
Crowd unable to retrieve "Account Disabled" flag for delegated directories

    • Bug
    • Resolution: Answered
    • Low
    • None
    • 2.7, 2.7.1, 2.7.2, 2.8
    • Directory - LDAP

      Bug Description

      As described in this improvement request, Crowd has had the ability to retrieve "Account Disabled" since version 2.7.0. This, however, only works for the CONNECTOR method of integration with Active Directory.

      The DELEGATED method will not work because Crowd will only retrieve the user information from the AD server after a successful authentication. However, it is not possible for a disabled user to authenticate, hence their status won't be brought over to Crowd and this user will still be counted as a licensed user.

      How to replicate

      1. Create a new test user in AD
      2. Create both "Connector" and "Delegated" directories to the AD
      3. Synchronise the "Connector" directory and log in using the user from the "Delegated" directory
      4. Both directories will specify the user as "Active"
      5. Disable the user in AD
      6. Synchronise the "Connector" directory and log in using the user from the "Delegated" directory

      Expected behaviour

      The user registered under the "Connector" and "Delegated" directories will be registered as "Disabled"

      Result

      Only the user registered under the "Connector" directory is registered as "Disabled"; the user from the "Delegated" directory won't be able to log in and is still registered as active.

            [CWD-4324] Crowd unable to retrieve "Account Disabled" flag for delegated directories

            aanastasov added a comment:

            Hello,

            Active Directory does not allow deactivated users to authenticate. The simplest approach to synchronise deleted and ‘disabled’ users from any remote ‘Delegated Authentication’ directory is to use the ‘Delegated Directory Pruning for Crowd’ plugin. It periodically scans delegated directories for users who have been deleted or deactivated and, depending on its configuration, deactivates or deletes them. You can find more instructions on how to configure it here: https://confluence.atlassian.com/crowd/pruning-delegated-directories-1055690249.html

            I hope this answers the question and I will close the ticket. If there is a more specific problem that the plugin doesn’t solve, I suggest opening another ticket with more details about your specific use case.

            Kind Regards,
            Anastas
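The scan described in the comment above is a reconciliation between the locally held delegated users and the entries in AD. The sketch below is an added example, not Crowd's or the pruning plugin's code: it compares the two using Active Directory's `userAccountControl` ACCOUNTDISABLE bit (0x0002). The function names, data shapes and sample users are assumptions constructed for illustration.

```python
# Added illustration; not Crowd or plugin code. All sample data is constructed.
UF_ACCOUNTDISABLE = 0x0002  # AD userAccountControl bit set on disabled accounts


def ad_account_disabled(entry):
    """True if the AD entry's userAccountControl has ACCOUNTDISABLE set."""
    # LDAP returns attribute values as strings, so convert before masking.
    return bool(int(entry["userAccountControl"]) & UF_ACCOUNTDISABLE)


def plan_pruning(local_users, ad_entries, delete_missing=False):
    """Decide which locally held delegated users need a status change.

    local_users: {username: is_active} as held locally (hypothetical shape).
    ad_entries:  dicts with sAMAccountName and userAccountControl.
    Returns {username: "deactivate" | "delete"} for users that need a change.
    """
    # AD logon names are case-insensitive, so index them in lower case.
    by_name = {e["sAMAccountName"].lower(): e for e in ad_entries}
    actions = {}
    for username, is_active in local_users.items():
        entry = by_name.get(username.lower())
        if entry is None:
            # No longer present in AD, so a login will never refresh this user.
            if delete_missing:
                actions[username] = "delete"
            elif is_active:
                actions[username] = "deactivate"
        elif is_active and ad_account_disabled(entry):
            # Disabled in AD but still active (and licensed) locally.
            actions[username] = "deactivate"
    return actions


# Constructed sample data
LOCAL_USERS = {"alice": True, "bob": True, "carol": True, "dave": False}
AD_ENTRIES = [
    {"sAMAccountName": "Alice", "userAccountControl": "512"},   # normal account
    {"sAMAccountName": "bob", "userAccountControl": "514"},     # 512 | 2: disabled
    {"sAMAccountName": "dave", "userAccountControl": "66050"},  # disabled, no expiry
]

if __name__ == "__main__":
    print(plan_pruning(LOCAL_USERS, AD_ENTRIES))
    print(plan_pruning(LOCAL_USERS, AD_ENTRIES, delete_missing=True))
```

Here "carol" is absent from the constructed AD data, so she is deactivated or deleted depending on `delete_missing`, mirroring the two configurable outcomes the comment mentions.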

              Unassigned
              scahyadiputra Septa Cahyadiputra (Inactive)
              Affected customers: 4
              Watchers: 7
