This article describes how to prevent disabled remote LDAP users from being imported by a remote sync rule in FortiAuthenticator.
When remote users are imported into FortiAuthenticator with a remote sync rule, some users that have been disabled in Active Directory are imported with the status Enabled.
This happens because the sync rule imports every user that matches its LDAP filter, and the LDAP server does not report the disabled state to FortiAuthenticator unless the filter checks for it.
In the example below, the group 'Testgroup' is present with 2 users: 'genci', which is disabled, and 'gimi', which is enabled.
The LDAP filter needs to be adapted to exclude the disabled users.
This expression matches disabled users:
(userAccountControl:1.2.840.113556.1.4.803:=2)
The filter in the remote sync rule must therefore negate that expression. For this example, the correct filter has the following format:
(&(objectClass=person)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(|(memberOf=CN=Testgroup,CN=Users,DC=forti,DC=test)))
Running 'Test Filter' on the remote sync rule with this filter shows only the user 'gimi', and not the disabled user 'genci'.
The logs on FortiAuthenticator confirm that only this user is imported under the Remote Users database.
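To check the effect of the userAccountControl test without a live domain controller, the following added example (not Fortinet's code) evaluates the article's filter against constructed directory entries. The matching rule OID 1.2.840.113556.1.4.803 is the Active Directory bitwise-AND rule, and the value 2 is the ACCOUNTDISABLE flag of userAccountControl, so the negated clause excludes exactly the accounts that have that bit set. The entries for 'genci', 'gimi' and a third user outside the group are constructed; the group-only filter labelled GROUP_ONLY_FILTER is an assumed 'before' state, since the article shows only the corrected filter.

```python
# Added example (not Fortinet's code): evaluates the FortiAuthenticator remote
# sync rule filter from the article against constructed directory entries, so
# the effect of the userAccountControl bit test can be checked offline.
# Supports the RFC 4515 subset the filter uses: &, |, !, attr=value and the
# Active Directory bitwise-AND extensible match attr:OID:=value.

ACCOUNTDISABLE = 0x2          # userAccountControl flag: account is disabled
NORMAL_ACCOUNT = 0x200        # userAccountControl flag: ordinary user account (512)
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
TESTGROUP_DN = "CN=Testgroup,CN=Users,DC=forti,DC=test"


def parse_filter(text):
    """Parse a filter string into a tuple tree; raises ValueError on bad syntax."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected trailing text at offset %d" % pos)
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":                       # n-ary AND / OR
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    if op == "!":                        # NOT wraps exactly one filter
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", child), i + 1
    end = s.index(")", i)                # simple item: attr=value or attr:rule:=value
    item = s[i:end]
    if ":=" in item:
        lhs, value = item.split(":=", 1)
        attr, _, rule = lhs.partition(":")
        return ("ext", attr.lower(), rule, value), end + 1
    attr, value = item.split("=", 1)     # split on the first '=' only: DN values contain '='
    return ("eq", attr.lower(), value), end + 1


def _values(entry, attr):
    """Return the entry's values for attr as a list (LDAP attributes are multi-valued)."""
    v = entry.get(attr, [])
    return v if isinstance(v, list) else [v]


def evaluate(node, entry):
    """Return True if the entry matches the parsed filter node."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    if kind == "eq":                      # case-insensitive equality, as for DNs and names
        _, attr, value = node
        return any(str(v).lower() == value.lower() for v in _values(entry, attr))
    if kind == "ext":
        _, attr, rule, value = node
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule %s" % rule)
        mask = int(value)                 # AD returns userAccountControl as a decimal string
        return any((int(v) & mask) == mask for v in _values(entry, attr))
    raise ValueError("unknown node %r" % (kind,))


# Constructed entries mirroring the article: 'genci' is disabled (512|2 = 514),
# 'gimi' is enabled (512); 'other' is enabled but not a member of Testgroup.
SAMPLE_ENTRIES = [
    {"dn": "CN=genci,CN=Users,DC=forti,DC=test", "objectclass": ["top", "person", "user"],
     "useraccountcontrol": str(NORMAL_ACCOUNT | ACCOUNTDISABLE), "memberof": [TESTGROUP_DN]},
    {"dn": "CN=gimi,CN=Users,DC=forti,DC=test", "objectclass": ["top", "person", "user"],
     "useraccountcontrol": str(NORMAL_ACCOUNT), "memberof": [TESTGROUP_DN]},
    {"dn": "CN=other,CN=Users,DC=forti,DC=test", "objectclass": ["top", "person", "user"],
     "useraccountcontrol": str(NORMAL_ACCOUNT), "memberof": ["CN=Staff,CN=Users,DC=forti,DC=test"]},
]

# Hypothetical group-only filter (assumed 'before' state; the article shows only
# the corrected one) next to the corrected filter from the article.
GROUP_ONLY_FILTER = "(&(objectClass=person)(|(memberOf=%s)))" % TESTGROUP_DN
CORRECTED_FILTER = ("(&(objectClass=person)(&(!(userAccountControl:%s:=2)))"
                    "(|(memberOf=%s)))" % (BIT_AND_RULE, TESTGROUP_DN))


def search(filter_text, entries=SAMPLE_ENTRIES):
    """Return the DNs of entries matched by the filter, like a sync rule's 'Test Filter'."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if evaluate(node, e)]


if __name__ == "__main__":
    print("group only :", search(GROUP_ONLY_FILTER))   # genci and gimi
    print("corrected  :", search(CORRECTED_FILTER))    # gimi only
```

The group-only filter returns both members of Testgroup, while the corrected filter returns only 'gimi', which is the result the article's 'Test Filter' run shows. Because the bitwise-AND rule tests a flag rather than a fixed value, the clause also keeps excluding accounts whose userAccountControl carries other flags alongside ACCOUNTDISABLE (for example a disabled account that also has a non-expiring password), which a plain equality match on 514 would miss.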
Copyright 2024 Fortinet, Inc. All Rights Reserved.