-1

I am deleting a user in Tivoli LDAP using Spring LdapTemplate -> ldapTemplate.unbind().

When I delete a user, its DN automatically gets deleted from uniqueMember of Groups.

Can someone tell me how and why this scenario happens?


I tried to create a new attribute Organization in Users and put the Org DN in it, but when I delete the organisation this DN is not removed.

Is there a setting I am missing which is present in uniqueMember and not in my custom attribute, which will auto-delete the organisation DN from my Users branch?


Update: I found a way to handle this in theory, but I am not able to implement it: https://www.ibm.com/support/knowledgecenter/SSVJJU_6.3.0/com.ibm.IBMDS.doc/plugin198.htm

Has anyone tried this? If someone can point me to an example

  • Why are you complaining? That's exactly what you want to happen. Don't you like referential integrity? – user207421 Jun 14 '17 at 07:50
  • I understand that the deletion of the user in uniqueMember is supposed to happen, but my problem is why the same scenario is not reproducible with a custom attribute I created. – Jashanpreet Singh Jun 14 '17 at 10:27

2 Answers

0

The cascade delete could be a result of a trigger. Perhaps these post operations will point you in the right direction of how to implement your requirement.

ipper
0

The fact that your user is removed from a group when the user is removed is a common behaviour of LDAP directories which manage the membership that way.

If a user is deleted, it will maintain the integrity of the members of the group and remove the non-existing user from these groups.

The group membership behaviour is generally linked to the objectClasses which represent a group.

I don't know if it is possible to extend this behaviour to a custom objectClass in Tivoli.

Update:

From what I understand of the documentation you linked, what I would do is:

  • Add to the user an attribute (which I think must be of the DN syntax). We will call this attribute organization
  • Add the plugin configuration file in Tivoli containing this configuration:

    at=organization
    dn=dc=example,dc=com
    
  • Add the DN of an organization to the user organization attribute

  • Try to remove the organization to see if it is reflected
Esteban
  • So by this, if I have a custom attribute named "organisation" in the users branch, we have to manually delete the "organization" from all the users if I delete the group? This behaviour looks quite awkward – Jashanpreet Singh Jun 14 '17 at 10:33
  • As I stated, I don't know enough Tivoli to tell you whether it is possible or not to extend this behaviour; all LDAP implementations do not stick "the same way" to what the protocol describes. For instance, on OpenLDAP you can configure the `memberOf` overlay to whatever objectClass you want. I just pointed out to you what this behaviour is, and what to look for in the Tivoli documentation. I tried to look for it, but nothing appeared to me after some searches. So either it needs some digging or this is not possible – Esteban Jun 14 '17 at 10:38
  • @JashanPreet I updated my answer with what I would do regarding the documentation you posted – Esteban Jun 15 '17 at 08:58
  • I found a way to work this in theory at least, but was not able to make it work https://publib.boulder.ibm.com/tividd/td/ITIM/SC32-1147-03/en_US/HTML/im451inst_ux_ws48.htm – Jashanpreet Singh Jun 15 '17 at 11:19
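
The manual cleanup discussed in the comments above, done on the application side with Spring LDAP, so that no user keeps a stale organization DN once the organization entry is gone. This is an added example, not code from the thread or from IBM's plugin; the class name and the `ou=Users,dc=example,dc=com` branch are hypothetical, and it assumes the `ContextSource` has no base DN configured, so every DN is absolute.

```java
import java.util.List;
import javax.naming.Name;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import org.springframework.ldap.core.ContextMapper;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.support.LdapUtils;

// Hypothetical helper: application-side referential integrity for a custom DN attribute.
public class OrganizationRemover {
    // Attribute name taken from the answer above; the users branch is an assumption.
    private static final String ORG_ATTRIBUTE = "organization";
    private static final String USERS_BASE = "ou=Users,dc=example,dc=com";

    private final LdapTemplate ldapTemplate;

    public OrganizationRemover(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    /** Strips orgDn from every referring user, then deletes the organization entry.
     *  Returns the number of user entries that were cleaned. */
    public int deleteOrganization(String orgDn) {
        // EqualsFilter escapes filter metacharacters, so orgDn cannot change the query.
        String filter = new EqualsFilter(ORG_ATTRIBUTE, orgDn).encode();
        ContextMapper<Name> dnMapper = ctx -> ((DirContextOperations) ctx).getDn();
        // The default search scope of this overload is the whole subtree under USERS_BASE.
        List<Name> referrers = ldapTemplate.search(USERS_BASE, filter, dnMapper);

        for (Name userDn : referrers) {
            // Remove only this one value; other values of the attribute are kept.
            ModificationItem removeRef = new ModificationItem(
                    DirContext.REMOVE_ATTRIBUTE, new BasicAttribute(ORG_ATTRIBUTE, orgDn));
            ldapTemplate.modifyAttributes(userDn, new ModificationItem[] { removeRef });
        }
        // Delete the entry last: a failure above leaves no reference to a missing entry.
        ldapTemplate.unbind(LdapUtils.newLdapName(orgDn));
        return referrers.size();
    }
}
```

The steps are separate LDAP operations, not one transaction, so a user assigned to the organization between the search and the unbind can still be left with a dangling DN; a server-side referential integrity plugin closes that window.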