It's all about the answers!

Ask a question

LDAP sync about user who is removed from Active Directory


Yohko Tanaka (10522635) | asked Jan 06 '14, 7:06 p.m.
I configured CLM 4.0.3 on WAS 8.5 with Active Directory.
When synchronizing AD with JTS, I found that users who were deleted from AD still remains in JTS user directory.
I read the infocenter and expected that Error record was created, but it didn't.

Synchronizing LDAP with Jazz Team Server repository user information
http://pic.dhe.ibm.com/infocenter/clmhelp/v4r0m3/topic/com.ibm.jazz.repository.web.admin.doc/topics/cldapsynctask.html

Is this behaviour expected? ( I understand so, by reading the article below, but want to make sure just in case.)
https://jazz.net/forum/questions/7546/updates-to-ldap-jazzadmins-group-not-getting-populated

Is there any way to sync "deleted users"? (If deleted from AD, the users deleted from JTS as well)
If it's impossible, is there any way to know the users who were removed from AD but still remains JTS?

Comments
sam detweiler commented Jan 06 '14, 9:25 p.m. | edited Jan 06 '14, 9:25 p.m.

You should not remove the user from jts, as their id is in all kinds of data. The user should be archived. 

One answer



permanent link
Ralph Schoon (59.0k23642) | answered Jan 07 '14, 5:46 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
As far as I can tell, deletion of users is not supported. As Sam points out, you are supposed to archive users that should no longer be used.

Please see the answer on https://jazz.net/forum/questions/137633/deleting-users-non-ldap-tomcat-in-rtc-4x for details.


Comments
Yohko Tanaka commented Jan 08 '14, 8:59 p.m.

Thank you Sam, Ralph.

I understand that I should archive users.
It would be great if you could tell me one more.

Is there any way to know users who aren't in LDAP any more?
I expected that LDAP sync results create "error record" about those users, but it didn't.


Thank you in advance.


Ralph Schoon commented Jan 09 '14, 3:46 a.m. | edited Jan 09 '14, 3:47 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

JTS or RTC don't "know" about what is in LDAP and what is not, as far as I can tell. The user entry is just managed in the database. If LDAP is configured, RTC delegates authentication to LDAP through the application server.

I don't think RTC does anything about  users that are not found in LDAP. In cases where you use mixed local and LDAP authentication, this would also not be an indicator that the user needs to be archived.

You could probably use LDAP tools to report the users in the relevant repository groups in LDAP.
You could export the Jazz users using the repotools  -exportUsers command and then go through both lists and compare them. I am not sure if -importUsers could be used to archive users no longer in LDAP. You could experiment with it.

If not, you could use an approach similar to described in https://rsjazz.wordpress.com/2012/10/12/changing-the-jazz-user-id-using-the-rtc-plain-java-client-libraries/ to automatically archive the user.


Yohko Tanaka commented Jan 09 '14, 11:43 p.m.

Thank you!
I'll try some way you introduced.

Your answer


Register or to post your answer.