Verify account validity using LDAPSearchValve
This document describes how to verify a user account in PhenixID Server using LDAPSearchValve.
The reader is expected to have some basic knowledge of PhenixID Server.
We will make changes to phenix-store.json, so make sure to have a recent backup of this file before you start.
System requirements
PhenixID Server installed.
Overview
When using login scenarios against LDAP, a search for the id of the person logging in is one of the first steps performed.
This document explains how to include a check of the account's validity in that search, before the bind is attempted, so that only accounts whose 'userAccountControl' value permits login are found.
Note that in Active Directory 'userAccountControl' tells you whether the account is disabled, but not whether it is locked out or has expired: those states are recorded in the lockoutTime and accountExpires attributes, so if they also matter for your scenario they need their own checks.
The example below is made against Microsoft Active Directory.
The values are examples; other values may also be of interest, so make sure to add the values your environment needs.
In the example below, the search will succeed only if the userid is correct and 'userAccountControl' has one of the values specified; any other value for 'userAccountControl' makes the search fail. Keep in mind that 'userAccountControl' is a bit field: 512 is a normal account, 514 is a normal account with the disabled bit (2) set, 66048 is a normal account whose password does not expire, and so on. An exact-value list therefore only admits accounts whose complete combination of flags is listed, and an account with any additional flag set is rejected, which is the safe direction to fail in. When adding a value, check that it does not include the disabled bit.
When the configuration is done, test the login thoroughly, making sure that only allowed accounts can log in and that a disabled account is refused.
Example, LDAPSearchValve
{
  "name" : "LDAPSearchValve",
  "enabled" : "true",
  "config" : {
    "connection_ref" : "fe37eb47-8738-4bff-ae9f-f9066a0a431f",
    "base_dn" : "DC=org,DC=local",
    "scope" : "SUB",
    "size_limit" : "0",
    "filter_template" : "(&(sAMAccountName={{request.User-Name}})(|(userAccountControl=512)(userAccountControl=544)(userAccountControl=66048)(userAccountControl=66080)(userAccountControl=262656)(userAccountControl=262688)(userAccountControl=328192)(userAccountControl=328224)))",
    "attributes" : "mobile"
  }
}
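The filter above accepts a fixed list of 'userAccountControl' values. The following Python script is an added example, not part of this page or of PhenixID Server, and its helper names are hypothetical. It decodes the listed values into their documented Active Directory flag bits, shows which accounts the exact-value list accepts and rejects, rebuilds the page's filter with the user name escaped per RFC 4515, and builds an alternative filter that uses the Active Directory bit-AND matching rule 1.2.840.113556.1.4.803 to exclude only accounts with the disabled bit set, combined with an accountExpires check. Whether the template substitution of {{request.User-Name}} in filter_template escapes the value itself is not stated on this page, so the example escapes it explicitly.

```python
"""Added example (not PhenixID code): decode Active Directory userAccountControl
values and build the LDAP filters discussed on this page.
The flag bits, the matching-rule OID and the accountExpires conventions are
documented AD values; the function names are hypothetical."""

import time

# Documented userAccountControl flag bits (subset relevant to login checks).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "NOT_DELEGATED": 0x100000,
}

# The exact values accepted by the filter_template on this page.
ALLOWED_UAC_VALUES = (512, 544, 66048, 66080, 262656, 262688, 328192, 328224)

# Active Directory bit-AND extensible matching rule (LDAP_MATCHING_RULE_BIT_AND).
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# accountExpires values that mean "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)

# Seconds between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch), UTC.
EPOCH_DIFF_SECONDS = 11_644_473_600


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def passes_exact_list(uac: int, allowed=ALLOWED_UAC_VALUES) -> bool:
    """What the page's exact-value filter decides for a stored userAccountControl value."""
    return uac in allowed


def passes_not_disabled(uac: int) -> bool:
    """What a bit-AND filter on the disabled bit decides for the same value."""
    return not uac & UAC_FLAGS["ACCOUNTDISABLE"]


def build_exact_list_filter(username: str, allowed=ALLOWED_UAC_VALUES) -> str:
    """Filter in the style of the page's example, with the user name escaped."""
    terms = "".join(f"(userAccountControl={v})" for v in allowed)
    return f"(&(sAMAccountName={escape_filter_value(username)})(|{terms}))"


def unix_to_filetime(unix_seconds: int) -> int:
    """Convert Unix time to a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return (unix_seconds + EPOCH_DIFF_SECONDS) * 10_000_000


def build_bitmask_filter(username: str, now_unix: int) -> str:
    """Alternative filter: reject only accounts with the disabled bit set or an
    accountExpires in the past. Accounts with extra flags (e.g. NOT_DELEGATED)
    are still found, unlike with the exact-value list."""
    user = escape_filter_value(username)
    disabled = UAC_FLAGS["ACCOUNTDISABLE"]
    never = "".join(f"(accountExpires={v})" for v in NEVER_EXPIRES)
    return (
        f"(&(sAMAccountName={user})"
        f"(!(userAccountControl:{BIT_AND_RULE}:={disabled}))"
        f"(|{never}(accountExpires>={unix_to_filetime(now_unix)})))"
    )


if __name__ == "__main__":
    # Constructed sample values: normal, disabled, smartcard + no-expire, and
    # a normal account marked "sensitive and cannot be delegated".
    for v in (512, 514, 328224, 512 | UAC_FLAGS["NOT_DELEGATED"]):
        print(v, decode_uac(v), "exact-list:", passes_exact_list(v),
              "not-disabled:", passes_not_disabled(v))
    print(build_exact_list_filter("alice"))
    print(build_bitmask_filter("alice", int(time.time())))
```

Run it and compare the decisions for 514 (disabled, rejected by both filters) and 1049088 (normal account with NOT_DELEGATED, rejected by the exact list but accepted by the bit-AND form). Whichever form you put into filter_template, keep {{request.User-Name}} as the substituted value and confirm during testing that a user name containing '*' or ')' does not widen the search.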