This topic has 7 replies, 3 voices, and was last updated 4 years, 2 months ago by Thunderlol.


    Hi. I have set up an LDAP Connector to create Users in my Active Directory. Everything works fine but when I create Users they are always deactivated at first. How can I fix that?


    Can you share the Json payload you use when creating a user?


    Honestly I am really new to all this and don’t know what you mean by that. I’m sorry!


    How do you create the user in AD?


    To create an active user in AD, you need to provide a password and make sure the ‘enabled’ flag is set to true.

    If you use an HTTP client like curl, a typical JSON payload would look like:

    POST http://localhost:8080/openidm/system/AD/account?_action=create

    {
      "dn": "CN=Test CreatefromOpenIDM,OU=create,DC=example,DC=com",
      "__PASSWORD__": "Passw0rd",
      "__PASSWORD_NOTREQD__": false,
      "sn": "CreateAD",
      "givenName": "Test",
      "displayName": "Test CreatefromOpenIDM",
      "sAMAccountName": "testcreateIDM",
      "__ENABLE__": true,
      "userPrincipalName": "[email protected]"
    }

     Bill Nelson

    What Gael is showing you are the command line details using a client like curl. I suspect that you may be using the Admin Console to attempt to provision this user, however, is that correct? If so, then

    1) make sure that all of the attributes that Gael has shown above (__PASSWORD__, sn, givenName, displayName, sAMAccountName, __ENABLE__, and userPrincipalName) are detailed in your provisioner (aka “connector”).

    (You can see this in the openidm/conf/provisioner-openicf-userdirectory.json file on the filesystem, or you can attempt to navigate the UI to the connector section, edit the userdirectory connector details, and then look at the attribute properties configured. I find it easier to look directly at the config file.)

    2) make sure that all of these attributes appear in your mapping between OpenIDM and AD.

    (You can see this in the openidm/conf/sync.json file in the managedUser_systemUserDirectory mapping [or something like that]. You can also look for this mapping in the mappings section in the Admin UI, but again, I prefer the command line.)

    As Gael mentions, you need to set the __ENABLE__ flag to true for the user to be enabled.

    (Note: __ENABLE__ is a variable reference which, under the covers, simply points to the userAccountControl attribute in AD.)

    While Wayne’s tutorial is nice, it leaves out a few details as it does not show all the attributes or attribute values that are needed to complete the provisioning to AD.
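    The following is an added illustration, not code from the thread or from ForgeRock: it shows what the __ENABLE__ and __PASSWORD_NOTREQD__ flags above translate to in the AD userAccountControl attribute (the bit values are Microsoft's documented ones; the assumption that the connector only toggles these two bits on a normal user account is mine), and lints a create payload for the attributes Gael and Bill list. The sample payloads are constructed for this example.

```python
# userAccountControl bit flags documented by Microsoft for Active Directory.
ACCOUNTDISABLE = 0x0002   # set on every new user object until it is enabled
PASSWD_NOTREQD = 0x0020   # allows an empty password; keep it off in practice
NORMAL_ACCOUNT = 0x0200   # the default for a user object

# Constructed sample payloads (values are placeholders, not real credentials).
GOOD_PAYLOAD = {
    "dn": "CN=Sample User,OU=create,DC=example,DC=com",
    "__PASSWORD__": "<placeholder-password>",
    "__PASSWORD_NOTREQD__": False,
    "sn": "User", "givenName": "Sample", "displayName": "Sample User",
    "sAMAccountName": "sampleuser",
    "__ENABLE__": True,
    "userPrincipalName": "sampleuser@example.com",
}
# Same payload without the two operational attributes: the common mistake.
DISABLED_PAYLOAD = {k: v for k, v in GOOD_PAYLOAD.items()
                    if k not in ("__ENABLE__", "__PASSWORD__")}

def expected_uac(payload: dict) -> int:
    """Return the userAccountControl value the account ends up with.
    Assumption: the connector maps __ENABLE__ to the ACCOUNTDISABLE bit and
    __PASSWORD_NOTREQD__ to the PASSWD_NOTREQD bit, leaving other bits at default."""
    uac = NORMAL_ACCOUNT
    if not payload.get("__ENABLE__", False):
        uac |= ACCOUNTDISABLE          # default for a new user: 514
    if payload.get("__PASSWORD_NOTREQD__", False):
        uac |= PASSWD_NOTREQD
    return uac

def lint_create_payload(payload: dict) -> list:
    """Explain, before sending the request, why AD would leave the user disabled
    or reject the create. An empty list means the payload looks complete."""
    findings = []
    if payload.get("__ENABLE__") is not True:
        findings.append("__ENABLE__ missing or false: ACCOUNTDISABLE (0x2) stays set")
    if not payload.get("__PASSWORD__"):
        findings.append("__PASSWORD__ missing: AD normally refuses to enable an "
                        "account that has no password when a password policy applies")
    if payload.get("__PASSWORD_NOTREQD__") is True:
        findings.append("__PASSWORD_NOTREQD__ true: relaxes the password policy; set false")
    for attr in ("dn", "sn", "sAMAccountName", "userPrincipalName"):
        if not payload.get(attr):
            findings.append(f"{attr} missing: required to build a usable user object")
    return findings

if __name__ == "__main__":
    for name, p in (("good", GOOD_PAYLOAD), ("disabled", DISABLED_PAYLOAD)):
        print(name, expected_uac(p), lint_create_payload(p))
```

Running it prints 512 for the complete payload and 514 (NORMAL_ACCOUNT plus ACCOUNTDISABLE) for the one missing __ENABLE__, which is the "created but deactivated" state the original question describes.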



    OK, so I have to create the two properties __ENABLE__ and __PASSWORD__ in the Account Object Types of my Connector. After that how do I add them to my mapping? Like what do I use as Source and Target. Sorry that I seem kinda lost but it’s just a lot of new stuff that I need to learn.
