removing ExternalAccount from user
I have a CPIP connection that needs to be removed from a user account every once in a while.
I try deleting it at the command line, but Luminis errors. I think this error is by design actually:
*****************
cptool set user userName -d ExternalAccount=easName
ERROR: Unexpected exception
Cannot delete ExternalAccount from Person
com.pipeline.sdk.mapper.PropertyNotFoundException: Cannot delete ExternalAccount from Person
at com.pipeline.sdk.mapper.PersonMapper.deleteProperty(PersonMapper.java:483)
at com.pipeline.cptool.module.SetUser.setAttributes(SetUser.java:441)
at com.pipeline.cptool.module.SetUser.execute(SetUser.java:222)
at com.pipeline.cptool.ModuleUtils.processCommand(ModuleUtils.java:296)
at com.pipeline.cptool.CpTool.activate(CpTool.java:219)
at com.pipeline.cptool.CpTool.main(CpTool.java:73)
********************
Any other suggestions on how to remove this? I am looking for something that can be automated. Sungard suggested exporting/importing LDIF files, but I'm not great at that without a LDAPBrowser, but more importantly, I want it to go through a Sungard programmed tool or API because there is a much smaller chance of data corruption. Plus since I want this automated, the Browser won't work.
thanks for the suggestions.

did find
I did find this earlier post:
http://www.lumdev.net/node/1711#comment-4049
I am hoping to find a different alternative than the ldapmodify command, but am going to start developing for it.
ldapmodify
ldapmodify is the only thing I can think of. I use it often for various Luminis changes.
Since the attribute you want to modify can be multivalued, make sure to have your LDIF specify which of them to delete:
example:
$ ldapmodify -h host1 -p 1389 -D cn=admin,cn=Administrators,cn=config -w -
Enter bind password:
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
delete: mobile
mobile: (408) 555-7845
From http://docs.sun.com/app/docs/doc/819-0995/6n3cq3apv?a=view
thanks Jason, I am definitely
thanks Jason,
I am definitely progressing in this direction.
I'm not terribly familiar with the ldapmodify command, but I think I'll have this interaction completed soon. My question now: Is there a way to script the ldapmodify command? I didn't realize LDAPMODIFY was going to have so much manual interaction.
thank you for all your help so far.
Scope of change
Are you trying to script this for all users who have ExternalAccount=easName or one specific user?
Example bash script for deleting an attribute for a user
#!/bin/bash
# Prompts for the user's login name and then deletes the pdsPssSRS attribute for that user
echo " "
echo -n "Enter the user's Luminis login: "
read -r vLogin
if [[ -z $vLogin ]]; then
    echo "Nothing entered."
    exit 1
fi
echo "Retrieving... "
# Convert input to all lowercase (classes are quoted so the shell cannot glob them)
vLogin=$(printf '%s' "$vLogin" | tr '[:upper:]' '[:lower:]')
# Get all the LDAP info needed to log in
Ldap_host=$(configman -g pds.ldap.host.name)
Ldap_passwd=$(configman -g pds.ldap.directory_manager.password)
Ldap_owner=$(configman -g pds.ldap.directory_manager.userid)
# Get the person's DN and store it in the variable userDn
# -LLL Restricts the output to LDIFv1, disables comments and disables printing of the LDIF version.
# -x Use simple authentication instead of SASL
# -D Use the Distinguished Name binddn to bind to the LDAP directory.
# -w Bind password. It is visible in the process list while the command runs.
# -h LDAP Hostname
# -b The starting base for the search. Change to match your LDAP info
userDn=$(ldapsearch -LLL -x \
    -D "${Ldap_owner}" \
    -w "${Ldap_passwd}" \
    -h "${Ldap_host}" \
    -b ou=People,o=YourSchool.ca,o=cp \
    "pdsLoginId=${vLogin}" \
    dn)
# Stop unless exactly one entry matched; otherwise the LDIF below would be invalid
if [[ $(grep -c '^dn:' <<< "$userDn") -ne 1 ]]; then
    echo "Expected exactly one match for ${vLogin}; nothing changed."
    exit 1
fi
#
# Write out the commands to a private temp file that is removed when the script exits
tmpFile=$(mktemp) || exit 1
trap 'rm -f "$tmpFile"' EXIT
echo "$userDn" > "$tmpFile"
echo 'changetype: modify' >> "$tmpFile"
echo 'delete: pdsPssSRS' >> "$tmpFile"
#
echo "Deleting pdsPssSRS record from LDAP for ${vLogin}..."
#
ldapmodify -x \
    -D "${Ldap_owner}" \
    -w "${Ldap_passwd}" \
    -h "${Ldap_host}" \
    -f "$tmpFile"
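Added example (not part of the original posts, and not Luminis or SunGard code): POSIX shell helpers for running the delete above without prompts, for instance when a web page supplies the login. They go beyond the script by removing one specific value of a multivalued attribute, as the ldapmodify reply advises, and by escaping the login for the search filter and base64-encoding values that are not safe as plain LDIF. The function names, the login character policy and the ATTR/VALUE placeholders are assumptions.

```sh
#!/bin/sh
# Added example: helpers for scripting the ldapmodify delete without prompts.

# valid_login NAME: accept only a conservative character set before NAME
# is placed in a search filter (assumed policy; adjust to your login format).
valid_login() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# escape_filter VALUE: escape the RFC 4515 filter metacharacters \ * ( )
escape_filter() {
    printf '%s' "$1" |
        sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldif_attr_line NAME VALUE: print "NAME: VALUE", or "NAME:: <base64>" when
# VALUE starts with space, ':' or '<', ends with space, or holds any byte
# outside printable ASCII (CR/LF included), so it cannot add LDIF lines.
ldif_attr_line() {
    unsafe=$(printf '%s' "$2" | LC_ALL=C tr -d ' -~' | wc -c | tr -d ' ')
    case $2 in
        ' '*|:*|'<'*|*' ') unsafe=1 ;;
    esac
    if [ "$unsafe" -gt 0 ]; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# delete_value_ldif DN ATTR VALUE: one modify record removing only VALUE
# from a multivalued ATTR; other values of ATTR stay in place.
delete_value_ldif() {
    ldif_attr_line dn "$1"
    printf 'changetype: modify\n'
    printf 'delete: %s\n' "$2"
    ldif_attr_line "$2" "$3"
}

# Usage sketch (not run here); variables as in the script above, $dn is the
# bare DN and ATTR/VALUE are placeholders for the attribute value to remove:
#   valid_login "$vLogin" || exit 1
#   ... ldapsearch with "pdsLoginId=$(escape_filter "$vLogin")" ...
#   delete_value_ldif "$dn" ATTR "VALUE" |
#       ldapmodify -x -D "$Ldap_owner" -w "$Ldap_passwd" -h "$Ldap_host"
```

Piping the record into ldapmodify on standard input, as the Sun documentation example in the earlier reply does, also removes the need for a temp file.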
on request only
The purpose is to delete it after it is requested, but there is going to be more than we can do with a Web Browser so I want a jsp page that will kick the script off.
Thanks for what you've written down for me. I think that has saved me a lot of research. Will post when it's complete and also post the code in case it's of any use to someone else. Obviously the community has written more of this than I have.
thanks.
~Terence
clear the values in ExternalAccount
1) assuming you are using the SecretStore to store credentials for this connector
2) assuming you want to prevent the user from using the SSO connector
3) assuming you do not have autosync = true
You can use cptool set user userName ExternalAccount="easName||"
This should "effectively" remove their SecretStore credentials from the system. And, if you have multiple accounts you could create a XML file to import that does the same thing:
<!DOCTYPE PIPELINE-USERS SYSTEM "pipeline-user-2.dtd">
<PIPELINE-USERS>
  <USER>
    <PROPERTY name="UserName">lumuser</PROPERTY>
    <PROPERTY name="ExternalAccount">alias||</PROPERTY>
  </USER>
  <USER>
    <PROPERTY name="UserName">lumuser2</PROPERTY>
    <PROPERTY name="ExternalAccount">alias||</PROPERTY>
  </USER>
</PIPELINE-USERS>
Hope that helps a little.