Why is viewing Account Properties showing stale information instead of the values that exist on the actual endpoint account?

Article ID: 256643

Products

CA Identity Suite CA Identity Manager

Issue/Introduction

Viewing Account Properties is showing stale information instead of the values that exist on the actual endpoint account

Environment

All Identity Manager

Cause

By default, minimal information is stored in the Provisioning Repository for an account reference object, so a request to view the account properties results in a request to fetch the data in real time from the actual endpoint.

However, when account attributes are configured in either Custom Correlation Rules or in Endpoint Attribute Mappings, those attribute values are stored in the Provisioning Repository, and the stored value is displayed instead of fetching the data from the endpoint in real time. This can result in viewing stale information, for example until the next time an Explore is run, which fetches and stores the value of that attribute as of that Explore.

 

Resolution

If this is undesired, you will need to remove the Custom Correlation Rule and/or Endpoint Attribute Mapping for that account attribute. Be sure you understand your implementation, whether there are reasons why you have such Custom Correlation Rules and/or Endpoint Attribute Mappings, and whether they are needed before removing them.

However, removing it is not enough to automatically clear the value already stored for that attribute on the account reference object within the Provisioning Repository, so you will still continue to view the stale data. You will also need to manually clean up the stored value for that attribute within the Provisioning Repository.

As an example, let's say there is a Custom Connector called MyConnectorType, you acquired an endpoint instance called MyEndpoint, and you had an Endpoint Attribute Mapping between the Provisioning Global User attribute CustomField01 and the Account attribute MyAttribute, where MyAttribute is mapped to the DYN attribute eTDYN-str-multi-01. Removing that Endpoint Attribute Mapping would not clear the eTDYN-str-multi-01 account value automatically. This is just an example; different Connectors and different attributes would result in different-looking commands.

You would need to first remove that Endpoint Attribute Mapping, but you would also need to use LDAP commands to get a list of all the account reference objects that have a value in that mapped attribute, and then create an LDIF file to clear that attribute from all of those account reference objects.

This request goes directly against the data layer under the Provisioning Server application (i.e. port 20391 is the Directory Router DSA), so it must be done carefully to avoid further problems or data corruption. PASSWORD is the password used when installing the product to bind directly against the Provisioning Repository data layer.

Use the ldapsearch command to get the list of account reference objects with a value in the specific attribute:

ldapsearch -LLL -h IMPS_HOST -p 20391 -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -w PASSWORD -b "eTDYNDirectoryName=MyEndpoint,eTNamespaceName=MyConnectorType,dc=im,dc=etadb" -s sub "(&(objectclass=eTDYNAccount)(eTDYN-str-multi-01=*))" dn > accountlist.ldif

The resulting accountlist.ldif file would contain entries such as the following:

dn: eTDYNAccountName=user1,eTDYNContainerName=users,eTDYNDirectoryName=MyEn
 dpoint,eTNamespaceName=MyConnectorType,dc=im,dc=etadb

dn: eTDYNAccountName=user2,eTDYNContainerName=users,eTDYNDirectoryName=MyEn
 dpoint,eTNamespaceName=MyConnectorType,dc=im,dc=etadb
 
You would need to use that information to build a new input.ldif that deletes the values for each of those accounts for that specific attribute, such as the following:

dn: eTDYNAccountName=user1,eTDYNContainerName=users,eTDYNDirectoryName=MyEndpoint,eTNamespaceName=MyConnectorType,dc=im,dc=etadb
changetype: modify
delete: eTDYN-str-multi-01

dn: eTDYNAccountName=user2,eTDYNContainerName=users,eTDYNDirectoryName=MyEndpoint,eTNamespaceName=MyConnectorType,dc=im,dc=etadb
changetype: modify
delete: eTDYN-str-multi-01

Then feed the created input.ldif file to the ldapmodify command, such as:

ldapmodify -F -h IMPS_HOST -p 20391 -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -w PASSWORD -f input.ldif
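To turn accountlist.ldif into input.ldif without hand-editing every DN, here is an added example script; it is not part of CA Identity Manager or the LDAP tools and assumes the ldapsearch output and the eTDYN-str-multi-01 attribute from this article. It goes slightly beyond the sample above by unfolding the wrapped DN lines and by handling base64-encoded (dn::) entries that ldapsearch emits for non-ASCII DNs.

```python
import base64
import sys

ATTRIBUTE = "eTDYN-str-multi-01"  # the mapped DYN attribute used in this article

# Constructed sample of accountlist.ldif as written by "ldapsearch -LLL ... dn":
# long DNs are folded, and each continuation line starts with one space.
SAMPLE_ACCOUNTLIST = """dn: eTDYNAccountName=user1,eTDYNContainerName=users,eTDYNDirectoryName=MyEn
 dpoint,eTNamespaceName=MyConnectorType,dc=im,dc=etadb

dn: eTDYNAccountName=user2,eTDYNContainerName=users,eTDYNDirectoryName=MyEn
 dpoint,eTNamespaceName=MyConnectorType,dc=im,dc=etadb
"""

def unfold_ldif(text):
    """Join folded lines (RFC 2849: a leading space continues the previous
    line) and drop blank lines and comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines

def account_dns(accountlist):
    """Every DN in the search output. 'dn::' means ldapsearch base64-encoded
    the DN (non-ASCII or leading/trailing space), so decode it."""
    dns = []
    for line in unfold_ldif(accountlist):
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns

def dn_line(dn):
    """Write the DN back out, base64-encoding it again when LDIF requires."""
    safe = dn.isascii() and not dn.startswith((" ", ":", "<")) and not dn.endswith(" ")
    return f"dn: {dn}" if safe else "dn:: " + base64.b64encode(dn.encode("utf-8")).decode()

def build_modify_ldif(dns, attribute=ATTRIBUTE):
    """One modify record per account that removes the stored attribute;
    records are separated by blank lines, as ldapmodify -f expects."""
    return "\n".join(f"{dn_line(dn)}\nchangetype: modify\ndelete: {attribute}\n" for dn in dns)

if __name__ == "__main__":
    # usage: python build_input_ldif.py accountlist.ldif > input.ldif
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ACCOUNTLIST
    sys.stdout.write(build_modify_ldif(account_dns(source)))
```

Review the generated input.ldif against the ldapsearch result before running ldapmodify, since the change is applied directly to the Provisioning Repository.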