We are using an OpenLDAP connector for integrating with an LDAP. The issue is that we don’t have the possibility to enable/disable accounts from IDN side, although the documentation states that it is one of the features of the basic LDAP integration. Our idea is to perform some additional actions with a BeforeProvisioning rule every time the account was enabled/disabled, but we cannot even trigger it.
Does anyone know how we could get this enablement/disablement action on the accounts (or any workaround)? The main downside of this is that we cannot include this source in the ‘Inactive’ state of the authoritative source Identity Profile, so the leavers wouldn’t generate a disablement of their corresponding LDAP account.
Hi Sergio, openldap does not support account enable/disable. You need to rely on attribute sync to update the account. We use a custom attribute to indicate whether the account is active/inactive. You can create an attribute in the identity, which is set to true when the user is active, false when the user is termed. Create a corresponding attribute in openldap which is synced to the attribute you created on the identity. This attribute will get synced to openldap when it changes from true to false.
In my case, I created a before provisioning rule which looks for changes in the employee type and sets the openldap account active/inactive. The attributes employeeType and personTypeInternal are identity attributes and must be synced to openldap so this rule runs when they change.
Here is a code snippet:
    import java.util.List;
    import sailpoint.object.ProvisioningPlan;
    import sailpoint.object.ProvisioningPlan.AccountRequest;
    import sailpoint.object.ProvisioningPlan.AttributeRequest;

    // currentIdentity (the Identity being provisioned) and oudAcctRequest (the
    // AccountRequest for the OpenLDAP application) are set earlier in the rule.
    // updateValues(), getAttrFromOUDAccount(), removeGroups() and
    // revokeGroupRequest() are helper methods of the same rule, not shown here.
    String employeeType = (String) currentIdentity.getAttribute("employeeType");
    String personTypeInternal = (String) currentIdentity.getAttribute("personTypeInternal");
    String adMail = (String) currentIdentity.getAttribute("email");

    if (oudAcctRequest.getOperation().equals(ProvisioningPlan.AccountRequest.Operation.Create)) {
        // Create operation: do nothing, the create profile handles this scenario
    }
    else if (oudAcctRequest.getOperation().equals(ProvisioningPlan.AccountRequest.Operation.Modify)) {
        if (null != personTypeInternal && personTypeInternal.equalsIgnoreCase("Canceled Hire")) {
            // No-show use case: delete the account instead of modifying it
            oudAcctRequest.setOperation(ProvisioningPlan.AccountRequest.Operation.Delete);
        }
        else if (null != employeeType
                 && (employeeType.equalsIgnoreCase("Employee") || employeeType.equalsIgnoreCase("Consultant"))) {
            // Employee or consultant (new hire or rehire): set swAccountStatus to Active
            oudAcctRequest = updateValues(oudAcctRequest, "Active");
            if (null != adMail && !adMail.startsWith("Noemail")) {
                AttributeRequest mailattrRequest = new AttributeRequest("mail", ProvisioningPlan.Operation.Set, adMail);
                oudAcctRequest.add(mailattrRequest);
            }
        }
        else if (null != employeeType && null != personTypeInternal
                 && (employeeType.startsWith("Ex-")
                     || personTypeInternal.equalsIgnoreCase("Garden Leave")
                     || personTypeInternal.equalsIgnoreCase("Separation Agreement"))) {
            // Ex-employee / ex-consultant, garden leave or separation agreement:
            // set swAccountStatus to Inactive and remove the mail attribute
            oudAcctRequest = updateValues(oudAcctRequest, "Inactive");
            List oudEmailList = getAttrFromOUDAccount("mail");
            if (null != oudEmailList && !oudEmailList.isEmpty()) {
                String oudEmail = (String) oudEmailList.get(0);
                AttributeRequest mailattrRequest = new AttributeRequest("mail", ProvisioningPlan.Operation.Remove, oudEmail);
                oudAcctRequest.add(mailattrRequest);
            }
            removeGroups(oudAcctRequest);
        }
        oudAcctRequest = revokeGroupRequest(oudAcctRequest);
    }
    else if (oudAcctRequest.getOperation().equals(ProvisioningPlan.AccountRequest.Operation.Delete)) {
        // Delete operation: do nothing
    }
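Because a BeforeProvisioning rule can only be exercised by running a real provisioning event, it helps to model its transition table outside IDN first. The following is an added example, not the rule from the post above: a pure-Python model of the same decisions (status attribute, mail handling, no-show delete) that can be unit-tested offline. Attribute names follow the post; STATUS_ATTR and the "RevokeAll" marker are assumed stand-ins for the custom status attribute and the helper methods that the post does not show.

```python
# Added example: models the BeforeProvisioning decision logic from the post so it
# can be unit-tested offline. STATUS_ATTR is an assumed name for the custom
# OpenLDAP status attribute that is attribute-synced from the identity.
STATUS_ATTR = "swAccountStatus"
LEAVER_TYPES = {"garden leave", "separation agreement"}


def plan_for(identity, operation, current_mail=None):
    """Return (operation, attribute_requests) for one OpenLDAP account request.

    identity:     dict of identity attributes (employeeType, personTypeInternal, email)
    operation:    incoming AccountRequest operation: "Create", "Modify" or "Delete"
    current_mail: mail value currently on the OpenLDAP account, if any
    Each attribute request is a (attribute, op, value) tuple.
    """
    requests = []
    if operation != "Modify":
        return operation, requests          # Create/Delete are handled elsewhere

    emp = identity.get("employeeType")
    ptype = identity.get("personTypeInternal")
    mail = identity.get("email")

    if ptype and ptype.lower() == "canceled hire":
        return "Delete", requests           # no-show: remove the account

    if emp and emp.lower() in ("employee", "consultant"):
        requests.append((STATUS_ATTR, "Set", "Active"))
        if mail and not mail.startswith("Noemail"):
            requests.append(("mail", "Set", mail))
    elif emp and ptype and (emp.startswith("Ex-") or ptype.lower() in LEAVER_TYPES):
        # leaver: flag the account inactive, drop mail, revoke group memberships
        requests.append((STATUS_ATTR, "Set", "Inactive"))
        if current_mail:
            requests.append(("mail", "Remove", current_mail))
        requests.append(("groups", "RevokeAll", None))   # stands in for removeGroups()
    return "Modify", requests
```

Note that, as in the post, the leaver branch requires both employeeType and personTypeInternal to be present; an identity with only one of them set is left unchanged.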