How to get a list all global user accounts of a specific endpoint type.
search cancel

How to get a list all global user accounts of a specific endpoint type.

book

Article ID: 48842

calendar_today

Updated On:

Products

CA Directory CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

A solution is the following windows command script. this is a sample for ads endpoint type. this can be changed to other endpoint types. This has been tested on windows 2008 r2 sp1 64-bit with im provisioning server r12.6.0

Environment

Release:
Component: IDMGR

Resolution

Beginning of the windows command script.

In this part, the settings are customizable, depending on your own values.

 

@ECHO OFF
SET ETAHOME="C:\Program Files (x86)\CA\Identity Manager\Provisioning Server"
:: Host name of Provisioning server:
SET HOST=<HostName>
:: Provisioning Domain Name:
SET DOMAIN=im
:: Provisioning Server administrator:
SET USERDN="eTGlobalUserName=<AdminName>,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
:: Provisioning Server administrator password:
SET PASSWD=<Password>

The following ldap search request retrieves the global users with their id attribute.
The resulting list is stored into the temp0.ldi file.

 

SET BASEDN="eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
SET FILTER="(eTGlobalUserName=*)"
:: Attributes you want to extract
SET ATTRIB=eTID
%ETAHOME%\bin\ldapsearch -LLL -h %HOST% -p 20389 -D %USERDN% -w %PASSWD% -b %BASEDN% -s one %FILTER% %ATTRIB% >Temp0.ldi

 

The following program concatenates splitted lines (fixed length line format) to one line per attribute.
The c program source code is shown in appendix. Input file: temp0.ldi output file: temp1.ldi

ConvertLdifToLong.exe Temp0.ldi Temp1.ldi

The following sequence calls in a loop the ldapsearch sub-routine passing the etid of each global user. At the end of the process all temporary files are deleted.

 

:: Loop reading Temp1.ldi file
FOR /F "tokens=1,2 delims= " %%A IN (Temp1.ldi) DO IF "%%A"=="eTID:" CALL :LdapSearch %%B
:: delete temporary files
del Temp*.ldi
GOTO:EOF

 

This following sub-routine reads the user/ads accounts inclusions. You can change etadsaccount value to another endpoint type account class name.

 

:LdapSearch
SET BASEDN="eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=%DOMAIN%,dc=eta"
:: Attributes you want to extract
SET ATTRIB=eTSuperiorClassEntry eTSubordinateClassEntry
SET FILTER="(&(objectClass=eTInclusionObject)(eTRelationship=USERACCOUNT)(eTPID=%1))"
%ETAHOME%\bin\ldapsearch -LLL -h %HOST% -p 20389 -D %USERDN% -w %PASSWD% -b %BASEDN% -s one %FILTER% %ATTRIB% >Temp2.ldi
ConvertLdifToLong.exe Temp2.ldi Temp3.ldi


This is the end of the sub-routine and script. For each global user (superior class) the related accounts (subordinate class) are displayed when existing.

FOR /F "tokens=1-4 delims==:," %%A IN (Temp3.ldi) DO IF "%%A"=="eTSuperiorClassEntry" SET GU=%%C
FINDSTR "eTSubordinateClassEntry:" Temp3.ldi >NUL
IF %ERRORLEVEL% NEQ 0 GOTO:EOF
ECHO -----------
ECHO Global User=%GU%
FOR /F "tokens=1-2 delims=:" %%A IN (Temp3.ldi) DO IF "%%A"=="eTSubordinateClassEntry" echo %%B
 
SAMPLE OF RESULTING REPORT.
-----------
Global User=administrator
 eTADSAccountName=Administrator,eTADSContainerName=Users,eTADSDirectoryName=<DirectoryName>,...
-----------
Global User=<UserName>
 eTADSAccountName=<UserName>,eTADSOrgUnitName=Provisioning,eTADSDirectoryName=<DirectoryName>,.... ----------- Global User=[default user] eTADSAccountName=<UserName>,eTADSContainerName=Users,eTADSDirectoryName=<DirectoryName>,... eTADSAccountName=<UserName>,eTADSContainerName=Users,eTADSDirectoryName=<DirectoryName>,... eTADSAccountName=<UserName>,eTADSOrgUnitName=Provisioning,eTADSDirectoryName=<DirectoryName>,... APPENDIX: CONVERTLDIFTOLONG.CPP #include "stdafx.h" int main(int argc, char * argv[]) { FILE *Infp, *Outfp; char InChar; bool Eol=false; if (argc != 3) {printf ("Usage: ConvertLdifToLong InPutFileName OutPutFileName\n");return 1;} if (fopen_s(&Infp, argv[1], "r")) {printf ("Could not open input file %s\n", argv[1]);return 1;} if (fopen_s(&Outfp, argv[2], "w")) {printf ("Could not open output file %s\n", argv[2]);return 1;} while ((InChar=fgetc(Infp))!= EOF) { if (InChar=='\n'){Eol=true;continue;} else if (Eol) {Eol=false;if (InChar==' ')continue;else fputc('\n', Outfp);} fputc(InChar, Outfp); } _fcloseall( );return 0; }