Jazz Forum

LDAP sync about user who is removed from Active Directory

I configured CLM 4.0.3 on WAS 8.5 with Active Directory.
When synchronizing AD with JTS, I found that users who were deleted from AD still remain in the JTS user directory.
I read the infocenter and expected that an error record would be created, but it wasn't.

Synchronizing LDAP with Jazz Team Server repository user information
http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0m3/topic/com.ibm.jazz.repository.web.admin.doc/topics/cldapsynctask.html

Is this behaviour expected? (I understand so, by reading the article below, but want to make sure just in case.)
https://jazz.net/forum/questions/7546/updates-to-ldap-jazzadmins-group-not-getting-populated

Is there any way to sync "deleted users"? (If users are deleted from AD, they are deleted from JTS as well.)
If it's impossible, is there any way to know which users were removed from AD but still remain in JTS?

0 votes

Comments

You should not remove the user from JTS, as their ID is in all kinds of data. The user should be archived.



One answer

As far as I can tell, deletion of users is not supported. As Sam points out, you are supposed to archive users that should no longer be used.

Please see the answer on https://jazz.net/forum/questions/137633/deleting-users-non-ldap-tomcat-in-rtc-4x for details.

1 vote

Comments

Thank you Sam, Ralph.

I understand that I should archive users.
It would be great if you could tell me one more thing.

Is there any way to know which users aren't in LDAP any more?
I expected that the LDAP sync results would create an "error record" about those users, but they didn't.


Thank you in advance.

JTS or RTC don't "know" about what is in LDAP and what is not, as far as I can tell. The user entry is just managed in the database. If LDAP is configured, RTC delegates authentication to LDAP through the application server.

I don't think RTC does anything about users that are not found in LDAP. In cases where you use mixed local and LDAP authentication, this would also not be an indicator that the user needs to be archived.

You could probably use LDAP tools to report the users in the relevant repository groups in LDAP.
You could export the Jazz users using the repotools -exportUsers command and then go through both lists and compare them. I am not sure if -importUsers could be used to archive users no longer in LDAP. You could experiment with it.

If not, you could use an approach similar to the one described in https://rsjazz.wordpress.com/2012/10/12/changing-the-jazz-user-id-using-the-rtc-plain-java-client-libraries/ to automatically archive the user.
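As an added example (not from the post, and not IBM's or the repotools' own code), one way to script the comparison Ralph describes: parse the LDIF that ldapsearch prints for the Jazz group's members and diff it against the user IDs taken from a repotools -exportUsers file, while excluding locally authenticated accounts so mixed-authentication setups don't flag them. The LDIF content, the user IDs, the sAMAccountName-to-user-ID mapping and the simplified export format are all constructed assumptions; check your own LDAP configuration and export columns.

```python
import re

# Constructed LDIF, as `ldapsearch -LLL ... sAMAccountName` would print it for the
# members of the Jazz users group (hypothetical names; not from the forum post).
LDAP_LDIF = """\
dn: CN=Alice Smith,OU=Users,DC=example,DC=com
sAMAccountName: asmith

dn: CN=Bob Jones,OU=Users,DC=example,DC=com
sAMAccountName: bjones

dn: CN=Folded Entry,OU=Users,DC=example,DC=com
sAMAccountName: cl
 ong
"""
# Constructed Jazz user IDs, e.g. the userId column of a `repotools -exportUsers`
# file (format assumed here; confirm the columns of your own export).
JAZZ_USER_IDS = ["asmith", "BJones", "clong", "dgone", "ADMIN", "build"]
# Accounts authenticated locally rather than via LDAP: expected to be absent from
# LDAP, so they must not be reported (the mixed-authentication caveat above).
LOCAL_ACCOUNTS = {"ADMIN", "build"}


def ldif_attribute_values(ldif_text, attribute):
    """Return the lowercase values of `attribute` from LDIF, unfolding wrapped lines."""
    # LDIF folds long values onto continuation lines that start with one space.
    unfolded = re.sub(r"\n ", "", ldif_text)
    values = set()
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != attribute.lower():
            continue
        if value.startswith(":"):
            continue  # "::" marks a base64 value; not expected for sAMAccountName
        values.add(value.strip().lower())
    return values


def stale_jazz_users(jazz_ids, ldap_ids, local_accounts=frozenset()):
    """Jazz IDs that are neither in LDAP nor known local accounts (case-insensitive)."""
    local = {u.lower() for u in local_accounts}
    return sorted(u for u in jazz_ids if u.lower() not in ldap_ids and u.lower() not in local)


def report():
    """Candidates to review for archiving: in Jazz, not in LDAP, not local."""
    ldap_ids = ldif_attribute_values(LDAP_LDIF, "sAMAccountName")
    return stale_jazz_users(JAZZ_USER_IDS, ldap_ids, LOCAL_ACCOUNTS)


if __name__ == "__main__":
    print("review for archiving:", report())
```

The output is a review list, not an archive action: a user missing from the group may have been moved rather than deleted, so confirm before archiving.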

Thank you!
I'll try some of the ways you introduced.


Question asked: Jan 06 '14, 7:06 p.m.

Question was seen: 6,358 times

Last updated: Jan 09 '14, 11:43 p.m.
