- Assert there is no configured mapping for "Status" on the LDAP Server connection
- Login with an inactive LDAP user
- Configure an appropriate mapping for the Status attribute (LDAP does not have a standardized attribute to describe activation status, see tip below)
- Login again
Expected outcome: User is unable to login because the LDAP user is deactivated
Actual outcome: User is able to login because the modifiedDate timestamps of the portal user and the LDAP entry match, so the import is skipped and the newly mapped LDAP "status" attribute is never applied
Note: The effect only lasts for the login at step 4. Any subsequent login attempts will fail because the act of simply logging in will update the portal user's modifiedDate timestamp.
Tip: To make it easier to create an "inactive" LDAP user, you can use an existing LDAP attribute such as roomNumber in the mapping. This attribute is available in the Person schema, which all portal users have by default. You will need to use an LDAP client (try JXplorer) to update the attribute with the value 5, which the portal interprets as "deactivated".
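Added illustration, not Liferay code: a minimal Python model of the sync rule this report describes, with integer timestamps, the roomNumber-to-status mapping from the tip, and a hypothetical `mapping_changed` timestamp standing in for whatever a real fix would record about when the attribute mapping was last edited.

```python
from dataclasses import dataclass

STATUS_DEACTIVATED = 5  # value the report says the portal treats as "deactivated"


@dataclass
class LdapEntry:
    attributes: dict  # raw LDAP attributes, e.g. {"roomNumber": "5"}
    modified: int     # modifyTimestamp of the entry (integer for brevity)


@dataclass
class PortalUser:
    status: int    # anything other than STATUS_DEACTIVATED counts as active here
    modified: int  # portal modifiedDate


def import_attributes(user, entry, mapping, mapping_changed, check_mapping):
    """Copy mapped LDAP attributes onto the portal user.

    Reported rule: skip the import whenever the two timestamps match.
    Hardened rule (check_mapping=True, hypothetical): also import when the
    attribute mapping was changed after the portal user was last synced."""
    unchanged = user.modified == entry.modified
    if check_mapping and mapping_changed > user.modified:
        unchanged = False
    if unchanged:
        return False
    if "status" in mapping:
        user.status = int(entry.attributes[mapping["status"]])
    user.modified = entry.modified
    return True


def login(user, entry, mapping, now, mapping_changed=0, check_mapping=False):
    """Return True if the login succeeds; a successful login touches modifiedDate."""
    import_attributes(user, entry, mapping, mapping_changed, check_mapping)
    if user.status == STATUS_DEACTIVATED:
        return False
    user.modified = now
    return True


def reproduce(check_mapping=False):
    """Constructed state after step 2: portal user and LDAP entry timestamps match."""
    entry = LdapEntry({"roomNumber": "5"}, modified=1000)
    user = PortalUser(status=0, modified=1000)
    mapping = {"status": "roomNumber"}  # step 3, configured at t=1500
    first = login(user, entry, mapping, now=2000, mapping_changed=1500, check_mapping=check_mapping)
    second = login(user, entry, mapping, now=3000, mapping_changed=1500, check_mapping=check_mapping)
    return first, second
```

With the reported rule `reproduce()` returns `(True, False)`: step 4 succeeds, and only the next login fails once the login-time touch breaks the timestamp match; with the hardened rule both logins are rejected.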
- Discovered while testing: LPS-125588 Deactivated users are reactivated at next LDAP import