LDAP filter out disabled users

Does anyone know the syntax and the location to put it in order to filter out any disabled users? We use Active Directory groups for catalog security and Agent recipient lists. Any time there is a disabled user in one of our lists the Agent fails. I have been trying to update the syntax in the weblogic - Provider specific screen to filter these out. I have tried variations of (&(sAMAccountName=%u)(objectclass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)) but have not been able to get it to work.
We are on 12c
Answers
-
Are you running the Agent as a deleted user? If so it makes sense that the Agent fails since the user is no longer there.
If it's in the recipient list it should only fail for that particular user but still send it to all other users.
0 -
Yes it runs as the disabled user. It fails the whole Agent though which doesn't make sense.
Is there a way to have disabled users filtered out of the search list?
This user is disabled. How do I get her to not even show in this list?
0 -
The problem is that the list you're showing is a fixed list of users. So if you add a user there and after it's disabled you'll always have the same error.
If you have more than 1 user (with at least one disabled) does it fail for all of them?
0 -
a) That's an MSAD integration issue and has nothing to do with any specific OBI version.
b) Having to write (!userAccountControl:1.2.840.113556.1.4.803:=2)) is the poorest solution imaginable.
c) This is really something where your MSAD admins must be of assistance since they control it and they design it. If they don't help you...escalate. It's their LDAP.
d) If you are pulling the users for agents dynamically then the question becomes: "Where are you pulling them from and why are disabled user still in there in the first place?"
0 -
a) Yes
b) This was a solution that I have found and my MSAD admin gave me. It works when used in the weblogic Provider setup in the All Users Filter and the User from Name Filter. When used here I can no longer query in the weblogic User/Group section for the disabled users.
c) They have been trying to assist.
d) Where are the settings for this? I have many additional things I would like to change about this that I cannot find where to change them. Besides not pulling disabled users I would also like to be able to search for a user's actual name and not the ID. Currently we have to search for their ID and their name is returned. (See example above)
Thanks for the information.
0 -
ad d) Well *you* have to know where the dynamic list gets pulled up! Are you reading it from a DB table?
0 -
I do not believe so. It should be straight from the Active Directory. I can filter the list in the weblogic users/groups but I do not know where these settings are for the list that the recipients are pulling from.
0 -
@Christian Berg I believe he doesn't use a dynamic list but rather a static list.
But when a user in his static list gets disabled, since the Agent "runs as" the recipient the whole Agent fails.
0 -
Yes exactly. And I want to be able to remove all disabled users from this list with some type of filter.
0 -
The problem is not in the OBIEE-LDAP filter I would say...
The problem is in your static list of users...
Do you have specific data filters tied up with those users? Do you need the Run-as for this purpose?
Can you take the list of users from an analysis instead of a static list? If so you could create a SA on top of MSAD to retrieve only the valid users.
0
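
An added example, not code from any poster in this thread: it builds the disabled-user exclusion discussed above in the form RFC 4515 requires (the operand of `!` is its own parenthesized filter) and shows how the bitwise-AND matching rule treats typical userAccountControl values. The account names and entries are constructed sample data, and the function names are hypothetical.

```python
import re

# Added example; the entries below are constructed sample data.
ACCOUNTDISABLE = 0x2                      # userAccountControl bit for a disabled account
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule OID

def enabled_user_filter(login_attr="sAMAccountName", placeholder="%u"):
    """Build a lookup filter for one enabled user (%u as in the thread's filter)."""
    disabled = f"(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})"
    # RFC 4515: the operand of '!' is itself a complete parenthesized filter.
    return f"(&({login_attr}={placeholder})(objectclass=user)(!{disabled}))"

def not_operands_parenthesized(ldap_filter):
    """True if every '(!' is followed by '(' (simple check; ignores escaped values)."""
    return re.search(r"\(!(?!\()", ldap_filter) is None

def bit_and_matches(value, mask):
    """Semantics of the bitwise-AND rule: match when all mask bits are set in value."""
    return (value & mask) == mask

def enabled_recipients(entries):
    """Keep only accounts the negated bit-AND term would let through."""
    return [e["sAMAccountName"] for e in entries
            if not bit_and_matches(int(e["userAccountControl"]), ACCOUNTDISABLE)]

# Constructed directory entries: 512 = normal account, 514 = normal + disabled,
# 66048 = normal + password never expires, 66050 = the same account disabled.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "asmith", "userAccountControl": "512"},
    {"sAMAccountName": "bdoe", "userAccountControl": "514"},
    {"sAMAccountName": "cjones", "userAccountControl": "66048"},
    {"sAMAccountName": "dlee", "userAccountControl": "66050"},
]

if __name__ == "__main__":
    print(enabled_user_filter())
    print(enabled_recipients(SAMPLE_ENTRIES))
```

The same negated term can be combined into a group-membership or all-users search; a static recipient list that was saved earlier is not re-evaluated by the filter.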