
Issue has been reproduced.
10. The userAccountControl is being created. See this ldif from my AD server with the user that was created:
in AD, it is marked as Inactive: userAccountControl: 546
Comment by Peter Major [X] (Inactive) [ 08/Mar/16 ]
Workaround that seems to work for me: add inetuserstatus to the list of LDAP User Attributes in the Data Store settings.
Comment by David Bate [ 12/Mar/16 ]
The workaround works if you are using the values of 544 and 546 for Active/Inactive. If we set the values to other AD UserAccountControl settings such as 66048 & 66050 (even after a restart) and I change someone to Active, their entry in AD is 544 for UserAccountControl, and if you set them to Inactive, the entry in AD is 546, rather than the 66048 & 66050 that were configured.
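An added example, not part of this ticket or of the OpenAM code base: it decodes the userAccountControl values discussed above (544, 546, 66048, 66050) into their flag bits and shows why deriving the status from the ACCOUNTDISABLE bit classifies accounts that an exact match against one configured Active/Inactive value cannot. The directory entries are constructed sample data; the DN suffix reuses the base DN from the reproduction steps.

```python
# Added example (not OpenAM code). Subset of the documented AD
# userAccountControl flag bits, keyed by bit value.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
}
ACCOUNTDISABLE = 0x0002

# Constructed sample entries (DN -> userAccountControl), not real data.
SAMPLE_ENTRIES = {
    "CN=am12usertest1,CN=Users,DC=windows,DC=example,DC=com": 546,    # 512+32+2
    "CN=svc-backup,CN=Users,DC=windows,DC=example,DC=com": 66050,     # 65536+512+2
    "CN=jdoe,CN=Users,DC=windows,DC=example,DC=com": 512,             # plain normal account
}


def decode_uac(value):
    """Names of the flag bits set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def status_from_uac(value):
    """Status derived from the ACCOUNTDISABLE bit alone, ignoring other flags."""
    return "Inactive" if value & ACCOUNTDISABLE else "Active"


def exact_match_status(value, active_value, inactive_value):
    """Status by exact comparison with one configured value per state;
    None when the stored value matches neither (the case this ticket hits)."""
    if value == active_value:
        return "Active"
    if value == inactive_value:
        return "Inactive"
    return None


def audit(entries, active_value, inactive_value):
    """List (dn, uac, bit-derived status, flags) for every entry whose
    exact-match status disagrees with the ACCOUNTDISABLE-bit status."""
    findings = []
    for dn, uac in entries.items():
        if exact_match_status(uac, active_value, inactive_value) != status_from_uac(uac):
            findings.append((dn, uac, status_from_uac(uac), decode_uac(uac)))
    return findings
```

Running audit(SAMPLE_ENTRIES, 544, 546) reports the 66050 and 512 entries: both have a definite enabled/disabled state in AD, but neither equals a configured value, so an exact-match display shows nothing for them.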
Comment by Peter Major [X] (Inactive) [ 24/Mar/16 ]
The proposed fix for this would be to automatically add inetuserstatus attribute to the user defined attributes list just like what we did with
Comment by Jonathan Thomas [ 06/Sep/16 ]
In 12.0.x/11.0.x patches
Comment by Filip Kubáň [X] (Inactive) [ 06/Oct/16 ]
verified on: OpenAM 12.0.4-RC7 Build b32bf97e3c (2016-September-28 10:46)