Layer 7 Access Management


Remove provisioning role and account from user

  • 1.  Remove provisioning role and account from user

    Posted 03-12-2017 02:14 PM

    Hello,

     

    We have a requirement wherein, at a particular date, all the provisioning roles and accounts should be removed from the user.

     

    Can this be achieved using the etautil script?

     

    We actually tried with the following script:

     

    etautil -d domain -u user -p pwd update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=domain,dc=eta' eTGlobalUser eTGlobalUserName="%UID%" to eTRoleDN='' eTSyncUsers=1 >> eTdelete.log

     

    It removes the role, but the accounts are still not removed. Can anyone assist with where we are going wrong here?

     

    Thanks,

    Shashank



  • 2.  Re: Remove provisioning role and account from user
    Best Answer

    Posted 03-12-2017 08:59 PM

    The eTSyncUsers=1 means to create any accounts that should be there based on templates and/or assign account templates to those accounts as needed.

     

    The eTSyncDelete=1 means to delete any accounts that are not prescribed by a Provisioning Role/Template and to delete those accounts.

     

    You can try the following:

    etautil -u user -p pwd update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='%UID%' to eTRoleDN='';

    etautil -u user -p pwd update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='%UID%' to eTSyncDelete='1';

     

    If you want to perform a single etautil bind and then feed in the file of commands it would be:

    etautil -u user -p pwd -f input.txt

    where input.txt would have one command per line such as:

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='%UID%' to eTRoleDN='';

    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='%UID%' to eTSyncDelete='1';
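
The batch-file approach from the answer above, extended to the date requirement in the question, as an added example that is not part of the original thread or of the product's own tooling. It assumes a hypothetical `uid,end_date` list (dates as YYYY-MM-DD), and the function name and sample users are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): emit etautil batch commands for users
# whose end date has passed. The "uid,end_date" list layout is an assumption.
CONTAINER='eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects'

# Usage: gen_etautil_input YYYY-MM-DD < users.csv > input.txt
gen_etautil_input() {
    today=$(printf '%s' "$1" | tr -cd '0-9')
    while IFS=, read -r uid end_date; do
        case $uid in ''|'#'*) continue ;; esac        # blank line or comment
        # Conservative allow-list: a quote, semicolon or space in a uid could
        # close the quoted value and smuggle a second command into the file.
        case $uid in
            *[!A-Za-z0-9._-]*) echo "skip: invalid uid '$uid'" >&2; continue ;;
        esac
        case $end_date in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) echo "skip: bad date for $uid" >&2; continue ;;
        esac
        # YYYYMMDD compares correctly as an integer; skip users not yet due.
        [ "$(printf '%s' "$end_date" | tr -cd '0-9')" -le "$today" ] || continue
        # Same two updates as in the answer: clear roles, then sync-delete.
        printf "update '%s' eTGlobalUser eTGlobalUserName='%s' to eTRoleDN='';\n" "$CONTAINER" "$uid"
        printf "update '%s' eTGlobalUser eTGlobalUserName='%s' to eTSyncDelete='1';\n" "$CONTAINER" "$uid"
    done
}

# Constructed sample list for demonstration only.
sample_list() {
    cat <<'EOF'
# uid,end_date
jdoe,2017-03-01
asmith,2017-03-12
future1,2017-12-31
bad'uid,2017-01-01
nodate,
EOF
}

sample_list | gen_etautil_input 2017-03-12
```

Redirect the output to input.txt and review it before passing it to etautil with -f as shown in the answer; skipped entries are reported on stderr so they can be followed up separately.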



  • 3.  Re: Remove provisioning role and account from user

    Posted 03-17-2017 01:39 PM

    Hello Kenny,

     

    Yes, this helped.

    Thanks a lot for the quick response!

    Shashank