Active Directory - Provision but no Deprovision

former_member283791
Participant

Hey guys,

I got an issue with controlling an AD from IdM. Problem is that my deprovisioning doesn't run, at all!

I created my repository with the standard values (starting point, starting point groups, naming attribute = cn (right?)) and I defined provisioning, deprovisioning and modify tasks using the tasks in the SAP PF ADS tasks.

So I can assign a privilege (AD group) to a user in IdM. This user gets created in AD and gets added to the correct group.

Problem is when I remove this privilege again it is not getting removed from AD. Neither is the user being disabled/removed.

To answer the obvious question: Yes all the jobs are activated and have a dispatcher assigned.

What I see in the log is: Modify User. And that's it; normally I would assume that the deprovision job gets triggered next.

Hope someone has an answer for me!

regards,

Jonathan

(have a nice weekend)

Accepted Solutions (1)

former_member2987
Active Contributor

Couple of things here, Jonathan:

Check the Repository and make sure that the naming attribute is CN as well.

When you are deprovisioning are you doing a ModRDN or deleting the entry?

If it's a delete, specify Changetype Delete

If you're moving the user you'll need to set up a ModRDN as part of the process.

Or were you just doing something else like disabling the account via userAccountControl? Then you might need to specify a Changetype Modify.

If you're just removing the user from the group, it should be specifying the DN of the group with a "- member" and the DN of the user.

Hope this helps!

Matt
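As an added illustration (not from Matt's post and not SAP's own PF ADS task definitions), here are the four deprovisioning operations Matt lists, written as plain LDIF changetypes so the expected change on the AD side is visible. The group name, user CN, OUs and domain are constructed placeholders.

```ldif
# 1. Remove the user from the group: delete one value of the group's
#    multi-valued "member" attribute (the group DN is the target).
dn: CN=IdM-App-Users,OU=Groups,DC=example,DC=com
changetype: modify
delete: member
member: CN=jdoe,OU=Users,DC=example,DC=com
-

# 2. Disable the account: set the ACCOUNTDISABLE bit (0x2) in
#    userAccountControl. 512 = NORMAL_ACCOUNT, so 514 = 512 + 2.
dn: CN=jdoe,OU=Users,DC=example,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 514
-

# 3. Move the user to a holding OU: ModRDN with a new parent, keeping the CN.
#    (OU=Disabled is a constructed placeholder.)
dn: CN=jdoe,OU=Users,DC=example,DC=com
changetype: modrdn
newrdn: CN=jdoe
deleteoldrdn: 1
newsuperior: OU=Disabled,DC=example,DC=com

# 4. Delete the entry outright. Note the DN now reflects the move in step 3.
dn: CN=jdoe,OU=Disabled,DC=example,DC=com
changetype: delete
```

Each of these is a separate LDAP operation, and an IdM deprovisioning task has to emit the right changetype for each step; a task that only issues a modify on the user entry will never remove the group membership, because that change is written against the group's DN, not the user's.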

former_member283791
Participant

Hey Matt,

Thanks for the answer.

I am using the provisioning framework for this, so after determining that the entry type is MX_PERSON he should go over to removing all the group assignments, disabling the user and then deleting the user.

Nothing of what you proposed seems to work, however. The problem really is that deprovisioning isn't triggered. After the "ModifyUser" job has run nothing happens, where normally he should automatically start the DeprovisionADS job.

KR,

Jonathan

former_member2987
Active Contributor

So the job itself is not firing? Try running under the Windows engine rather than the Java engine; just disregard the warning. It's quite the useful troubleshooting trick, since it will return slightly different messages, and is always a good thing to try with any AD-related activities.

Matt

Former Member

Hi Jonathan,

Was the user you want to delete created by IDM within Active Directory?

Was the user read into IDM by the initial load of Active Directory?

Assuming you are using IDM 7.1, please have a look at the status of attribute "MXREF_MX_PRIVILEGE". The status should be something like "1000" or "1100". In case of "21" IDM thinks that the privilege isn't assigned correctly, so it doesn't start the deprovisioning after deleting the privileges within the user.

Kind regards,

Achim

former_member2987
Active Contributor

Achim,

Good point, also make sure that you're either passing the Privilege as the MSKEY or the MSKEYVALUE in <> characters, which will cause IDM to look up and pass the MSKEYVALUE for you.

former_member283791
Participant

Hey Achim,

The user (a test user of mine) did exist in the AD when I performed the initial load. But the user also existed in the IdM at the time of the Initial Load.

Having said that, I have already removed the user manually from IdM and AD. Then I created him again in IdM and had IdM provision him to AD.

If I search for the MXREF_MX_PRIVILEGE entry, it does not exist for this user (MSKEY).

@Matt: I switched all the deprov jobs to Windows runtime but again I don't think it's getting that far. For some reason after the ModifyUser nothing happens.

Any other ideas, guys? I really appreciate the help, btw. And yes, running 7.1 SP6.

Former Member

Hi Jonathan,

Please have a look at the view mxiv_oentries for your user.

There you can find the old entries and the formerly assigned privileges (MSKEYs).

Please check the status there.

Kind regards,

Achim

Answers (0)