Is there a way to auto-archive a user when he/she is detected no longer on LDAP by the sync?

long TRUONG (3654121147) | asked Jan 22 '15, 2:02 a.m.
As user separation is handled via removal of credentials from LDAP, is it possible to trigger an auto-archive of a user when the LDAP sync fails to find this user's existence on LDAP?

Jeff Care (1.0k3833) | answered Jan 22 '15, 8:53 a.m.
I'm not aware of anything automatic. I ended up writing a custom program against the API that reconciles project members against our corporate LDAP & then archives them if no LDAP record can be found.
long TRUONG selected this answer as the correct answer

long TRUONG commented Jan 22 '15, 4:20 p.m.

Thx Jeff.

Wonder if it is possible, and your custom program generic enough, for you to share it with the community.

Should this be an enhancement request?

Jeff Care commented Jan 22 '15, 6:35 p.m.

Unfortunately I can't share it publicly but if you are an IBM employee send me an internal note.

SEC Servizi commented Jan 23 '15, 5:15 a.m.
"if no LDAP record can be found"

Which APIs are you using to achieve that? Could you post some more info?

Thanks in advance.

Kevin Ramer commented Jan 23 '15, 5:04 p.m.

My experience is probably the same as Jeff's; I'll lay out the process.
1) use repotools -exportUsers to send all users to a file
2) using some scripting process, scan the file, ignoring those IDs already archived (line ends with ,1 I think)
3) use an LDAP query (most *nix have ldapsearch) with appropriate target and filters to verify each ID exists; if not,
4) repotools -archiveUser for each one not found in the LDAP.
Perl works very well for #2 and one can leverage Net::LDAP to good effect for #3.
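
Kevin's four steps as a runnable script (my added example, not code from the thread, from Jeff's program or from IBM): it parses the export, skips already-archived IDs, checks LDAP through an injected lookup, and builds the archive commands. Assumed, not stated in the thread: the export is comma-separated with the user ID first and the archived flag last, the ldapsearch host/base are placeholders, and repotools -archiveUser takes userId=<id>.

```python
"""Reconcile a repotools -exportUsers file against LDAP and produce the
repotools -archiveUser commands for IDs that LDAP no longer knows.
Assumptions (mine, not from the thread): export lines are comma separated,
user ID is the first field, last field is 1 when already archived, and
repotools takes the user as userId=<id>.
"""
import csv
import shlex
import subprocess
from typing import Callable, List

# Constructed sample export (not real data): uid first, archived flag last.
SAMPLE_EXPORT = """\
alice,Alice Example,alice@example.com,0
bob,Bob Example,bob@example.com,1
carol,Carol Example,carol@example.com,0
"""

def ldap_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so a uid cannot alter the query."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def parse_export(text: str):
    """Yield (user_id, archived) for each non-empty export line."""
    for row in csv.reader(text.splitlines()):
        if row and row[0].strip():
            yield row[0].strip(), row[-1].strip() == "1"

def ldap_user_exists(user_id: str) -> bool:
    """Ask ldapsearch whether an entry with this uid exists (placeholder host/base)."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", "ldap://LDAP_HOST_PLACEHOLDER",
           "-b", "ou=people,dc=example,dc=com", f"(uid={ldap_escape(user_id)})", "dn"]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return "dn:" in result.stdout

def stale_users(export_text: str, exists: Callable[[str], bool]) -> List[str]:
    """IDs that are not yet archived and for which `exists` reports no LDAP entry."""
    return [uid for uid, archived in parse_export(export_text)
            if not archived and not exists(uid)]

def archive_commands(user_ids: List[str]) -> List[str]:
    """One repotools -archiveUser command per stale ID, quoted for a shell."""
    return [f"repotools -archiveUser userId={shlex.quote(uid)}" for uid in user_ids]

if __name__ == "__main__":
    # Offline demo: pretend LDAP still knows only alice and bob; in production
    # pass ldap_user_exists instead of the set lookup.
    directory = {"alice", "bob"}
    for line in archive_commands(stale_users(SAMPLE_EXPORT, directory.__contains__)):
        print(line)  # only carol: bob is skipped because it is already archived
```

Review the printed commands before running them; a misconfigured LDAP base or a search outage would otherwise report every user as missing and archive them all.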

long TRUONG commented Jan 24 '15, 7:11 p.m.

Wonder if there is a way to capture LDAP sync nightly failures for the list to be archived.

Ralph Schoon (63.3k33646) | answered Jan 22 '15, 2:32 a.m.
There is nothing built in. I am not aware of an extension point for that either. It would be better to have some automation when retiring the user from LDAP. See for an easy way to get to that API with Java.

long TRUONG commented Jan 22 '15, 2:42 a.m.

Thx for the quick answer Ralph.