How to get a list all global user accounts of a specific endpoint type.
search cancel

How to get a list all global user accounts of a specific endpoint type.

book

Article ID: 48842

calendar_today

Updated On:

Products

CA Directory CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

A solution is the following windows command script. this is a sample for an Active Directory endpoint type.   The provided examples can be used as a reference to access to other endpoint types. 

Environment

Identity Manager

Resolution

Beginning of the windows command script.

In this part, the settings are customizable, depending on the environment:

@ECHO OFF
SET ETAHOME="C:\Program Files (x86)\CA\Identity Manager\Provisioning Server"
:: Host name of Provisioning server:
SET HOST=<HostName>
:: Provisioning Domain Name:
SET DOMAIN=im
:: Provisioning Server administrator:
SET USERDN="eTGlobalUserName=<AdminName>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
:: Provisioning Server administrator password:
SET PASSWD=<Password>

 

The following ldap search request retrieves the global users with their id attribute.
The resulting list is stored into the temp0.ldi file.

SET BASEDN="eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
SET FILTER="(eTGlobalUserName=*)"
:: Attributes you want to extract
SET ATTRIB=eTID
%ETAHOME%\bin\ldapsearch -LLL -h %HOST% -p 20389 -D %USERDN% -w %PASSWD% -b %BASEDN% -s one %FILTER% %ATTRIB% >Temp0.ldi

 

The following program concatenates split lines (fixed length line format) to one line per attribute.
The c program source code is shown in appendix. Input file: temp0.ldi output file: temp1.ldi

ConvertLdifToLong.exe Temp0.ldi Temp1.ldi

The following sequence calls in a loop the ldapsearch sub-routine passing the etid of each global user. At the end of the process all temporary files are deleted.

:: Loop reading Temp1.ldi file
FOR /F "tokens=1,2 delims= " %%A IN (Temp1.ldi) DO IF "%%A"=="eTID:" CALL :LdapSearch %%B
:: delete temporary files
del Temp*.ldi
GOTO:EOF

 

This following sub-routine reads the user/ads accounts inclusions. You can change etadsaccount value to another endpoint type account class name.

:LdapSearch
SET BASEDN="eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
:: Attributes you want to extract
SET ATTRIB=eTSuperiorClassEntry eTSubordinateClassEntry
SET FILTER="(&(objectClass=eTInclusionObject)(eTRelationship=USERACCOUNT)(eTPID=%1))"
%ETAHOME%\bin\ldapsearch -LLL -h %HOST% -p 20389 -D %USERDN% -w %PASSWD% -b %BASEDN% -s one %FILTER% %ATTRIB% >Temp2.ldi
ConvertLdifToLong.exe Temp2.ldi Temp3.ldi

 

This is the end of the sub-routine and script. For each global user (superior class) the related accounts (subordinate class) are displayed when existing.

FOR /F "tokens=1-4 delims==:," %%A IN (Temp3.ldi) DO IF "%%A"=="eTSuperiorClassEntry" SET GU=%%C
FINDSTR "eTSubordinateClassEntry:" Temp3.ldi >NUL
IF %ERRORLEVEL% NEQ 0 GOTO:EOF
ECHO -----------
ECHO Global User=%GU%
FOR /F "tokens=1-2 delims=:" %%A IN (Temp3.ldi) DO IF "%%A"=="eTSubordinateClassEntry" echo %%B
 
SAMPLE OF RESULTING REPORT.
-----------
Global User=administrator
 eTADSAccountName=Administrator,eTADSContainerName=Users,eTADSDirectoryName=<DirectoryName>,...
-----------
Global User=<UserName>
  eTADSAccountName=<UserName>,eTADSOrgUnitName=Provisioning,eTADSDirectoryName=<DirectoryName>,....
-----------
Global User=[default user]
 eTADSAccountName=<UserName>,eTADSContainerName=Users,eTADSDirectoryName=<DirectoryName>,...
 eTADSAccountName=<UserName>,eTADSContainerName=Users,eTADSDirectoryName=<DirectoryName>,...
 eTADSAccountName=<UserName>,eTADSOrgUnitName=Provisioning,eTADSDirectoryName=<DirectoryName>,...
 
 
APPENDIX: CONVERTLDIFTOLONG.CPP
 
#include "stdafx.h"
int main(int argc, char * argv[])
{
 FILE *Infp, *Outfp;
 char InChar;
 bool Eol=false;
 if (argc != 3) {printf ("Usage: ConvertLdifToLong InPutFileName OutPutFileName\n");return 1;}
 if (fopen_s(&Infp, argv[1], "r")) {printf ("Could not open input file %s\n", argv[1]);return 1;}
 if (fopen_s(&Outfp, argv[2], "w")) {printf ("Could not open output file %s\n", argv[2]);return 1;}
 while ((InChar=fgetc(Infp))!= EOF)
 {
 if (InChar=='\n'){Eol=true;continue;}
 else if (Eol) {Eol=false;if (InChar==' ')continue;else fputc('\n', Outfp);}
 fputc(InChar, Outfp);
 }
 _fcloseall( );return 0;
}

Powered by Wolken Software