After a user of LDAP origin is deleted from UAA, the user can still log in via the CF CLI, and the deleted user record reappears in UAA after that successful login.
Steps to reproduce the issue:
1. The user of LDAP origin can be retrieved with UAAC:
ubuntu@pivotal-ops-manager:~$ uaac user get 'exampleuser'
  id: 3d5e8ca2-eeaf-45a3-9b2e-5f477a6c01f3
  meta
    version: 0
    created: 2017-11-21T02:11:14.000Z
    lastmodified: 2017-11-21T02:11:14.000Z
  name
    familyname: example
  emails:
  - value: [email protected]
    primary: false
  groups:
  - value: c671a376-4427-41df-b806-ce519cc49006
    display: approvals.me
    type: DIRECT
  ......
  - value: ad068b47-5a62-4957-a637-552c74ed1b36
    display: cloud_controller_service_permissions.read
    type: DIRECT
  - value: 336f402f-c11e-4090-ae9e-c084b3816980
    display: oauth.approvals
    type: DIRECT
  approvals:
  active: true
  verified: true
  origin: ldap
  schemas: urn:scim:schemas:core:1.0
  externalid: cn=example user,dc=aliceldap,dc=com
  username: exampleuser
  zoneid: uaa
  passwordlastmodified: 2017-11-21T02:11:14.000Z
  lastlogontime: 1511230274378
2. Logging in with this user on the CF CLI succeeds:
[root@dev2 ~]# cf login
API endpoint: https://api.example.com

Email> exampleuser
Password>
Authenticating...
OK
3. Delete the user with UAAC:
ubuntu@pivotal-ops-manager:~$ uaac user delete 'exampleuser'
user account successfully deleted
4. The user can no longer be retrieved via UAAC:
ubuntu@pivotal-ops-manager:~$ uaac user get 'exampleuser'
CF::UAA::NotFound: CF::UAA::NotFound
5. Logging in with this user on the CF CLI still succeeds:
[root@dev2 ~]# cf login
API endpoint: https://api.example.com

Email> exampleuser
Password>
Authenticating...
OK
6. The user can then be shown with UAAC again:
ubuntu@pivotal-ops-manager:~$ uaac user get 'exampleuser'
  id: 3d5e8ca2-eeaf-45a3-9b2e-5f477a6c01f3
  meta
    version: 0
    created: 2017-11-21T02:11:14.000Z
    lastmodified: 2017-11-21T02:11:14.000Z
  name
    familyname: example
  emails:
  ......
  approvals:
  active: true
  verified: true
  origin: ldap
  schemas: urn:scim:schemas:core:1.0
  externalid: cn=example user,dc=aliceldap,dc=com
  username: exampleuser
  zoneid: uaa
For a user of LDAP origin, the LDAP server is the source of truth. The record in UAA is only a shadow of the LDAP entry (note the externalid holding the LDAP DN): deleting it removes the local copy, but it does not revoke the user's access. On the next login via the CF CLI, UAA binds to LDAP with the supplied credentials; if that bind succeeds, UAA re-creates the user record from the LDAP entry automatically. Deleting the user from UAA alone is therefore not a lockout.
If removal is required for a user of LDAP origin, remove (or disable) the account on the LDAP server side first, so the next login attempt fails, and then delete the user from UAA. Afterwards, confirm that the user can no longer log in via the CF CLI and that uaac user get for the username still returns CF::UAA::NotFound.
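The removal procedure above in script form, as an added example that is not part of the original article or of the UAA project. It deletes the LDAP entry named by the UAA record's externalid, then the UAA shadow user, and finally verifies that login fails and the record does not come back. The LDAP URI, admin bind DN and password, and the overridable UAAC, LDAPDELETE and CF command variables are assumptions made here; the script expects uaac to already be targeted and holding an admin token.

```shell
#!/usr/bin/env bash
# Added example (not from the article): remove an LDAP-origin user in the
# required order (LDAP first, then UAA) and verify it does not reappear.
# Assumptions: `uaac target` and an admin token are already set up;
# LDAP_URI / LDAP_BIND_DN / LDAP_BIND_PW describe the LDAP admin bind.
# UAAC, LDAPDELETE and CF can be overridden (e.g. with stubs for testing).
set -u

: "${LDAP_URI:=ldap://ldap.example.com}"
: "${LDAP_BIND_DN:=cn=admin,dc=aliceldap,dc=com}"
: "${LDAP_BIND_PW:=}"          # export the real bind password before running
: "${UAAC:=uaac}"
: "${LDAPDELETE:=ldapdelete}"
: "${CF:=cf}"

# Print the LDAP DN recorded as externalid on the UAA shadow user
# (the "externalid: cn=..." line of `uaac user get`); empty if not found.
uaa_external_id() {
  "$UAAC" user get "$1" 2>/dev/null \
    | awk '/^ *externalid:/ { sub(/^ *externalid: */, ""); print; exit }'
}

# Return 0 if UAA still has a record for the username.
uaa_user_exists() {
  "$UAAC" user get "$1" >/dev/null 2>&1
}

# Delete the LDAP entry first, then the UAA record. Stops if either fails,
# so a UAA-only deletion (which LDAP login would silently undo) cannot happen.
remove_ldap_user() {
  local username="$1" dn
  dn="$(uaa_external_id "$username")"
  if [ -z "$dn" ]; then
    echo "no LDAP-origin record in UAA for '$username'" >&2
    return 2
  fi
  "$LDAPDELETE" -H "$LDAP_URI" -D "$LDAP_BIND_DN" -w "$LDAP_BIND_PW" "$dn" \
    || { echo "LDAP delete of '$dn' failed; not touching UAA" >&2; return 1; }
  "$UAAC" user delete "$username" \
    || { echo "UAA delete of '$username' failed" >&2; return 1; }
}

# Verify the lockout: `cf auth` must fail (no LDAP bind possible) and the
# UAA record must still be absent afterwards. Password is passed via the
# CF_PASSWORD environment variable rather than the command line.
verify_removed() {
  local username="$1" password="$2"
  if CF_USERNAME="$username" CF_PASSWORD="$password" "$CF" auth >/dev/null 2>&1; then
    echo "login still succeeds: LDAP entry for '$username' still exists?" >&2
    return 1
  fi
  if uaa_user_exists "$username"; then
    echo "UAA record for '$username' was re-created" >&2
    return 1
  fi
  echo "'$username' removed from LDAP and UAA; login denied"
}

# Usage: ./remove_ldap_user.sh exampleuser [password-to-test-with]
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 1 ]; then
  remove_ldap_user "$1" && verify_removed "$1" "${2:-invalid}"
fi
```

Run it with the username only to perform the deletion; pass the user's old password as the second argument if you want the verification step to prove that a previously valid credential is now rejected rather than just an invalid one.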