Details

    • Type: Feature Request
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      LIFERAY VERSION: 6.1 GA 2
      LDAP: MS Active Directory

      Description
      After disabling an LDAP user account, this change is not reflected within the portal. The user is still 'active'.

      Steps to reproduce
      1) Import LDAP users. (Active Directory)
      2) Disable LDAP account.
      3) Login as user. / Search for user.

      Expected Result: Because LDAP account is disabled, the account in Liferay should also be disabled. A disabled LDAP user in Liferay should not be pulled up within search results.

      Actual Result: A disabled LDAP user is still able to access and log into Liferay. Their names will still appear within search results.

          Activity

          Randy Zhu added a comment -

          In preparation for Ideation, we are merging New Feature and Improvement tickets into a singular ticket type called “Feature Request”. Additional information to follow soon.

          Tino Schwarze added a comment -

          Users disabled in AD should be disabled upon periodic import as well.

          Disabled users may be recognized by evaluating the userAccountControl property of the LDAP user (special permissions are required for the querying user to access this property). It is a bitfield. If (userAccountControl & 2) = 2, the user is disabled in AD. (see http://support.microsoft.com/kb/305144/en-us )

          Note that expired users are marked differently and are not detectable by checking the userAccountControl field, but by checking the accountExpires field.

          IMHO this is a must-have for LDAP/AD integration...
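
The check described in the comment above, as an added example that is not part of the original ticket or of Liferay's code: it classifies imported AD entries from `userAccountControl` and `accountExpires` so a periodic sync can deactivate the matching portal users. The function names, the dict-of-strings entry shape and the sample entries are assumptions; `accountExpires` is read as 100 ns ticks since 1601-01-01 UTC, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never".

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x2  # the bit tested in the comment: (userAccountControl & 2) = 2
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values AD uses for "never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Server-side equivalent of the bit test, using AD's bitwise-AND matching rule.
DISABLED_FILTER = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"


def expires_at(account_expires):
    """Convert accountExpires (100 ns ticks since 1601-01-01 UTC) to a datetime, or None."""
    ticks = int(account_expires)
    if ticks in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def portal_status(entry, now):
    """Return 'disabled', 'expired', 'active' or 'unknown' for one LDAP entry (dict of strings)."""
    uac = entry.get("userAccountControl")
    if uac is None:
        # The bind account may lack permission to read the attribute: do not assume active.
        return "unknown"
    if int(uac) & ACCOUNTDISABLE:
        return "disabled"
    expiry = expires_at(entry.get("accountExpires", "0"))
    if expiry is not None and expiry <= now:
        return "expired"
    return "active"


def users_to_deactivate(entries, now):
    """Names of imported users whose portal account should no longer be active."""
    return [e["sAMAccountName"] for e in entries
            if portal_status(e, now) in ("disabled", "expired")]


# Constructed sample entries (not real directory data).
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": "512", "accountExpires": "0"},
    {"sAMAccountName": "bob", "userAccountControl": "514", "accountExpires": "0"},
    {"sAMAccountName": "carol", "userAccountControl": "66048",
     "accountExpires": "130014720000000000"},  # 2013-01-01 00:00 UTC
    {"sAMAccountName": "dave", "accountExpires": "9223372036854775807"},
]

if __name__ == "__main__":
    now = datetime(2013, 6, 1, tzinfo=timezone.utc)
    for e in SAMPLE:
        print(e["sAMAccountName"], portal_status(e, now))
    print(users_to_deactivate(SAMPLE, now))
```

An entry that comes back without `userAccountControl` is reported as `unknown` rather than `active`, so a sync account that cannot read the attribute shows up as a gap to investigate instead of silently leaving users enabled.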

          Aaron Weikle added a comment -

          I agree this is a MUST. If a domain account is disabled it should not appear in the Portal as being active.


            People

            • Assignee:
              SE Support
              Reporter:
              Alex Chau
            • Votes:
              9
              Watchers:
              5
