This is more of a question to confirm how users and resolvers function when a user may be transient within a resolver.
For example, we would like to ensure that an ActiveDirectory/LDAP account that is disabled will not be able to login via tokens. I have added the search `(!(UserAccountControl:1.2.840.113556.1.4.803:=2))` to ignore disabled accounts.
- User is assigned tokens
- User account in AD is disabled
  a. While user is disabled, two-factor authentications fail
- User account is re-enabled
  a. Two-factor authentications begin working again
Since this is working as I want it to, I wanted to confirm this is expected behavior and will not change in the future. If a user is temporarily removed from a resolver, do the tokens stay in their existing state or is there a background janitorial job that will delete them at some point?
Hopefully this isn’t too confusing.
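As an added illustration (not code from the post or from any product), the following evaluates the AD filter quoted above against constructed directory entries and walks through the disable/re-enable sequence described; the resolver, token store and entry layout are simplified assumptions used only to show how the bit-AND filter decides whether a user is visible.

```python
# Added example: offline check of the (!(userAccountControl:<bit-AND OID>:=2)) filter.
# OID 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule; bit 0x2 of
# userAccountControl is ACCOUNTDISABLE. Entries, resolver and token store are
# constructed stand-ins, not a real LDAP server or 2FA backend.
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"
DISABLED_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
FILTER_RE = re.compile(r"^\(!\((\w+):([\d.]+):=(\d+)\)\)$")

def parse_not_bitand_filter(flt):
    """Parse a filter shaped like (!(attr:OID:=mask)) into (attr, mask)."""
    m = FILTER_RE.match(flt)
    if not m or m.group(2) != BIT_AND_RULE:
        raise ValueError("unsupported filter: %s" % flt)
    return m.group(1), int(m.group(3))

def entry_matches(entry, flt):
    """True when no bit of the mask is set, i.e. the account is not disabled."""
    attr, mask = parse_not_bitand_filter(flt)
    # LDAP attribute names are case-insensitive, so compare them that way.
    raw = next((v for k, v in entry.items() if k.lower() == attr.lower()), "0")
    return (int(raw) & mask) == 0

def resolve_user(entries, username, flt):
    """Simplified resolver lookup: the user exists only if the filter admits it."""
    for e in entries:
        if e["sAMAccountName"] == username and entry_matches(e, flt):
            return e
    return None

def token_auth_possible(entries, username, flt, tokens):
    """Token auth needs both a resolvable user and an assigned token."""
    return resolve_user(entries, username, flt) is not None and username in tokens

def simulate_disable_cycle():
    """Replay the post's sequence; tokens are never touched, only the AD flag."""
    # Constructed entry: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
    alice = {"sAMAccountName": "alice", "userAccountControl": "512"}
    entries, tokens = [alice], {"alice": ["hotp-serial-0001"]}
    results = [token_auth_possible(entries, "alice", DISABLED_FILTER, tokens)]
    alice["userAccountControl"] = "514"   # account disabled in AD
    results.append(token_auth_possible(entries, "alice", DISABLED_FILTER, tokens))
    alice["userAccountControl"] = "512"   # account re-enabled
    results.append(token_auth_possible(entries, "alice", DISABLED_FILTER, tokens))
    return results  # expected: [True, False, True]
```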