Disabling accounts from OpenIDM and sync in OpenDJ

This topic has 13 replies, 5 voices, and was last updated 6 years, 1 month ago by [email protected].



    In managedUser_sourceLdapopendjAccount mapping, I have mapped accounStatus(source) to disabled(target) attribute.
    The use case is, when user account is disabled in OpenIDM, it should be disabled from OpenDJ as well.
    But this doesn’t work. The value for disabled is blank.

    Since accountStatus holds values like ‘active’ and ‘inactive’ and disabled is a boolean field, I wrote a transform script:

    if ( source == 'inactive') {
        true;
    } else {
        false;
    }

    But this doesn’t seem to work.
    Can anyone help?


     Bill Nelson

    “source” is an object that contains all attributes – of which the accountStatus is just one. Depending on the object you are using (I assume it is managed/user) then you probably have others like mail, sn, or other. You need to specify the attribute you are referring to in your comparison (such as source.cn). You should also use the exact match operator (“===”) instead of the “==” when making string comparisons.


    Hi Bill,

    I have selected the source as accountStatus and not complete user object. So the source would be accountStatus right?
    We get all other attributes like mail, sn, givenName only when we select the complete user object.

     Bill Nelson

    Not knowing how you are implementing this I would give something like source.accountStatus a try.


    I tried using the following code:

    if ( source.accountStatus === 'inactive' ) {
        true;
    } else {
        false;
    }

    It still doesn’t work.
    Ideally the ‘ds-pwp-account-disabled’ attribute should be set to true in OpenDJ.

    Am I missing something here?



    You can always use logging to examine the source object you are referring to.
    Something along the lines of logger.error("this is source: {}", source); should be easy to spot in openidm.log.


    logger.error("this is source: {}", source); prints ‘inactive’ in the logs.
    It goes inside the if statement, but in OpenDJ true value is not set in ds-pwp-account-disabled attribute.
    This is what I get in the logs:
    Method: update


    So using “source” instead of source.accountStatus is correct.

    Ignore the mapping for a moment and read the system object directly via system/opendj/account….
    does it report ds-pwp-account-disabled? Can you modify it by modifying the system object?


    You can also check the logs for clues during reconciliation.

    I gave it a quick try and used the following transform for accountStatus(source) and disabled(target):

    if ( source === 'inactive' ) { true; } else { ; }

    I got an error message when trying “Single Record Reconciliation” (which is an easy way to test reconciliation using one entry):

    Attribute value conflicts with the attribute’s schema definition on operation UPDATE for system object:…

    accountStatus is a string in the user managed object and the disabled property in the connector is a boolean. At least it is in my lab.

    I’m not sure what the right solution is for your use case, but at least you now have another avenue to pursue.


    Hi bgallantfr,

    Since the disabled attribute is boolean, I had to write the transform script.
    I tried your approach as well, but still no luck.
    The disabled attribute gets a value of either true or false through this script. But it is not updated in OpenDJ due to schema violation.
    I also tried returning 1 instead of true and 0 instead of false considering the boolean values, but no luck.
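The following is an added example, not code from this thread and not OpenIDM's own implementation. It is a small stand-in for how OpenIDM evaluates a property mapping with an inline transform (the completion value of the script's last statement becomes the target value), so the behaviours reported above can be reproduced offline: `source` is the attribute value when the mapping names a source attribute and the whole managed object when it does not, an empty `else { ; }` leaves the target blank for active users, and returning 1/0 or a bare string for a boolean connector attribute is a schema violation. The `TARGET_SCHEMA` table and the sample users are constructed for the example; the real type check happens in the connector and OpenDJ, and this model says nothing about the connector limitation reported later in the thread.

```javascript
// Added example (not from the thread, not OpenIDM code): a simplified model of
// OpenIDM property-mapping evaluation for the accountStatus -> disabled case.

// Hypothetical stand-in for the connector's schema: "disabled" is boolean.
const TARGET_SCHEMA = { disabled: "boolean" };

// Evaluate an inline transform the way OpenIDM does: the completion value of
// the script's last statement is the result. A direct eval inside the function
// sees the `source` parameter, and yields undefined when the executed branch
// contains no expression (e.g. an empty `else { ; }`).
function runTransform(script, source) {
  return new Function("source", "script", "return eval(script);")(source, script);
}

// Apply one property mapping {source, target, transform} to a source object.
function syncProperty(mapping, sourceObject) {
  // With a named source attribute the script sees only that value; with no
  // source attribute it sees the whole object (hence source.accountStatus).
  const source = mapping.source ? sourceObject[mapping.source] : sourceObject;
  const value = mapping.transform ? runTransform(mapping.transform, source) : source;
  const expected = TARGET_SCHEMA[mapping.target];
  if (value === undefined || value === null) {
    return { target: mapping.target, status: "blank" };
  }
  if (expected !== undefined && typeof value !== expected) {
    return { target: mapping.target, status: "schema violation", value };
  }
  return { target: mapping.target, status: "set", value };
}

// Constructed sample managed users (not real data).
const INACTIVE_USER = { userName: "jdoe", mail: "jdoe@example.com", accountStatus: "inactive" };
const ACTIVE_USER = { userName: "asmith", mail: "asmith@example.com", accountStatus: "active" };

// The variants tried in the thread, plus the one that yields a clean boolean.
const MAPPINGS = {
  // boolean in both branches: the only variant that produces a valid value for every user
  boolean: { source: "accountStatus", target: "disabled",
    transform: "if (source === 'inactive') { true; } else { false; }" },
  // empty else branch: active users get no value at all
  blankElse: { source: "accountStatus", target: "disabled",
    transform: "if (source === 'inactive') { true; } else { ; }" },
  // 1/0 instead of true/false: numbers fail the boolean schema check
  numeric: { source: "accountStatus", target: "disabled",
    transform: "if (source === 'inactive') { 1; } else { 0; }" },
  // no source attribute named: `source` is the whole object
  wholeObject: { target: "disabled",
    transform: "if (source.accountStatus === 'inactive') { true; } else { false; }" },
  // source attribute named but the script treats `source` as the object:
  // 'inactive'.accountStatus is undefined, so every user ends up disabled=false
  wrongScope: { source: "accountStatus", target: "disabled",
    transform: "if (source.accountStatus === 'inactive') { true; } else { false; }" },
  // no transform at all: the string 'inactive' is not a boolean
  noTransform: { source: "accountStatus", target: "disabled" },
};

// Run every mapping against both sample users and collect the outcomes.
function runAll() {
  const out = {};
  for (const [name, mapping] of Object.entries(MAPPINGS)) {
    out[name] = {
      inactive: syncProperty(mapping, INACTIVE_USER),
      active: syncProperty(mapping, ACTIVE_USER),
    };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runAll(), null, 2));
}
```

Run it with node and compare the `wrongScope` and `blankElse` rows with the symptoms reported earlier: a script that always produces false, or one that produces nothing for active users, looks exactly like "the value for disabled is blank" even though the mapping itself is wired correctly.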


    You are fiddling around with the mapping to solve your issue. I consider it to be quite unlikely, perhaps technically impossible, to solve your issue that way.

    For the mapping to work, the configuration of the provisioner has to be correct; for the provisioner to work, the proxy account needs the correct capabilities, etc.

    Can you perform the modification using LDAP and the proxy-account you configured in OpenIDM?
    What is the LDAP-schema of the attribute?

    If you succeed using LDAP:
    what’s the mapping in provisioner.openicf-opendj.json for the specific attribute? Does it conform to the LDAP-schema?
    Can you toggle the attribute using REST-calls at system/opendj/….?

    Check your mapping only after checking all those preconditions.
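The precondition checks from the post above, worked as an added example (not from the thread and not ForgeRock tooling): bind to OpenDJ directly as the proxy account OpenIDM uses, read the attribute's schema definition, read the flag on one entry, and write it with ldapmodify. Assumptions, all hypothetical: OpenDJ's own ldapsearch and ldapmodify are on PATH and accept -h/-p/-D/-w/-b/-s, the proxy account is cn=idm-proxy,ou=Admins,dc=example,dc=com, and the server listens on localhost:1389. All of these can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the thread, not ForgeRock tooling): check the LDAP
# side before touching the OpenIDM mapping. Hypothetical host, port, proxy DN
# and password; override them in the environment.
LDAP_HOST="${LDAP_HOST:-localhost}"
LDAP_PORT="${LDAP_PORT:-1389}"
PROXY_DN="${PROXY_DN:-cn=idm-proxy,ou=Admins,dc=example,dc=com}"
PROXY_PW="${PROXY_PW:-changeme}"
ATTR="ds-pwp-account-disabled"

# Build the LDIF the connector would have to produce: a replace of the
# Boolean-syntax operational attribute. Only "true" and "false" are valid.
disable_ldif() {
  dn="$1"; value="$2"
  case "$value" in
    true|false) ;;
    *) echo "disable_ldif: value must be true or false, got '$value'" >&2; return 1 ;;
  esac
  printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' "$dn" "$ATTR" "$ATTR" "$value"
}

# Run an OpenDJ tool with the proxy account's connection and bind arguments.
_ldap() {
  tool="$1"; shift
  "$tool" -h "$LDAP_HOST" -p "$LDAP_PORT" -D "$PROXY_DN" -w "$PROXY_PW" "$@"
}

# 1. What is the LDAP schema of the attribute? Read it from cn=schema.
show_schema() {
  _ldap ldapsearch -b cn=schema -s base '(objectClass=*)' attributeTypes | grep -i "$ATTR"
}

# 2. Can the proxy account read it? The attribute is operational, so it has to
#    be requested by name or the server will not return it.
read_flag() {
  _ldap ldapsearch -b "$1" -s base '(objectClass=*)' "$ATTR"
}

# 3. Can the proxy account write it? If this fails with insufficient access
#    rights, no change to the OpenIDM mapping will make the sync work.
write_flag() {
  disable_ldif "$1" "$2" | _ldap ldapmodify
}

# Usage: sh check-disable.sh --run uid=jdoe,ou=People,dc=example,dc=com
if [ "${1:-}" = "--run" ]; then
  target="${2:?usage: $0 --run <user DN>}"
  show_schema
  read_flag "$target"
  write_flag "$target" true && read_flag "$target"
  write_flag "$target" false
fi
```

If step 3 succeeds here, the remaining suspects are the provisioner's attribute definition for disabled and the connector itself; if it fails, the mapping was never the problem.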


    Which operators are allowed in the transform script apart from ===?
    Can we use something like string.includes() or string.contains()?



    I have been trying to disable users with the same attribute ‘ds-pwp-account-disabled’, but OpenIDM can delete it and never merge or replace it. I think it was a bug.


    Yes, this seems to be a bug. I confirmed this with ForgeRock.
    The disable functionality is not supported by the DJ LDAP connector.

©2022 ForgeRock