How to Deactivate an LDAP User?


Solution 1

To answer your question, per the Oracle iPlanet (Sun) documentation:

Setting the attribute nsAccountLock to true will disable a user's account and prevent them from binding to the directory.

However, in terms of the code you already have, I just don't see any way of accomplishing this... Is there something preventing you from writing your own implementation for iPlanet using the System.DirectoryServices.Protocols namespace in .NET?

Here is how I bind and authorize users against an iPlanet server:

using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

//Connect to host:port (LDAPS is normally 636)
var ldapConnection = new LdapConnection(new LdapDirectoryIdentifier(ServerName, Port));
//Authenticate the admin username and password, making sure it's a valid login

try
{
    //Pass in the network (administrative) creds and the domain.
    var networkCredential = new NetworkCredential(Username, Password, config.LdapAuth.LdapDomain);
    ldapConnection.SessionOptions.SecureSocketLayer = true;
    //Validate the server certificate against the local trust store. A callback that
    //simply returns true would accept any certificate and defeat the TLS protection.
    ldapConnection.SessionOptions.VerifyServerCertificate +=
        (connection, certificate) => new X509Certificate2(certificate).Verify();
    //Simple bind with the admin credentials; AuthType.Anonymous would ignore them.
    ldapConnection.AuthType = AuthType.Basic;
    ldapConnection.Bind(networkCredential);

    //Find this person so we can use the correct DN syntax when we authorize them.
    //Patron comes from the user, so escape it for an LDAP filter (RFC 4515) before substituting it.
    var FindThem = new SearchRequest
    {
        DistinguishedName = config.LdapAuth.LdapDomain,
        Filter = config.LdapAuth.LdapFilter.Replace("{{Patron}}", Patron),
        Scope = SearchScope.Subtree
    };

    //We'll execute a search using the bound (administrative) user
    var searchresults = (SearchResponse) ldapConnection.SendRequest(FindThem);

    //Should only get one result back; if not, throw an error
    if (searchresults.Entries.Count != 1)
    {
        throw new InvalidOperationException("Expected exactly one directory entry for the patron.");
    }
    SearchResultEntry thispatron = searchresults.Entries[0];
    PatronDN = thispatron.DistinguishedName;
}
catch (LdapException ex)
{
    //Bind or search failed (bad admin credentials, server unreachable, TLS error, ...)
    throw new InvalidOperationException("LDAP bind or search failed: " + ex.Message, ex);
}
finally
{
    ldapConnection.Dispose();
}

If you wanted to move disabled users to a specific group, from this point you could write logic to check the DistinguishedName of that user and throw a handled exception if their DistinguishedName contains the name of that group. Also, if the nsAccountLock attribute is available to your binding account as a readable attribute, you could just check the value of that attribute for true and handle the user accordingly.

Solution 2

Here is the Java code for disabling and enabling a user in Active Directory using JNDI. Make sure you are connected to your AD before calling the code below.

    import javax.naming.directory.Attributes;
    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.ModificationItem;

    // userAccountControl bit flag for a disabled account
    static final int UF_ACCOUNTDISABLE = 0x0002;

    // Disables (disable == true) or enables the user. userAccountControl is a bit mask
    // that also carries flags such as NORMAL_ACCOUNT (0x0200), so read the current value
    // and change only the ACCOUNTDISABLE bit instead of replacing the whole value with 0x0002.
    public void disableEnableUser(DirContext ctx, String userDn, boolean disable) throws Exception {
        Attributes attrs = ctx.getAttributes(userDn, new String[] {"userAccountControl"});
        int current = Integer.parseInt((String) attrs.get("userAccountControl").get());
        int updated = disable ? (current | UF_ACCOUNTDISABLE) : (current & ~UF_ACCOUNTDISABLE);

        ModificationItem[] mods = new ModificationItem[1];
        mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl", Integer.toString(updated)));
        ctx.modifyAttributes(userDn, mods);
    }

    // To disable:
    // disableEnableUser(ctx, "CN=John ABC,OU=Users,OU=anyone,DC=yourcompanyname,DC=com", true);

Distinguished name = "CN=John ABC,OU=Users,OU=anyone,DC=yourcompanyname,DC=com". This name depends on the structure of your Active Directory; you can confirm it with your support team.
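The two answers name different lock mechanisms: nsAccountLock on Sun/Netscape/iPlanet and the 0x0002 (ACCOUNTDISABLE) bit of userAccountControl on Active Directory. The Python below is an added example, not code from either answer or from the asker's library. It takes a directory entry as a plain dict, decides which mechanism applies, and emits the LDIF change record an `ldapmodify` run would need, changing only the ACCOUNTDISABLE bit on AD instead of overwriting the whole value. It also shows the check Solution 1 suggests for treating an already-locked account differently after the search that resolves the user's DN. The entries and DNs are constructed sample data.

```python
"""Build the LDAP modify needed to deactivate (or reactivate) a user.

Added example: it does not open a connection; it returns LDIF that can be
fed to `ldapmodify -H ldaps://host -D <admin dn> -W -f -`. The entries at
the bottom are constructed sample data, not from any real directory.
"""

# Active Directory userAccountControl bit flags (documented by Microsoft).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000


def ad_user_account_control(current: int, disable: bool) -> int:
    """Return userAccountControl with only the ACCOUNTDISABLE bit changed.

    Replacing the attribute with a bare 0x0002 would also drop flags such as
    NORMAL_ACCOUNT or DONT_EXPIRE_PASSWD that the account already carries.
    """
    if disable:
        return current | UF_ACCOUNTDISABLE
    return current & ~UF_ACCOUNTDISABLE


def is_disabled(entry: dict) -> bool:
    """True if the entry is locked by either mechanism.

    Use this after the search that resolves the user's DN and before binding
    as them, when a locked account has to be handled differently.
    """
    if "userAccountControl" in entry:
        return bool(int(entry["userAccountControl"]) & UF_ACCOUNTDISABLE)
    return entry.get("nsAccountLock", "false").lower() == "true"


def plan_modify(entry: dict, disable: bool) -> str:
    """Return the LDIF change record that puts `entry` in the requested state.

    Active Directory is detected by the presence of userAccountControl;
    anything else is treated as a Sun/Netscape/iPlanet (or 389 DS) server
    and locked with nsAccountLock. Returns "" when nothing would change.
    """
    if "userAccountControl" in entry:
        current = int(entry["userAccountControl"])
        updated = ad_user_account_control(current, disable)
        if updated == current:
            return ""
        attr, value = "userAccountControl", str(updated)
    else:
        if is_disabled(entry) == disable:
            return ""
        attr, value = "nsAccountLock", "true" if disable else "false"
    return "\n".join([
        f"dn: {entry['dn']}",
        "changetype: modify",
        f"replace: {attr}",
        f"{attr}: {value}",
        "-",
        "",
    ])


# Constructed sample entries, roughly in the shape the asker described.
SAMPLE_IPLANET = {"dn": "uid=jdoe,ou=users,dc=company"}
SAMPLE_AD = {
    "dn": "CN=John ABC,OU=Users,OU=anyone,DC=yourcompanyname,DC=com",
    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD = 66048: an enabled account
    "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
}

if __name__ == "__main__":
    print(plan_modify(SAMPLE_IPLANET, disable=True))
    print(plan_modify(SAMPLE_AD, disable=True))
```

When populating the entry dict from a real search, request nsAccountLock by name in the attribute list: on 389 Directory Server it is an operational attribute and is not returned by a default "all user attributes" search, which is the readability problem Solution 1 alludes to.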

Author: Jasper

Areas of interest and skill: Java / J2EE / MongoDB / Big Data/ Hadoop / Machine Learning / Cloud / Amazon EC2

Updated on June 04, 2022

Comments

  • Jasper
    Jasper almost 2 years

    I am using a library to authenticate LDAP Users, whose code is as follows:

    public void authUser(String username, String pwd) throws Exception
    {
      try
      {
        Properties env = getEnvironmentForContext();

        // The bind DN is built by concatenating the raw username into the DN string
        env.put("java.naming.security.principal", "uid=" + username + ",ou=users, dc=company");
        env.put("java.naming.security.credentials", pwd);
        context = getContext(env);
        System.out.println("Authentication Succeeded");
      }
      catch (Exception e)
      {
        System.out.println("Authentication Failed");
        throw e;
      }
    }
    

    Please note, I cannot modify the above authentication code. It comes from an external library.

    But I want to deactivate some users (not delete them), so that authentication fails. I am using LDAP (not Active Directory). I do not know what LDAP software it is, though; I can connect to it using 'LDAP Browser Client'.

    The users exist under: dc=company, ou=users, uid=username

    What attribute can I add/change on an LDAP 'user' to deactivate the user?
    Could I move the user to a different group like: dc=company, ou=deactivatedusers, uid=username? But this is not the preferred option, plus I am not sure of the best way to do that.

    EDIT: The LDAP being used is: Netscape/Sun/iPlanet

  • rogue lad
    rogue lad almost 6 years
    This is also an alternative.
  • pagep
    pagep about 5 years
    Sorry but this is super stupid. There are many occasions where you will need to treat a deactivated account completely differently than an activated one. It's not only about the fact that the user can't log in...
  • user207421
    user207421 about 5 years
    @pagep In which case you would delete them, which is specifically excluded in the question.