[OPENAM-8474] Active Directory ( AD ) DataStore doesn't show User Status in OpenAM GUI Created: 02/Mar/16  Updated: 20/Jul/18  Resolved: 31/Aug/16

Status: Resolved
Project: OpenAM
Component/s: console, idrepo
Affects Version/s: 11.0.2, 12.0.0, 12.0.1, 12.0.2
Fix Version/s: 12.0.4, 12.0.5, 14.0.0

Type: Bug Priority: Major
Reporter: David Bate Assignee: Mark de Reeper
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: 0h
Time Spent: 7h
Original Estimate: 3h

Issue Links:
is related to OPENAM-9643 None Admin users are inactive and can... Closed
Sprint: AM Sustaining Sprint 20, AM Sustaining Sprint 21, AM Sustaining Sprint 26, AM Sustaining Sprint 27
Support Ticket IDs:
QA Assignee: Filip Kubáň [X] (Inactive)
Verified Version/s:


With AM 11.x and 12.x using Active Directory as the DataStore, the OpenAM console/GUI does not correctly reflect the User Status (Active or Inactive) of existing or newly created users. The radio button in the user's entry does not show any item. The User Status itself is written to the Active Directory DataStore, but is not displayed by OpenAM.

I have verified this behavior with 11.0.2, 12.0.1 & 12.0.2.
This happens with XUI on, or with the Classic UI.

You can change the User Status configuration:
Attribute Name of User Status: userAccountControl
User Status Active Value: 544
User Status Inactive Value: 546

to other relevant AD userAccountControl values. The new values are the ones
written to the AD DataStore, but they are not shown in the AM GUI either.

Comment by David Bate [ 02/Mar/16 ]

Steps to reproduce:

1. Have an Active Directory installed and running on port 636 (ldaps) with the
correct schema added (ad_user_schema.ldif). Also ensure that AD's Root CA is imported into the truststore of the Tomcat that is running OpenAM. In my tests I used Windows Server 2012 R2.

2. Create a Realm --> ad

3. Go into Realm: Access Control --> Realm /ad
and click on DataStores.

Delete the existing DataStore.

4. Click New and add a new Active Directory DataStore called "ad"

5. Configure these settings:
ldap server, use port 636: mine is windows.example.com:636
bind dn: CN=Administrator,CN=Users,dc=openam,dc=example,dc=com
bind password: cn=Administrator's password
LDAP OrgDN: mine is dc=windows,dc=example,dc=com

LDAP User Search attribute: sAMAccountName

Attribute Name of User Status: userAccountControl
User Status Active Value: 544
User Status Inactive Value: 546

Authentication Configuration Naming Attribute: samAccountName

persistent search controls: dc=windows,dc=example,dc=com

Hit save

6. Verify that you have users in the Subjects tab (this verifies that AD has been set up correctly as your DataStore)

7. Click on Existing users. Verify that the "Active" and "Inactive" do not show

8. In the Subjects tab, click "New" and create this user:

ID: am12usertest1
First Name: am12
Last Name: usertest1
Full Name: am12usertest1
Password: pick an AD-compliant password
User Status: Select "Active" or "Inactive" and remember which one you picked.
I picked "Inactive"

Click OK

9. Now click on the user am12usertest1 in the Subjects, and verify that
NO "Inactive" button is selected.

Issue has been reproduced.

10. The userAccountControl is being created. See this ldif from my AD server with the user that was created:

version: 1

dn: CN=am12usertest1,CN=Users,DC=windows,DC=example,DC=com
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: am12usertest1
instanceType: 4
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=windows,DC=example,D
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
countryCode: 0
displayName: FullName am12usertest1
distinguishedName: CN=am12usertest1,CN=Users,DC=windows,DC=example,DC=com
dSCorePropagationData: 16010101000000.0Z
givenName: am12
lastLogoff: 0
lastLogon: 0
logonCount: 0
name: am12usertest1
objectGUID:: 8jyktIERUEKzqMWWhkx54A==
objectSid:: AQUAAAAAAAUVAAAA7AbY/qViexOjeOvpbgQAAA==
primaryGroupID: 513
pwdLastSet: 0
sAMAccountName: $E31000-JDNFC5H0T49H
sAMAccountType: 805306368
sn: usertest1
userAccountControl: 546
userPassword:: Q2FuZ2V0aW53aW4x
uSNChanged: 37029
uSNCreated: 37025
whenChanged: 20160301222908.0Z
whenCreated: 20160301220436.0Z

in AD, it is marked as Inactive: userAccountControl: 546

Comment by Peter Major [X] (Inactive) [ 08/Mar/16 ]

Workaround that seems to work for me: add inetuserstatus to the list of LDAP User Attributes in the Data Store settings.

Comment by David Bate [ 12/Mar/16 ]

The workaround works if you are using the values of 544 and 546 for Active/Inactive. If we set the values to other AD UserAccountControl settings such as 66048 & 66050 (even after a restart), if I change someone to Active, their entry in the AD is 544 for UserAccountControl and if you select them to Inactive, the entry in AD is 546, rather than with 66048 & 66050 that was configured.
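The two ways of reading user status that this ticket turns on, as an added illustration that is not code from OpenAM or from the reporter: a small LDIF parser run over a constructed record modelled on the one pasted above, a decoder for the userAccountControl bit flags (546 = NORMAL_ACCOUNT + PASSWD_NOTREQD + ACCOUNTDISABLE; 66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD), and a comparison of deciding Active/Inactive by the ACCOUNTDISABLE bit versus by exact match against the two configured values. The sample LDIF, the second svc-noexpire entry and all function names are assumptions made for this example.

```python
import base64
import re

# userAccountControl bit flags (subset; values as documented by Microsoft)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
}
UAC_ACCOUNTDISABLE = 0x0002

# Constructed sample LDIF, modelled on the record in the report above:
# the first entry is the disabled user it shows (546); the second is a
# hypothetical account created with 66048 (512 + 65536), i.e. password
# never expires, not disabled.
SAMPLE_LDIF = """\
version: 1

dn: CN=am12usertest1,CN=Users,DC=windows,DC=example,DC=com
objectClass: user
objectClass: top
cn: am12usertest1
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=windows,DC=example,
 DC=com
objectGUID:: 8jyktIERUEKzqMWWhkx54A==
sAMAccountName: am12usertest1
userAccountControl: 546

dn: CN=svc-noexpire,CN=Users,DC=windows,DC=example,DC=com
objectClass: user
objectClass: top
cn: svc-noexpire
sAMAccountName: svc-noexpire
userAccountControl: 66048
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries (dict of lower-cased attribute
    name -> list of values). Handles folded continuation lines and
    base64-encoded ('::') values, which are returned as bytes."""
    text = re.sub(r"\n ", "", text)  # unfold lines continued by a leading space
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Return the set of known flag names set in a userAccountControl value."""
    flags = int(value)
    return {name for bit, name in UAC_FLAGS.items() if flags & bit}


def status_by_bit(entry):
    """Active/Inactive decided by the ACCOUNTDISABLE bit alone, so other
    flags (password never expires, etc.) do not affect the answer."""
    uac = int(entry["useraccountcontrol"][0])
    return "Inactive" if uac & UAC_ACCOUNTDISABLE else "Active"


def status_by_equality(entry, active_value=544, inactive_value=546):
    """Active/Inactive decided by exact match against the two configured
    values, the way the data-store settings in the report express them.
    Returns None when the stored value matches neither, which is the gap
    the comments above describe for values such as 66048/66050."""
    uac = int(entry["useraccountcontrol"][0])
    if uac == active_value:
        return "Active"
    if uac == inactive_value:
        return "Inactive"
    return None


def set_disabled(uac, disabled):
    """Toggle only the ACCOUNTDISABLE bit, preserving every other flag."""
    return uac | UAC_ACCOUNTDISABLE if disabled else uac & ~UAC_ACCOUNTDISABLE


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        uac = e["useraccountcontrol"][0]
        print(e["cn"][0], uac, sorted(decode_uac(uac)),
              "bit:", status_by_bit(e), "equality:", status_by_equality(e))
```

Running the block prints both entries: am12usertest1 is Inactive under either rule, while svc-noexpire is Active by the bit test but matches neither configured value, so an equality-based mapping has nothing to show for it. `set_disabled` is the flag-preserving alternative to writing a fixed 544/546 over whatever else the account had set.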

Comment by Peter Major [X] (Inactive) [ 24/Mar/16 ]

The proposed fix for this would be to automatically add inetuserstatus attribute to the user defined attributes list just like what we did with OPENAM-7988.

Comment by Jonathan Thomas [ 06/Sep/16 ]

In 12.0.x/11.0.x patches OPENAM-9643 will need to be included.

Comment by Filip Kubáň [X] (Inactive) [ 06/Oct/16 ]

verified on: OpenAM 12.0.4-RC7 Build b32bf97e3c (2016-September-28 10:46)

Generated at Wed Nov 25 06:00:23 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.