PAB Deprovisioning.
Is there a utility to delete orphaned PABs? Something similar to what is done for user mailboxes?
> Jay,
> Okay. This '/sunone/SUNWmsgsr/lib/purge' utility is supposed to be used for all user deprovisioning then?
> Recommended method something along these lines:
> 1. Set mailUserStatus to "deleted" for user.
yes
> 2. Run mboxutil to get orphaned mailboxes to delete.
not needed. purge should do that, too.
> 3. Remove actual LDAP entry from directory if necessary.
> Will it remove subscriptions for shared folders too?
> Example:
> Purging user 'a'.
> User 'b' has a subscription to a folder shared by user 'a.' When user 'a' is purged will the subscription user 'b' has be removed or will it just not work?
I suspect it will just not work. The subscription actually lives in user b's settings, so it's not likely to be changed. Same as removing the mailbox with mboxutil.
> In the configutil setting for local.schedule.purge what's the "-num=5" used for?
http://docs.sun.com/source/819-0106/cfgutil.html
Interval for running purge. Uses UNIX crontab format:
minute hour day-of-month month-of-year day-of-week. See local.schedule.expire above.
Default: 0 0,4,8,12,16,20 * * * /opt/SUNWmsgsr/lib/purge -num=5
and the referral to "above":
Interval for running imexpire. Uses UNIX crontab format:
minute hour day-of-month month-of-year day-of-week
The values are separated by a space or tab and can be 0-59, 0-23, 1-31, 1-12 or 0-6 (with 0=Sunday) respectively. Each time field can be either an asterisk (meaning all legal values), a list of comma-separated values, or a range of two values separated by a hyphen. Note that days can be specified by both day of the month and day of the week. Both will be required if specified. Example, setting the 17th day of the month and Tuesday will require both values to be true.
Interval Examples:
1) Run imexpire at 12:30am, 8:30am, and 4:30pm:
30 0,8,16 * * *
2) Run imexpire at weekday morning at 3:15 am:
15 3 * * 1-5
3) Run imexpire only on Mondays:
0 0 * * 1
Default: 0 23 * * * /sbin/imexpire
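An added example, not part of the original thread or of Messaging Server: a small Python matcher for the schedule format quoted above, useful for checking when a `local.schedule.purge` or `local.schedule.expire` value will actually fire. It follows the quoted text in requiring day-of-month and day-of-week to both match when both are restricted; the function names are illustrative, and it goes slightly beyond the quoted syntax by accepting ranges inside a comma-separated list.

```python
from datetime import datetime

# Field order and legal ranges as given in the quoted configutil reference.
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day_of_month", 1, 31),
          ("month", 1, 12), ("day_of_week", 0, 6))  # 0 = Sunday


def parse_field(text, low, high):
    """Expand '*', 'a,b,c' or 'a-b' into the set of values it allows."""
    if text == "*":
        return set(range(low, high + 1))
    values = set()
    for item in text.split(","):
        first, _, last = item.partition("-")
        start, end = int(first), int(last or first)
        if not low <= start <= end <= high:
            raise ValueError(f"{item!r} is outside {low}-{high}")
        values.update(range(start, end + 1))
    return values


def parse_schedule(value):
    """Split a local.schedule.* value into its time fields and its command."""
    parts = value.split(None, 5)
    if len(parts) < 5:
        raise ValueError("expected five time fields")
    fields = {name: parse_field(text, low, high)
              for (name, low, high), text in zip(FIELDS, parts)}
    command = parts[5] if len(parts) > 5 else ""
    return fields, command


def runs_at(value, when):
    """True if the schedule fires at `when`. Every field must match,
    so day-of-month AND day-of-week both apply when both are restricted."""
    fields, _ = parse_schedule(value)
    actual = {"minute": when.minute, "hour": when.hour,
              "day_of_month": when.day, "month": when.month,
              "day_of_week": (when.weekday() + 1) % 7}  # Python: Monday = 0
    return all(actual[name] in allowed for name, allowed in fields.items())


if __name__ == "__main__":
    # Default purge schedule quoted in the thread.
    purge = "0 0,4,8,12,16,20 * * * /opt/SUNWmsgsr/lib/purge -num=5"
    fields, command = parse_schedule(purge)
    print("command:", command)
    print("hours:", sorted(fields["hour"]))
    # Constructed case: "the 17th day of the month and Tuesday".
    both = "0 0 17 * 2"
    for day in (datetime(2024, 9, 17), datetime(2024, 9, 24),
                datetime(2024, 10, 17)):
        print(day.date(), runs_at(both, day))
```

Standard UNIX cron fires when either day field matches, so a schedule copied from a system crontab can run far less often here than expected.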
IDM 8.1 deprovisioning of domino user throwing error
Hi,
I am using Sun IDM 8.1. I configured Lotus Domino as a resource. I am able to do the following successfully.
1) Creation of a user
2) Modification
3) Change password
I am facing a problem in deprovisioning or deleting a user from the resource.
Error Message.
Entry <username> is not registered and does not belong to an organization
Unregistered accounts cannot belong to groups. The request to remove this user to group(s) was not performed
I have checked the permissions of the id used in the resource. It has all the privileges for managing a user, i.e. create, modify and delete.
Please help.
Thanks in advance.
Hi,
According to the Resource Reference documentation the Domino adaptor does not support deletion of a user.
According to the documentation "When deprovisioning or disabling, you must send a list of DenyGroups that the user will be
added to. When enabling, you must send a list of DenyGroups that the user will be removed
from."
There are code examples.
Automatic Deprovisioning of AD resource Accounts from CSV file attribute
My scenario is somewhat like this,
I have a CSV flatfile Active Sync which contains the following columns:
accountId,firstname,lastname,department,location,region
ausmani,Arsalan,Bhagwan,Uphone,Milpitas,US
aahmed,Aftab,Singh,Telenor,Cairo,EMEA
hkhan,Hello,Khan,Lahore,Dublin,EMEA
I have created a role and have assigned AD resource to it. I have hardcoded this role in the waveset.roles field name in my creation form.
When I start FlatFileActiveSync, these above mentioned 3 accounts are created in IDM and they are also assigned the AD role, and hence they are automatically provisioned to AD, due to the fact that I am assigning the resource on a role basis.
I am using Update User workflow in my poll-workflow configuration in my Flatfile synchronization policy.
Currently I am able to automatically provision a account from CSV file towards IDM and towards AD. All this process is automatic.
My problem is: how can I automatically disable and deprovision accounts via a CSV? What should I include in the CSV so that IDM will know that this account has to be disabled and deprovisioned from the resource? Moreover, which workflow do I have to use?
Thanks,
Farhan.
Even I am stuck at the same place. Please let me know if you find out.
Thank you in advance
Prabhu
User status doesn't change in WebAdmin console even after deprovisioning..
When a user's organization is changed from one to another, he is automatically deprovisioned at once from the target resource (if already provisioned).
But when you check the status of that user in the WebAdmin console it shows as Provisioned to that resource. Even manually disabling and revoking the access doesn't work. Nor can the user be provisioned to that target resource again, as when you go to the resource profile of that user, there is no resource (that specific target resource to which he was provisioned earlier) present.
Can anybody give a solution to the above problem?
Thanks in Advance ..
Abhishek
Adding users to PAB group with same last name as existing
Cannot add user to PAB group when user has same last name as an existing Group member.
Seems to work, see number tick up and green bar flash, but, never really adds.
Joea,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://forums.novell.com/
Hello,
To delete a user's PAB, it can be done using the Admin Console.
To delete 50,000 users' PABs, I think it is inefficient to use Admin Console. Is there any available command line to do it?
The servers we're using are:
NDS 4.12
IMS 5.0 P2
Thanks!
If you script it you certainly can delete the pab from 50000 user entries rather quickly.
Write a perl script or a shell script which loops through all of the userids and removes the paburi attribute. That is the reason I gave you the sample ldif file that would be input for the ldapmodify command.
The logic for this script would be:
for each uid in the list of uids
loop
print the dn to file x.ldif
print the changetype and change commands to file x.ldif
print blank line to file x.ldif
end
once that is done call ldapmodify and feed it the x.ldif
file which would now have entries which look like:
dn: uid=foo,ou=People,o=your.domain.com,o=somesuffix
changetype: modify
delete: paburi

dn: uid=bar,ou=People,o=your.domain.com,o=somesuffix
changetype: modify
delete: paburi
HINT: It does not matter how you generate the x.ldif file (use whatever tools you are comfortable with to get to that point then run the ldapmodify command).
As to your second question, the pab database is stored under the o=pab tree. You have to remove that tree from the ldap directory, but you need to delete the paburi attributes first.
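The loop described in the answer above, as an added Python example that is not the poster's script: it writes one `changetype: modify` record per uid (the LDIF form for removing a single attribute and leaving the entry in place), escapes DN special characters in each uid per RFC 4514, and base64-encodes any DN that LDIF cannot carry as plain text per RFC 2849. The base DN is the placeholder from the post, the uid list is constructed, and the function names are illustrative.

```python
import base64

# Characters RFC 4514 requires to be escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape a uid so it cannot change the structure of the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif (ch in _DN_SPECIAL or (i == 0 and ch in " #")
              or (i == last and ch == " ")):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """Emit 'attr: value', or the base64 'attr:: ...' form when the value
    is not an LDIF SAFE-STRING (non-ASCII, CR/LF/NUL, unsafe first char)."""
    safe = (value.isascii()
            and not any(c in value for c in "\x00\r\n")
            and value[:1] not in (" ", ":", "<")
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def paburi_removal_ldif(uids, base_dn):
    """Build the x.ldif content: one modify record per distinct uid."""
    records, seen = [], set()
    for uid in uids:
        uid = uid.strip()
        if not uid or uid in seen:      # skip blanks and duplicates
            continue
        seen.add(uid)
        dn = f"uid={escape_rdn_value(uid)},{base_dn}"
        records.append("\n".join([ldif_line("dn", dn),
                                  "changetype: modify",
                                  "delete: paburi",
                                  "-"]))
    # Records are separated by a blank line, as in the post's pseudocode.
    return "\n\n".join(records) + "\n" if records else ""


if __name__ == "__main__":
    base = "ou=People,o=your.domain.com,o=somesuffix"   # placeholder from the post
    sample_uids = ["foo", "bar", "smith,ou=Admins", "jörg"]  # constructed input
    with open("x.ldif", "w", encoding="ascii") as handle:
        handle.write(paburi_removal_ldif(sample_uids, base))
```

The resulting x.ldif is then fed to ldapmodify as the answer describes; reviewing the file before running it is the point at which a malformed uid list is cheapest to catch.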
How to migrate address book in outlook express to PAB?
How to migrate address book in outlook express to SUN messages server's PAB?
Use any LDAP command?
Thanks!
We provide no supported technique for this.
Complete Newbie - PAB Uniqueness
Hmmm, sorry to post what must seem a very simple question to you guys, but we have Directory Server running with Messaging Server (with little training)! Our problems seem to have arisen when converting Outlook address books to CSV files, then squirting those CSV files into the PAB using a PHP script! Now we seem to have broken the functionality of the address book side of things as we can no longer edit or add addresses via the messenger express front end - I suspect uniqueness problems - where on earth do I start looking? I know that I have some repeated values in an LDIF dump against UN: and DN:, I also know that my uniqueness plug-in is not switched on....
Thanks in anticipation....
About training ~
To anyone who might be interested in instructor led training for Captivate (or any Adobe product), you can find the nearest Adobe Certified training in Adobe's "Partner Finder" located at this link. Rick's comment back in December might lead some to believe that he is the contact for training, and of course that couldn't be further from the truth ... Adobe's "finder" can help find training in any country in the world, or any state in the nation (if you are in the U.S.). And of course, there are dozens of (us) certified trainers, most of them quite possibly more convenient to you than Rick.
To clarify - Rick might be a good enough instructor (I wouldn't know, but I assume he is a very passable teacher) but my point is that he is just one of many qualified Captivate instructors. The above mention of Kevin Siegel brings to mind that Kevin also puts on a good (training) show - in addition to writing an excellent Captivate user's manual. Kevin presents on-line (virtual) training seminars for those who might benefit from learning in a "live" environment while at their own home or office. Check that possibility out at this link to Kevin's registration page.
PAB to Address Book server dynamic migration
I'm using JES3, 2005Q1.
I was able to apply the batch migration from PAB to Address book server as described in the Communications Express 6 2005Q1 Administration Guide. In the same chapter (Chapter 7), the dynamic migration is described. This migration happens only when the user logs in.
In the documentation it is stated that there is an attribute called "mepabmigration". This attribute is essential for dynamic migration. But I couldn't figure out how to get this attribute, as it is not predefined, nor is there a description of it anywhere.
Any idea about this? Especially the mepabmigration attribute.
Regards,
"attribute" implies LDAP.
http://docs.sun.com/app/docs/doc/819-2661/6n4uetjt7?q=mepabmigration&a=view
This attribute is added automatically.... Nothing for you to do, here.
Problem with revoking accounts on deprovisioned Date
Hello,
I am setting the De-provisioning date for a user manually from UI to the current date (tried with yesterday's date too). After I submit, I ran the "Set User Deprovisioned Date" Job. It has updated the user deprovisioned date field, but the user's accounts are still in "Provisioned" status.
Is there any other job that needs to be executed after this to revoke the accounts? Or will the "Set User Deprovisioned Date" Job revoke the account also along with setting the deprovisioned date (which somehow is not happening in my case)?
Thanks
sjit
You haven't mentioned the version but for 11.1.1.5 you can get it here:
http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/scheduler.htm#BABECJFD
Also the jar would be OIMServer.jar or xlScheduler.jar
-Bikash
Where does the PAB get stored? How to access it?
Hi All
Through web access of sunone mail I am able to create the contacts and groups. But my question is where they get stored and how to access them. Can they be accessed through ldap or not? If so what is the uri? Can we see the contacts in netscape console or not? If yes where? Could you post all sorts of information about PAB?
There are several things that can cause problems. Please start with exact version of iMS you're running. Send the output from running
imsimta version
Did your PAB ever work? Has it changed in some way, such as changing the name of the server? Was this an upgrade from an earlier version? Did you attempt to load data manually? Have you customized your webmail interface?
Hi, I have a form calling a subprocess that checks out the user for deprovision and then attempts to gather all the resource accounts for a particular resource.
For some reason when I make the call to get the resource accounts it is returning null. I have used this in other workflows. Any thoughts?
Here is code.
Check out User:
<Activity id='3' name='Checkout deprovision View'>
  <!--<Variable name='view'/> may not be needed as the view is from the active -->
  <Action id='0' name='Checkout deprovision View' application='com.waveset.session.WorkflowServices'>
    <block name='incheckout view' trace='true'>
      <ref>accountId</ref>
      <ref>user</ref>
      <Argument name='op' value='checkoutView'/>
      <Argument name='type' value='Deprovision'/>
      <Argument name='id' value='$(accountId)'/>
      <Argument name='name' value='$(accountId)'/>
      <Return from='view' to='deprovisionView'/>
    </block>
  </Action>
  <Transition to='Set deprovision options PA'>
    <isnull>
      <ref>WF_ACTION_ERROR</ref>
    </isnull>
  </Transition>
  <Transition to='end'/>
  <WorkflowEditor x='205' y='-74'/>
</Activity>
Gather the resource accounts:
<Activity id='4' name='Set deprovision options PA'>
  <Action id='0' name='Get the PA reosurce'>
    <expression>
      <block name='Set Deprovision options PA' trace='true'>
        <set name='resourceAccountPA'>
          <rule name='TPC_GetResourceAccountsOfAResource_Rule'>
            <argument name='resourceAccountsList'>
              <rule name='TRV_Rul_getHashMapKeysUtil'>
                <argument name='hashMapObject' value='$(deprovisionView.escapedNamesMap)'/>
              </rule>
            </argument>
            <argument name='resourceName' value='PA'/>
          </rule>
        </set>
        <set name='totalAccountPA'>
          <length><ref>resourceAccountPA</ref></length>
        </set>
        <set name='ctr'>
          <i>0</i>
        </set>
      </block>
    </expression>
  </Action>
The above returns nothing.
Here is my rule 'TRV_Rul_getHashMapKeysUtil':
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
<Rule id='#ID#Rule:TRV_Rul_getHashMapKeysUtil' name='TRV_Rul_getHashMapKeysUtil' primaryObjectClass='Rule'>
  <RuleArgument name='hashMapObject'/>
  <cond>
    <notnull>
      <ref>hashMapObject</ref>
    </notnull>
    <block>
      <defvar name='keysSet'>
        <invoke name='keySet'>
          <ref>hashMapObject</ref>
        </invoke>
      </defvar>
      <defvar name='keysList'>
        <new class='java.util.ArrayList'>
          <ref>keysSet</ref>
        </new>
      </defvar>
      <ref>keysList</ref>
    </block>
    <block>
      <list>
        <null/>
      </list>
    </block>
  </cond>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
  <Properties>
    <Property name='editorOriginalName' value='TRV_Rul_getHashMapKeysUtil'/>
  </Properties>
</Rule>
Seems like this is not returning anything to the rule: <argument name='hashMapObject' value='$(deprovisionView.escapedNamesMap)'/>
Thanks!
Hi,
Please change the checkout code to:
<Action id='-1' name='Checkout deprovision View' application='com.waveset.session.WorkflowServices'>
  <Argument name='op' value='checkoutView'/>
  <Argument name='type' value='Deprovision'/>
  <Argument name='id' value='$(accountId)'/>
  <Argument name='name' value='$(accountId)'/>
  <Return from='view' to='deprovisionView'/>
</Action>
Regards
Arjun
Procedure to fully backup a user's email & manually deprovision a OCS user
Procedure to BACKUP/RESTORE email account (Note you need to create a dir on filesystem to store the backup)
Backup a user's email account
Source the midtier env e.g. ORACLE_HOME , ORACLE_SID , PATH
oesbkp task=backup type=all user=<email_address> admindn=cn=orcladmin password=<password>
ldaphost=<hostname> ldapport=3090 backupdir= < path to backup dir >
Restore a user's email account
Source the midtier env e.g. ORACLE_HOME , ORACLE_SID , PATH
oesbkp task=restore type=all user=<email_address> admindn=cn=orcladmin password=<password>
ldaphost=<hostname> ldapport=3090 backupdir= < path to backup dir >
Procedure to Manually Deprovision A user in OCS
In this example we will delete the user:
email [email protected]
userid 100009
Step 1 : Delete the user in the GAL
Source the 10g cal env e.g. ORACLE_HOME , ORACLE_SID , PATH
Check for user in GAL
uniuser -ls -n 1 | grep <user_name>
Delete the user from the GAL
uniuser -del "S=<last_name>/G=<first_name>*" -n 1
e.g.
uniuser -ls -n 1 | grep bruce.wayne
Enter a password:
+ [email protected]/UID=100009/AUTOREFRESH=1/
uniuser -del "S=wayne/G=bruce*" -n 1
Enter a password:
Delete "S=wayne/G=bruce/UID=100009/ID=5566/NODE-ID=1" and its agenda [y/n]: y
uniuser: "S=wayne/G=bruce/UID=100009/ID=5566/NODE-ID=1" has been deleted
Step 2: Delete the user in the OID
Source the midtier env e.g. ORACLE_HOME , ORACLE_SID , PATH
Check for user in OID (Note ensure you have the correct port in this example we use 3060)
ldapsearch -h <hostname> -p 3060 -D "cn=orcladmin" -w <password> -s sub \
-b "cn=Users,dc=...................." -v "cn=<userid>"
Delete the user in OID
Create a file called "user.ldif" of the format
echo "cn=<userid>, cn=Users, dc=....................">user.ldif
Execute the ldapdelete utility
ldapdelete -h <hostname> -p 3060 -D "cn=orcladmin" -w <password> -v -f user.ldif
deleting entry cn=<userid>, cn=Users, dc=............................................
delete completed
Step 3: Delete user from the mail store
Source the midtier env e.g. ORACLE_HOME , ORACLE_SID , PATH
Check for user in that database
echo "select username from es_user where USERNAME like '%<username>%';" > user.sql
sqlplus "es_mail/password"@<user.sql
Create "mailstore_user.txt" of the format
echo "mail=<email_address>">mailstore_user.txt
Clean the mail store
oesucr mailstore_user.txt -d -v
oesucr mailstore_user.txt -clean_user_mailstore_data
Hi Guys,
Interesting question. It's got me wondering how I can do something similar. But not so much for the email (coz we are not using Oracle Mail), but for the security setup of a user in OCS. E.g. a user is granted access to many folders or objects, we want an easy way to deprovision everything. (If backing up is possible before the deprovisioning, even better - just in case a wrong delete was performed, it is recoverable.)
The other thing I'm interested in is whether a branch in OCS can be backed up and recovered easily (together with all its meta-data and attributes)?
Regards
Steve
Email Notification while deprovision - OIM
Hi,
Is there any Out-of-box feature available in OIM for sending email to user's manager 7 days before user's deprovision date?
Thanks.
You need to create your own scheduled task in Java.
Extend this class: com.thortech.xl.scheduler.tasks.SchedulerBaseTask
You need to override the execute() method which is the method that is run automatically when you trigger the task.
To check if there are any users that will be deprovisioned within the next 7 days you need to call e.g. findUsers in the Thor.API.Operations.tcUserOperationsIntf to get users with a deprovisioned date that is equal to or less than the system time + 7 days.
Then you can send an email for each of these users.
Build a jar file with your code and place it under <OIM_HOME>/xellerate/JavaTasks and <OIM_HOME>/xellerate/ScheduleTask.
You will need to configure the scheduled task through the Design Client's Xellerate Administration -> Task Scheduler. Point to your schedule task class in the class field including the full package name.
Add a deprovisioning during an ongoing one
Hi, all!
Here's my problem. I have to deprovision one account when some other account is being deprovisioned. Using groups and roles is not an option. I am trying my luck in "Delete User" workflow. When it's called it is given the variable options which contains all the data about the accounts that need to go. I am attempting to insert the values for the account that didn't come with the options variable. I have managed to create a ResourceInfo object and seem to be able to add it to options.targets, options.unlinkTargets and options.unassignTargets (trace='true' says so) but when I dump the options object using toXml nothing has changed and consequently the extra account is not deprovisioned. How should I go about this? Any clues? We are using Sun IdM 7.1.1.12.
Here are some code snippets:
Creating the ResourceInfo object:
<setvar name='RIobject'>
<new class='com.waveset.object.ResourceInfo'>
<concat>
<ref>resourceName</ref> --> theOtherResource
<s>|</s> --> |
<ref>accountId</ref> --> abc
</concat>
</new> abc@theOtherResource(accountGUID=null exists=false)
</setvar>
... appending and having the trace confirm it
<append>
<ref>options.targets</ref> --> [cn=abc,ou=MS Users,ou=User Accounts,dc=foo,dc=bar,dc=net@Windows(accountGUID=null exists=false)]
<ref>RIobject</ref> --> etc.
</append> --> [cn=abc,ou=MS Users,ou=User Accounts,dc=foo,dc=bar,dc=net@Windows(accountGUID=null exists=false), abc@theOtherResource(accountGUID=null exists=false)]
... but on the next line the toXml says it's not there:
<invoke name='toXml'>
<ref>options</ref> --> com.waveset.object.GenericObject@520c37
</invoke> --> <?xml version='1.0' encoding='UTF-8'?>
<Attribute name='targets'>
<List>
<ResourceInfo accountId='cn=abc,ou=MS Users,ou=User Accounts,dc=foo,dc=bar,dc=net' tempId='633ffabc068bfbb9:cb741e:12c78a22380:-3d6'>
<ObjectRef type='Resource' name='Windows'/>
</ResourceInfo>
</List>
</Attribute>
Thanks in advance.
I found the problem: it's just me being tired. I used the wrong form of append. It should be the one that does not create a copy of the list, i.e. <append name='options.targets'>. This way it all works out.
Good bye and thanks for all the fish.