Sync Deletion of managed users


This topic has 4 replies, 3 voices, and was last updated 1 year, 4 months ago by jacandedo.



    We have an ldap connector configured and a managed user – ldap mapping (not bidirectional).
    When we create a user, his account is created in ldap. Updates are also synchronized correctly.
    But when we delete the managed user, the ldap account is not deleted!
    We tried a reconciliation and still same result.

    How can we delete the ldap account when the managed user is deleted?

    Complete flow:
    1) Create 2 users (managed user). 2 accounts created in ldap.
    2) managed user – ldap mapping trigger reconciliation. Result: Confirmed: 2
    3) Delete one of the users in the Admin UI -> 1 user in IDM, still 2 ldap accounts.
    4) Trigger the user – ldap mapping reconciliation. Result: Confirmed: 1

    Any idea?


    • This topic was modified 1 year, 4 months ago by jacandedo.
     Bill Nelson

    The operation applied to the target system is based on the action that you specify for any given situation.

    For instance, when you add a new managed/user object in IDM (and there is not a corresponding object in LDAP), then that is a situation of “ABSENT” and you need to decide what action you want to take for that situation. The default action for this situation is to “CREATE” the user on the target system. A creation event not only creates the object on the target, but it also creates a link between the managed/user object and the system/ldap/account object.

    If you update the user you just created, then your situation is “CONFIRMED”. This means that you have a managed/user object, it correlates to a system/ldap/account object, and there is a link between the two. The default behavior for this situation is to “UPDATE” the system object.

    You should familiarize yourself with each IDM situation so you can make the appropriate choice on what action to take. The two that I mention above are only two of many situations that you need to account for. ForgeRock has been nice enough to create what they call default actions for all situations (you can see this in the behaviors tab in the mapping) and I suspect that you may be using the defaults. But FR doesn’t include an action for a situation of “MISSING” – which is what happens to the managed object when you delete it. Essentially, you “had” a managed/user object (but it is now gone), but you still have a link in the links table that points to a system object for which there is now no source object – essentially, the source has gone MISSING.

    ForgeRock doesn’t create a default for this situation because every customer deals with deletions differently. So you would need to decide how you want to deal with it. If you want to “DELETE” it, then just change the default to “delete” in the behaviors tab for that mapping. Others may want to simply “DISABLE” the account for 90 days before deleting it – in which case you would tell it to update the flag that says how to DISABLE it and then set a task for a future time.

    Hope this helps.



    I’ve accomplished this with a behaviors / absent script. So in your case you would set up a sync from ldap to IDM and then in the behaviors / absent script issue a delete on the ldap object.

    // source is the ldap account in an ldap -> IDM mapping, so source._id is the account to remove
    openidm.delete('system/LDAP/account/' + source._id, null)
    you could also perform the same type of thing in the onDelete script for the managed object.

    Depending on your IDM user data, what I prefer to do is delete the ldap object before the managed user record, i.e. when the user is termed, etc. I create a script in the behaviors / confirmed script to set the action based on logic, i.e. if the user is termed, set the action to delete, else update.
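    The mechanism Bill describes (one action per situation, with no default for the situation where the source has gone missing) and the script-driven confirmed action in the reply above, as an added example that is not from this thread or from ForgeRock's own code: a small JavaScript model of how a mapping's policies array (the Behaviors tab) resolves situations into actions, run over the original poster's four-step flow. IDM policy scripts are JavaScript and return the action name as a string; the situation and action names are IDM's, while the `accountStatus` field with the value "terminated", and the in-memory stand-ins for managed users, LDAP accounts and the links table, are assumptions (IDM's real reconciliation also does correlation and a target-phase pass, which is left out here).

```javascript
// Added example: a toy model of IDM situation -> action resolution.
// Situation/action names are IDM's; everything else is a constructed stand-in.

// Policy script for CONFIRMED, written the way an IDM policy script is:
// `source` is the managed user, and the return value is the action name.
// The `accountStatus` field and the "terminated" value are assumptions.
function confirmedAction(source) {
  if (source && source.accountStatus === "terminated") {
    return "DELETE"; // tear down the target account before the managed user goes away
  }
  return "UPDATE";
}

// Mapping fragment as it would sit under "policies" in sync.json.
// IDM's defaults leave SOURCE_MISSING without an action, so the last entry
// is the one the original poster had to add for the ldap account to be removed.
const policies = [
  { situation: "ABSENT", action: "CREATE" },
  { situation: "CONFIRMED", action: confirmedAction }, // script-backed action
  { situation: "SOURCE_MISSING", action: "DELETE" },
];

// Look up the action for a situation: a string is used as-is, a function is
// treated like an inline script. No policy for the situation -> null, i.e.
// nothing happens on the target, which is what the poster observed.
function resolveAction(policies, situation, source) {
  const policy = policies.find((p) => p.situation === situation);
  if (!policy) return null;
  return typeof policy.action === "function" ? policy.action(source) : policy.action;
}

// One reconciliation pass over constructed managed users, LDAP accounts and
// links. Pass 1 evaluates every source object; pass 2 evaluates links whose
// source object no longer exists (SOURCE_MISSING).
function reconcile(policies, managed, ldap, links) {
  const actions = [];
  for (const [id, user] of Object.entries(managed)) {
    const targetId = links[id];
    const situation = targetId && ldap[targetId] ? "CONFIRMED" : "ABSENT";
    const action = resolveAction(policies, situation, user);
    actions.push({ id, situation, action });
    if (action === "CREATE") {
      ldap[id] = { uid: id }; // create the target account and link it
      links[id] = id;
    } else if (action === "DELETE") {
      delete ldap[targetId];
      delete links[id];
    }
  }
  for (const [id, targetId] of Object.entries(links)) {
    if (managed[id]) continue; // source still present, handled in pass 1
    const action = resolveAction(policies, "SOURCE_MISSING", null);
    actions.push({ id, situation: "SOURCE_MISSING", action });
    if (action === "DELETE") {
      delete ldap[targetId];
      delete links[id];
    }
  }
  return actions;
}

// The poster's flow: create two users, recon, delete one in the UI, recon.
// Returns how many LDAP accounts are left afterwards.
function runFlow(policies) {
  const managed = { u1: { accountStatus: "active" }, u2: { accountStatus: "active" } };
  const ldap = {};
  const links = {};
  reconcile(policies, managed, ldap, links); // two ABSENT -> CREATE
  delete managed.u2;                         // delete in the Admin UI
  reconcile(policies, managed, ldap, links); // u1 CONFIRMED, u2 SOURCE_MISSING
  return Object.keys(ldap).length;
}

// Without the SOURCE_MISSING entry the second recon reports only the one
// CONFIRMED user and both LDAP accounts survive; with it, one is deleted.
const withoutMissingPolicy = policies.filter((p) => p.situation !== "SOURCE_MISSING");
console.log("default behaviors:", runFlow(withoutMissingPolicy), "ldap accounts remain");
console.log("with SOURCE_MISSING -> DELETE:", runFlow(policies), "ldap account remains");
```

    The same `resolveAction` lookup is what makes the confirmed-script approach work: flag the user first, let the CONFIRMED pass return DELETE for that user while the managed object and its link still exist, and only then remove the managed user.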


    I’m going to test both solutions. Some thoughts before.

    In the synchronization results there should appear a “missing” result after deleting the managed user and executing the recon so that I can launch a script, but only the confirmed ones appear.

    The bidirectional solution sounds good and makes sense for ldap, but we have other systems for which we don’t want bidirectional sync.
    I was trying to avoid coding a script in the managed user (onDelete action) because for every mapping I’ll have to review and maybe make some changes to this script.

    • This reply was modified 1 year, 4 months ago by jacandedo.

    Just made it work! It was my fault. As Bill said, I was missing the SOURCE_MISSING – DELETE action on the behaviors tab. I was always making this change after I deleted the user and then ran the reconciliation. That’s why IDM didn’t delete the ldap account (the managed user was already deleted and we made the changes after the deletion).

    Thank you all!
