How to delete inclusions to [default user] Global User in bulk using ldapdelete?

Article ID: 262653

CA Identity Manager


Explore and Correlate against a DYN endpoint was executed with the "Correlate accounts to global users - Use existing global users" option selected, and now there are more than 40k orphaned accounts, i.e. accounts that are correlated to the [default user] Global User.
Using the KB article below, Provisioning Manager's "Remove Account From User..." function can be used to remove the association of an account with [default user].
How can this task be done in bulk?


Release: Identity Manager 14.4.x


Follow these steps.

1. First, run the following ldapsearch command to get the inclusion objects of the orphaned accounts and write the result to an LDIF file.

ldapsearch -LLL -h <IMPS hostname> -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -o ldif_wrap=no -s one -b "eTSubordinateClass=eTDYNAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=eta" "(&(objectclass=eTInclusionObject)(eTSubordinateClassEntry=*eTDYNDirectoryName=<DYN EndpointName>*)(eTSuperiorClassEntry=eTGlobalUserName=[default user]*))" null | sed -e 's/dn: //g' -e '/^$/d' > orphaned.ldif

    The ldapsearch tool version 2.4.46 is used here (on a 14.4.1 vApp machine the 'config' user can run this ldapsearch version). sed is a built-in Linux command; here it strips the "dn: " prefix and the blank lines so that only the DNs remain.
    The above command is one line.
    The command prompts for the password to authenticate to the Provisioning Server; enter the etaadmin user's password.
    Replace <IMPS hostname> with the Provisioning Server's IP address or FQHN.
    Replace <DYN EndpointName> with the DYN Endpoint name.


Example with the Provisioning Server on localhost and the DYN endpoint sgneteauto_sgcadir1401:

ldapsearch -LLL -h localhost -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -o ldif_wrap=no -s one -b "eTSubordinateClass=eTDYNAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=eta" "(&(objectclass=eTInclusionObject)(eTSubordinateClassEntry=*eTDYNDirectoryName=sgneteauto_sgcadir1401*)(eTSuperiorClassEntry=eTGlobalUserName=[default user]*))" null | sed -e 's/dn: //g' -e '/^$/d' > orphaned.ldif

The resulting orphaned.ldif contains the DNs of all the inclusion objects we need to delete, one DN per line (which is the input format ldapdelete -f expects).



2. Then run the ldapdelete command to delete the inclusion objects in batch:

ldapdelete -h <IMPS hostname> -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -f orphaned.ldif

a. Make sure to back up the Provisioning Directory before running the above ldapdelete. Please refer

b. Deleting 40k inclusion objects may cause performance issues, so do it during a maintenance window. Shut down the IM application if necessary and run only the Provisioning Server with its Provisioning Directory. Do not delete the 40k objects in one go; split orphaned.ldif into small chunk files and run ldapdelete once per chunk.
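The following script is an added example, not part of this KB article, showing one way to carry out step 2 in chunks as note b. recommends: it first checks that every line of orphaned.ldif is a direct child of the inclusion container that the ldapsearch in step 1 was scoped to (so nothing outside that container can be fed to ldapdelete by mistake), then splits the file with split(1) and runs ldapdelete once per chunk. Names that are assumptions rather than from the article: the "chunks" work directory, the "chunk_" file prefix, the chunk size of 500, and reading the etaadmin password from a file with ldapdelete's OpenLDAP -y option instead of prompting with -W for every chunk.

```shell
#!/bin/sh
# Added example, not part of the KB article: split orphaned.ldif (output of
# step 1) into chunks and run ldapdelete once per chunk, after checking that
# every DN in the file is a direct child of the inclusion container that the
# ldapsearch in step 1 was scoped to. Assumed (not from the article): the
# "chunks" work directory, the "chunk_" file prefix, the chunk size of 500,
# and reading the etaadmin password from a file with ldapdelete's -y option.

INCLUSION_BASE="eTSubordinateClass=eTDYNAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=eta"
BIND_DN="eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta"

# check_dns FILE
# Prints how many lines are NOT of the form "<one RDN>,<INCLUSION_BASE>".
# A non-zero count means the file contains something the search should not
# have returned (or an RDN with an escaped comma, which this simple check
# does not handle), so the file must be inspected before any deletion.
check_dns() {
    grep -Evc "^[^,]+,${INCLUSION_BASE}\$" "$1" || true
}

# split_ldif FILE LINES_PER_CHUNK DIR
# Writes DIR/chunk_aa, DIR/chunk_ab, ... and prints the number of chunks.
split_ldif() {
    mkdir -p "$3"
    rm -f "$3"/chunk_*
    split -l "$2" "$1" "$3/chunk_"
    ls "$3"/chunk_* | wc -l | tr -d ' '
}

# delete_chunks DIR HOST PASSFILE
# Runs ldapdelete once per chunk. -y reads the bind password from PASSFILE so
# there is no prompt per chunk (keep that file mode 600 and remove it after).
# Stops at the first failing chunk and prints the number of chunks completed;
# after fixing the cause, rerun step 1 to regenerate the list rather than
# replaying a chunk that may already be partly applied.
# LDAPDELETE can be set to substitute another command (e.g. a dry-run stub).
delete_chunks() {
    _dir=$1; _host=$2; _pass=$3; _completed=0
    for _f in "$_dir"/chunk_*; do
        [ -f "$_f" ] || continue
        "${LDAPDELETE:-ldapdelete}" -h "$_host" -p 20389 -D "$BIND_DN" -y "$_pass" -f "$_f" || return 1
        _completed=$((_completed + 1))
        sleep "${PAUSE_SECONDS:-0}"   # optional pause so the directory can catch up
    done
    echo "$_completed"
}

# Command-line use on the Provisioning Server host (assumed file names):
#   sh bulk_delete_inclusions.sh orphaned.ldif <IMPS hostname> /path/to/etaadmin.pass
if [ "$#" -eq 3 ]; then
    bad=$(check_dns "$1")
    if [ "$bad" -ne 0 ]; then
        echo "refusing to continue: $bad line(s) in $1 are not under $INCLUSION_BASE" >&2
        exit 1
    fi
    n=$(split_ldif "$1" 500 chunks)
    echo "split $1 into $n chunk(s) of at most 500 DNs"
    completed=$(delete_chunks chunks "$2" "$3") || { echo "ldapdelete failed; see the error above" >&2; exit 1; }
    echo "ldapdelete completed $completed of $n chunk(s)"
fi
```

Set PAUSE_SECONDS to a few seconds if the Provisioning Directory is still under load between chunks, and run the script with LDAPDELETE pointing at a stub that only echoes its arguments to rehearse the run against a copy of orphaned.ldif before touching the directory.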