One of our Connections customers has the following as a requirement:
Inactivate users based on LDAP GROUP
Solution
The solution I found was to create a text file based on the LDAP group, run the sync_all_dns.sh command and then run the delete_or_inactivate_employees.sh command.
The java program
The class below reads the LDAP directory and verifies whether each user is a member of the group. I did not find good information on how to use the ITDS API to check whether a user is a member of a group, so I had to do it "manually".
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileWriter;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.*;
import javax.naming.directory.*;

public class GroupSearch
{
    // Returns true if the DN "nome" is one of the group member DNs.
    // Both sides are compared in upper case, so a member value with
    // extra whitespace around the commas will not match.
    public static boolean compara(String nome, ArrayList<String> grupo)
    {
        boolean blnFound = grupo.contains(nome.toUpperCase());
        return blnFound;
    }

    @SuppressWarnings({ "rawtypes", "unchecked" })
    public static void main(String args[])
    {
        InitialLdapContext ctx = null;
        Hashtable hashtable = null;
        Properties prop = new Properties();
        try
        {
            // load the properties file (it holds the bind password in
            // clear text, so keep its file permissions restricted)
            prop.load(new FileInputStream("config.properties"));
            // read the connection parameters and the two search filters
            String url = "ldap://" + prop.getProperty("server");
            String username = prop.getProperty("username");
            String password = prop.getProperty("password");
            String base = prop.getProperty("base");
            String groupName = prop.getProperty("groupFilter");
            String userFilter = prop.getProperty("userFilter");
            // Set up LDAP config settings
            hashtable = new Hashtable();
            hashtable.put("java.naming.ldap.version", "3");
            hashtable.put("java.naming.factory.initial",
                "com.sun.jndi.ldap.LdapCtxFactory");
            hashtable.put("java.naming.security.authentication", "simple");
            hashtable.put("java.naming.referral", "follow");
            hashtable.put("java.naming.provider.url", url);
            hashtable.put("java.naming.security.principal", username);
            hashtable.put("java.naming.security.credentials", password);
            // Make LDAP connection
            ctx = new InitialLdapContext(hashtable, null);
            System.out.println("Connection established");
            // Set up search controls
            SearchControls sc = new SearchControls();
            SearchControls gc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            gc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "uid", "sn", "cn" });
            // only the membership attribute of the group entry is needed
            gc.setReturningAttributes(new String[] { "uniqueMember", "member" });
            // perform search on directory
            System.out.println("Searching the directory, please wait.");
            NamingEnumeration results = ctx.search(base, userFilter, sc);
            NamingEnumeration groupResult = ctx.search(base, groupName, gc);
            // ArrayList with the DNs of the group members (upper-cased)
            ArrayList<String> members = new ArrayList<String>();
            while (groupResult.hasMore()) {
                SearchResult gr = (SearchResult) groupResult.next();
                Attributes gattrs = gr.getAttributes();
                NamingEnumeration gattrsList = gattrs.getAll();
                while (gattrsList.hasMore()) {
                    Attribute gatribute = (Attribute) gattrsList.next();
                    NamingEnumeration values = gatribute.getAll();
                    while (values.hasMore()) {
                        members.add(values.next().toString().toUpperCase());
                    }
                }
            }
            // dump users to file
            File file = new File("delete_or_inactivate_employees.in");
            if (!file.exists()) {
                file.createNewFile();
            }
            FileWriter fw = new FileWriter(file.getAbsoluteFile());
            BufferedWriter bw = new BufferedWriter(fw);
            while (results.hasMore())
            {
                // get the SearchResult object
                SearchResult sr = (SearchResult) results.next();
                Attributes attributes = sr.getAttributes();
                Attribute shortName = attributes.get("sn");
                // full DN of the entry: name relative to the search base, plus the base
                String nome = sr.getName().toString() + "," + base;
                Attribute userName = attributes.get("uid");
                String usuario = userName.toString();
                // if the user is in the group, write its record to the file
                if (compara(nome, members)) {
                    String dn = usuario.replace("uid: ", "$dn:uid=") + "," + base + "\r\n";
                    String cn = shortName.toString().replace("sn: ", "uid:") + "\r\n" + "." + "\r\n";
                    bw.write(dn + cn);
                }
            }
            bw.close();
            System.out.println("File created\r\nBUILD SUCCESSFUL");
        }
        catch (Exception ex)
        {
            System.out.println("EXCEPTION = " + ex.toString());
        }
        finally
        {
            // Close the connection to LDAP even if the search failed
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ne) { }
            }
        }
    }
}
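The membership check in compara() is a plain upper-cased string match, so a member value stored as "uid=jdoe, cn=users, ..." (spaces after the commas) or in a different letter case would not match and that user would never be written to the file. The Python script below is an added example, not part of the original post, that runs the same membership check over constructed sample data with a normalized DN comparison and emits the delete_or_inactivate_employees.in records in the layout the page's program writes (a $dn: line, a uid: line carrying the uid value, and a lone "." terminator); BASE, GROUP_MEMBERS and USERS are made-up inputs.

```python
import re

# Constructed sample data, not taken from a real directory: the DNs that
# the group search (uniqueMember values of cn=DenyGroup) would return, and
# the entries the user search would return, relative to the search base.
BASE = "cn=users,dc=example,dc=com"
GROUP_MEMBERS = [
    "uid=jdoe, cn=users, dc=example, dc=com",   # spaces after the commas
    "UID=asmith,CN=users,DC=EXAMPLE,DC=COM",    # different letter case
]
USERS = [
    {"rdn": "uid=jdoe",   "uid": "jdoe",   "sn": "Doe"},
    {"rdn": "uid=asmith", "uid": "asmith", "sn": "Smith"},
    {"rdn": "uid=bwayne", "uid": "bwayne", "sn": "Wayne"},   # not in the group
]


def normalize_dn(dn):
    """Canonical form for comparing DNs: lower case, no whitespace around
    the ',' separators or the '=' of each RDN. Commas escaped as '\\,'
    inside a value are left alone; other escapes are not handled."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    return ",".join(re.sub(r"\s*=\s*", "=", r).lower() for r in rdns)


def is_member(rdn, base, members):
    """The page's compara() check, with DN normalization instead of a
    plain upper-cased string compare."""
    wanted = normalize_dn(rdn + "," + base)
    return any(normalize_dn(m) == wanted for m in members)


def build_input_file(users, base, members):
    """Build the delete_or_inactivate_employees.in content: one record per
    group member, each a '$dn:' line, a 'uid:' line and a lone '.'
    terminator, all CRLF-terminated like the page's program writes them."""
    records = []
    for u in users:
        if is_member(u["rdn"], base, members):
            records.append("$dn:%s,%s\r\n" % (u["rdn"], base))
            records.append("uid:%s\r\n.\r\n" % u["uid"])
    return "".join(records)


if __name__ == "__main__":
    print(build_input_file(USERS, BASE, GROUP_MEMBERS), end="")
```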
Configuration
The file config.properties sets the parameters. groupFilter is the filter for the desired group and userFilter is the filter used to search for users on the LDAP server. This filter must be the same one used in profiles_tdi.properties to avoid problems.
This file must be in the same folder as ExportLdap.jar.
The file must contain the following lines:
server=
username=
password=
base=
groupFilter=
userFilter=
I put the files ExportLdap.jar and config.properties on
For example:
server=yourldapserver:389
username=cn=root
password=
groupFilter=(&(objectclass=groupOfUniqueNames)(cn=DenyGroup))
userFilter= (&(uid=*)(objectclass=inetOrgPerson))
Running the solution
Put the files config.properties and ExportLdap.jar in the folder:
Run the script sync_all_dns.sh
Run java -jar ExportLdap.jar
The program will generate the file delete_or_inactivate_employees.in
The final step is to run the ./delete_or_inactivate_employees.sh script