Best way to handle deleted user reconciliation with ldap account

This topic has 2 replies, 3 voices, and was last updated 2 years, 3 months ago by ssripathy1.

#23945 jm89 (Participant)

    I have a mapping set up between the managed user (source) object and an OpenDJ LDAP account (target).

    By default, if I delete a managed user the LDAP account still exists; the mapping doesn’t take care of deleting the linked LDAP account.

    I need the ldap account to be deleted. I’m thinking of either doing this in the post delete action of the managed user or setting the UNASSIGNED behaviour of the mapping to delete unlinked target objects.

    Which do you think would be the better option? Or is there another better way of handling this scenario?

    #23946

    IMHO IDM is lacking regarding retries (might have improved with 6.x). So if you try to delete in postDelete, your LDAP-server might be unavailable and deletion in LDAP might fail. But even if you had a hundred retries, eventually deletion would fail, resulting in orphaned entries in LDAP.

    Therefore, I would prefer to handle this issue in the mappings, which usually should trigger immediately via livesync but will definitely get the job done later using reconciliation.

    I’m not sure if UNASSIGNED will trigger, SOURCE_MISSING seems to be more likely, depending on your setup.

    It is easy if you can identify LDAP entries that are managed by IDM, e.g. “all entries in LDAP are managed by IDM”. Be very careful if you have an LDAP server where entries might be managed by others, e.g. “LDAP is used to connect to Active Directory and some entry ‘Domain administrator’ is unassigned…”.

    #23966 ssripathy1 (Participant)

    As stated above, your solution should be a DELETE action on a SOURCE_MISSING situation, which happens when target recon is done as part of the 2nd phase within the reconciliation process.

    UNASSIGNED would be if a target object is found during recon and no link exists, and for that no DELETE is possible.
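    The following is an added example of a sync.json mapping fragment showing the SOURCE_MISSING / DELETE policy discussed in this thread; it is not from the original posts. The mapping name, the `ou=idm-managed` container and the `dn` attribute name are assumptions: the `validTarget` script scopes reconciliation to LDAP entries under that container so that entries managed by others (the Active Directory caveat above) are never considered for deletion.

```json
{
  "mappings": [
    {
      "name": "managedUser_systemLdapAccount",
      "source": "managed/user",
      "target": "system/ldap/account",
      "validTarget": {
        "type": "text/javascript",
        "source": "target.dn !== undefined && target.dn.toLowerCase().indexOf(',ou=idm-managed,') !== -1"
      },
      "policies": [
        { "situation": "ABSENT", "action": "CREATE" },
        { "situation": "FOUND", "action": "LINK" },
        { "situation": "CONFIRMED", "action": "UPDATE" },
        { "situation": "SOURCE_MISSING", "action": "DELETE" },
        { "situation": "UNASSIGNED", "action": "EXCEPTION" },
        { "situation": "MISSING", "action": "EXCEPTION" }
      ]
    }
  ]
}
```

    Setting UNASSIGNED to EXCEPTION (rather than DELETE) makes unlinked target entries show up in the recon report for review instead of being silently removed, which is the safer default when you are not certain every entry in the target is IDM-managed.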

