Release : Identity Manager 14.4.x
Please do the following steps.
1. First, run the following ldapsearch command to retrieve the inclusion objects of the orphaned accounts and write their DNs to an LDIF file:
ldapsearch -LLL -h <IMPS hostname> -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -o ldif_wrap=no -s one -b "eTSubordinateClass=eTDYNAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=eta" "(&(objectclass=eTInclusionObject)(eTSubordinateClassEntry=*eTDYNDirectoryName=<DYN EndpointName>*)(etSuperiorClassEntry=eTGlobalUserName=[default user]*))" null | sed -e 's/^dn: //' -e '/^$/d' > orphaned.ldif
Notes:
The commands use the OpenLDAP ldapsearch/ldapdelete tools, version 2.4.46 (on a 14.4.1 vApp machine the 'config' user can run this version). sed is a standard Linux utility; here it strips the "dn: " prefix and the blank lines so that only one DN per line remains, which is the format ldapdelete -f expects.
The above command is a single line.
The trailing "null" is not a real attribute name: requesting an attribute that does not exist makes ldapsearch return only the DN of each matching entry, which is all that is needed here. -o ldif_wrap=no keeps each DN on one line so that sed does not split it.
-W prompts for the password used to authenticate to the Provisioning Server; enter the etaadmin user's password.
Replace <IMPS hostname> with the Provisioning Server's IP address or FQHN.
Replace <DYN EndpointName> with the DYN endpoint name.
E.g.
ldapsearch -LLL -h localhost -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -o ldif_wrap=no -s one -b "eTSubordinateClass=eTDYNAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=eta" "(&(objectclass=eTInclusionObject)(eTSubordinateClassEntry=*eTDYNDirectoryName=exampleEndpoint*)(etSuperiorClassEntry=eTGlobalUserName=[default user]*))" null | sed -e 's/^dn: //' -e '/^$/d' > orphaned.ldif
The resulting orphaned.ldif contains the DNs of all the inclusion objects to delete, one DN per line, with no "dn: " prefix and no blank lines. Check the line count (wc -l orphaned.ldif) against the number of orphaned accounts you expect before going on. The contents look like the following:
...
2. Then run ldapdelete to delete the inclusion objects in a batch; -f reads one DN per line from the file:
ldapdelete -h <IMPS hostname> -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -W -f orphaned.ldif
Important:
a. Back up the Provisioning Directory before running the above ldapdelete. Refer to:
Provisioning Maintenance
Backing Up Data
b. Deleting 40k inclusion objects at once may cause performance issues. Do it during a maintenance window. If necessary, shut down the IM application and leave only the Provisioning Server and its Provisioning Directory running. Do not delete all 40k objects in one go: split orphaned.ldif into small chunks (for example with split -l) and run ldapdelete once per chunk. ldapdelete stops at the first DN that fails to delete unless -c (continuous mode) is given, so a chunk that aborts can be investigated and re-run. When all chunks are done, run the ldapsearch from step 1 again and confirm that it returns no entries.
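The two steps above, driven end to end by one script. This is an added example, not part of the original article: it keeps the article's bind DN, base DN and filter, but adds the checks a practitioner would want. The DN extraction is anchored ("^dn: ") and refuses base64-encoded "dn::" lines, which the article's sed would pass through unchanged and ldapdelete would then fail on; the ldapsearch result is written to a file before being transformed, because in the article's pipeline a failed bind (wrong password) would yield an empty orphaned.ldif and look like "no orphans"; the etaadmin password is read once into a 0600 temporary file and passed with -y, so it is neither re-prompted per chunk nor visible in ps as -w would make it; and the deletion runs in chunks of CHUNK DNs with a pause between them. IMPS_HOST, DYN_ENDPOINT, CHUNK, PAUSE, the file names orphaned.raw.ldif and orphaned.part.*, and the "run" argument are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original KB article): runs the orphaned-inclusion
# cleanup in chunks. Invoke interactively as:  sh cleanup_orphans.sh run
set -eu

IMPS_HOST="${IMPS_HOST:-localhost}"          # assumed default; the Provisioning Server host
IMPS_PORT="${IMPS_PORT:-20389}"
DYN_ENDPOINT="${DYN_ENDPOINT:-exampleEndpoint}"   # assumed default; the DYN endpoint name
CHUNK="${CHUNK:-500}"                         # assumed chunk size; the article only says "small"
BIND_DN='eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'
BASE_DN='eTSubordinateClass=eTDYNAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=eta'
FILTER="(&(objectclass=eTInclusionObject)(eTSubordinateClassEntry=*eTDYNDirectoryName=${DYN_ENDPOINT}*)(etSuperiorClassEntry=eTGlobalUserName=[default user]*))"

# stdin: LDIF from "ldapsearch -LLL -o ldif_wrap=no ... null"; stdout: one bare DN per
# line, the format ldapdelete -f expects. Same job as the article's sed, but anchored so
# only the "dn: " prefix is removed, and it fails on base64-encoded DNs ("dn:: ..."),
# which the plain sed would leave untouched and ldapdelete would then reject.
ldif_to_dns() {
    ldif=$(cat)
    if printf '%s\n' "$ldif" | grep -q '^dn:: '; then
        echo 'ldif_to_dns: base64-encoded DN found; decode and handle it by hand' >&2
        return 1
    fi
    printf '%s\n' "$ldif" | sed -e '/^#/d' -e 's/^dn: //' -e '/^$/d'
}

# Number of DNs in a DN-per-line file (prints 0 for an empty file).
count_dns() {
    grep -c . "$1" || true
}

# Step 1: search, keeping the raw LDIF so that a failed bind aborts (set -e) instead of
# silently producing an empty orphaned.ldif. Prints the number of DNs found.
search_orphans() {
    ldapsearch -LLL -o ldif_wrap=no -h "$IMPS_HOST" -p "$IMPS_PORT" -D "$BIND_DN" -y "$PASS_FILE" \
        -s one -b "$BASE_DN" "$FILTER" null > orphaned.raw.ldif
    ldif_to_dns < orphaned.raw.ldif > orphaned.ldif
    count_dns orphaned.ldif
}

# Step 2: delete in chunks of CHUNK DNs. Without -c, ldapdelete stops at the first
# failing DN, and set -e then stops this script so the chunk can be investigated.
delete_in_chunks() {
    rm -f orphaned.part.*
    split -l "$CHUNK" -a 4 orphaned.ldif orphaned.part.
    for part in orphaned.part.*; do
        n=$(count_dns "$part")
        echo "deleting $n inclusion objects listed in $part"
        ldapdelete -h "$IMPS_HOST" -p "$IMPS_PORT" -D "$BIND_DN" -y "$PASS_FILE" -f "$part"
        sleep "${PAUSE:-2}"   # assumed pause between chunks to let the directory catch up
    done
}

main() {
    umask 077
    PASS_FILE=$(mktemp)   # 0600 file holding the etaadmin password; removed on exit
    trap 'rm -f "$PASS_FILE" orphaned.part.*' EXIT
    printf 'etaadmin password: '
    stty -echo; read -r pw; stty echo; echo
    printf '%s' "$pw" > "$PASS_FILE"   # -y uses the file contents verbatim, so no newline
    total=$(search_orphans)
    echo "$total orphaned inclusion objects written to orphaned.ldif"
    [ "$total" -gt 0 ] || exit 0
    echo 'Back up the Provisioning Directory now, then press Enter to start deleting.'
    read -r _
    delete_in_chunks
    echo "remaining after deletion: $(search_orphans)"
}

case "${1:-}" in run) main ;; esac
```

Run it as the 'config' user on the vApp (or anywhere the OpenLDAP tools are installed) with IMPS_HOST and DYN_ENDPOINT set for your environment; it refuses to proceed past the search until you confirm the backup has been taken, and ends by re-running the search so that a non-zero "remaining" count is immediately visible.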