November 22, 2018 at 4:02 pm #23945 jm89 (Participant)
I have a mapping set up between the managed user (source) object and an OpenDJ LDAP account (target).
By default, if I delete a managed user the LDAP account still exists; the mapping doesn’t take care of deleting the linked LDAP account.
I need the LDAP account to be deleted. I’m thinking of either doing this in the post-delete action of the managed user or setting the UNASSIGNED behaviour of the mapping to delete unlinked target objects.
Which do you think would be the better option? Or is there another, better way of handling this scenario?

November 22, 2018 at 5:50 pm #23946 [email protected] (Participant)
IMHO IDM is lacking regarding retries (might have improved with 6.x). So if you try to delete in postDelete, your LDAP server might be unavailable and the deletion in LDAP might fail. But even if you had a hundred retries, eventually a deletion would fail, resulting in orphaned entries in LDAP.
Therefore, I would prefer to handle this issue in the mappings, which usually should trigger immediately via livesync but will definitely get the job done later using reconciliation.
I’m not sure if UNASSIGNED will trigger; SOURCE_MISSING seems to be more likely, depending on your setup.
It is easy if you can identify LDAP entries that are managed by IDM, e.g. “all entries in LDAP are managed by IDM”. Be very careful if you have an LDAP server where entries might be managed by others, e.g. “LDAP is used to connect to Active Directory and some entry ‘Domain administrator’ is unassigned…”.

November 23, 2018 at 4:27 pm #23966 ssripathy1 (Participant)
As stated above, your solution should be the DELETE action on a SOURCE_MISSING situation, which happens when the target recon is done as part of the 2nd phase of the reconciliation process.
UNASSIGNED would be if a target object is found during recon and no link exists; for that, no DELETE is possible.
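A sync.json mapping that applies the advice in this thread, as an added example rather than configuration from any of the posters: SOURCE_MISSING deletes the orphaned LDAP entry, UNASSIGNED raises an exception instead of deleting, and validTarget keeps LDAP entries IDM did not create out of the target phase. The mapping name, the system/ldap/account connector path, the attribute names and the employeeType marker value are assumptions.

```json
{
  "mappings": [
    {
      "name": "managedUser_systemLdapAccounts",
      "source": "managed/user",
      "target": "system/ldap/account",
      "validTarget": {
        "type": "text/javascript",
        "source": "/* assumed marker: only entries IDM provisioned carry employeeType=idm-managed; any other LDAP entry is ignored by the target phase */ target.employeeType === 'idm-managed'"
      },
      "properties": [
        { "source": "userName", "target": "uid" },
        { "source": "sn", "target": "sn" },
        { "source": "givenName", "target": "cn" },
        { "source": "mail", "target": "mail" },
        { "target": "employeeType", "default": "idm-managed" }
      ],
      "policies": [
        { "situation": "CONFIRMED", "action": "UPDATE" },
        { "situation": "FOUND", "action": "LINK" },
        { "situation": "ABSENT", "action": "CREATE" },
        { "situation": "MISSING", "action": "CREATE" },
        { "situation": "SOURCE_MISSING", "action": "DELETE" },
        { "situation": "UNASSIGNED", "action": "EXCEPTION" },
        { "situation": "AMBIGUOUS", "action": "EXCEPTION" }
      ]
    }
  ]
}
```

Entries that fail validTarget never reach SOURCE_MISSING or UNASSIGNED, so the DELETE can only touch entries carrying the marker; it also only fires during reconciliation's target phase, so a recon run that skips that phase will not clean up orphans.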