Can LDAP import be configured to reactivate a re-enabled AD account?

[Dave Woodhead]

Users are sometimes deactivated in our Active Directory system, e.g. when on maternity leave, and reactivated at a later date. When the accounts are deactivated the corresponding Hornbill users are set to Archived, but our AD import does not reactivate Hornbill accounts for re-activated AD accounts.

According to my colleague who implemented our AD import, we have workflow logic in Hornbill that states:
1) when users appear in BU’s AD = create them in Hornbill with xyz roles
2) when users get disabled in BU’s AD = archive them

Is it possible to enhance an AD import to re-enable Hornbill logins for users when their AD account is reactivated?

[Steve Giller]

@Dave Woodhead You can set the Status of a User as part of the import.

Setting the Status to Active when the User is updated should achieve your goal here, although without knowing how your Imports and AD are set up it's tricky to give more detailed advice.

[Dave Woodhead]

Thanks Steve, I'll liaise with my AD team and see if they're able to set up an additional rule.

[Dave Woodhead]

Our AD expert has stated that the current configuration states "Currently: ‘status value = active, upon action = create’" and his interpretation that what we need is "status value = active, upon action = create & update"

H has also provided screenshots (attached) of what he believes is required to set status to Active for reactivated AD accounts. Could you let me know if the screenshot represents the correct configuration we need?

Is he on the right track?

 

 

Thanks

[Steve Giller]

That looks right to me.

This will make any User that is updated by this import Active.

The "gotcha" to keep an eye on would be to ensure that any Users you wish to remain archived are not picked up by this Import.

[Dave Woodhead]

Thanks Steve.

[Dave Woodhead]

Steve,

My technical colleague Mark has been looking into this more over the last couple days and running various tests using Hornbill’s LDAP utilities and has commented as follows:

My conclusion is that their suggestion, in combination with making sure we run the archive last, would achieve the aim….but in a horribly inefficient way. Yes the ‘gotcha’ is accurate, disabled accounts are caught in the change and made active.

If we put this suggestion in place today, we’d be activating over 600 people in Hornbill who are currently archived, and then for the vast majority we’d be archiving them again an hour later. This number will just grow and grow as time goes on. Yes this captures a small number of accounts we want to revert from archive to active, but at the cost of lengthy and cumbersome runtimes and resource usage on the upload scripts, which again will get worse over time. Our upload runtime and resource usage is something that Hornbill themselves are already grumbling about as our scripts exist now, never mind after making this change. It also just seems generally backwards and inefficient.

Are there any alternative approaches which other Hornbill customers have adopted to delver a more efficient LDAP import? As Mark mentions, we've already received concerns from your Platform team about the load our current import is creating, so adding more transactions would presumably be preferable to both them and us.

Thanks

[Steve Giller]

On 9/6/2021 at 10:00 AM, Dave Woodhead said:

e.g. when on maternity leave

This is the part that caught my eye - if these Users are in an AD group that is excluded (by the filter) from the import, they will not be updated and therefore not reactivated.

As Hornbill is importing from your Active Directory I see this more as an AD issue than a Hornbill one.

Not being AD experts we can't advise properly, but there should be other ways to filter out based on AD criteria.

For example, I know you can filter on first name (givenName) and surname (sn) so I imagine that you could use a "not" filter on an attribute that is set to "Maternity Leave" or "Long Term Sick" etc. to avoid these Users being picked up.

[Dave Woodhead]

Thanks Steve, I'll check back with my AD experts and see whether we have the necessary user data to enable more precise filtering.

[SamS]

Hi @Dave Woodhead,

Also not knowing your exact configuration, the simplest remedy would be to have at least three LDAP configurations (more are possible) run in sequence:

1) Only Create - to create the users (this is what you appear to have)

2) Only Update - to disable (archive) only those users which are disabled (you appear to have a way of telling which users they are - i.e. via either a specific OU or via useraccountcontrol (you appear to have this as well)

3) Only Update - to enable only those users which are NOT disabled (this configuration might also be used to keep the account information fresh in Hornbill; you might have this set up - but without setting up the Account Status to update) - this would require modifying the search to exclude disabled accounts.

HOWEVER:

IF your main (Create) configurations search ONLY contains Active users (i.e. disabled users are not in that OU or are already filtered out here), THEN you "just" have to set "Status" "Action" to "Both" (in your screenshot you have it as "Only Create".

The "problem" with the above solutions is that when the account status is manually changed WITHIN Hornbill, the status will be overridden next time the import utility runs.

[Dave Woodhead]

Thanks @SamS, I'll run this my by AD team. We've received concerns from Hornbill's platforms team previously about the amount of time our LDAP processes are taking, so before introducing additional steps I will investigate whether we can apply filters and only include recently created/changes accounts in our LDAP feed.

Dave