Using supplied scripts to delete inactive users based on inactivity length

You can use supplied Tivoli Directory Integrator (TDI) scripts to surface and delete users who have been inactive for a specified length of time. You might use this process to ensure that users who are no longer in the organization, according to LDAP, are deleted from the Profiles directory. If your organization plans to reuse UID values, or other unique profile fields, you should permanently delete inactive users so that these values can be reassigned to others.

When you inactivate a user, their email field is cleared but other fields such as UID, GUID, and distinguished name are not. These users also remain listed in components such as Communities, Activities, and Profiles. After a specified length of time you may want to delete these inactive users completely from your other Connections components. You can use the revoke users sample to delete inactive users who meet the length of time criteria. For related information, see User life cycle details.

Note: After flagging a user as inactive, but prior to revoking or deleting that user, you can retrieve that user and their data. However, after revoking or deleting a user, you cannot retrieve that user or that user’s data.

Typically the sync_all_dns utility is used to synchronize the Profiles data set on a scheduled basis. When a user leaves the organization and is removed from the LDAP directory, by default the sync_all_dns utility inactivates that user by flagging them as inactive in the Profiles database and propagating this information to the other Connections components.

In this example, you will use supplied scripts to delete inactive users who were inactivated earlier than the specified number of days. This gives the organization a transition period, during which the users are in an inactive state. These users can then be deleted after the transition period. The transition period can be any value, in days. When the user is deleted, their UID and GUID identifiers are made available for reuse.

See Deleting or inactivating users in the Profiles database for related information.

Use the following procedure:
  1. Copy the revoke_users.sh or revoke_users.bat, revoke_users.xml, and revoke_users.properties files to the Profiles TDI solution directory from the supplied samples directory.
  2. Optional: Run the revoke_users script with the validate parameter to check that you have installed the fixpacks required to run the revoke_users script with the revoke parameter. Results are sent to the logs/ibmdi.log file.
    See the following sample output:
    2012-06-19 11:22:03,076 INFO  [AssemblyLine.AssemblyLines/validate.1]
      +++++++++ VALID TDI SOLUTION +++++++++++
  3. Optional: Run the revoke_users script with the summary parameter to preview the users to be deleted before actually deleting them.

    This script creates the following two preview files:

    • revoke.ldif – lists the inactive users that the revoke_users revoke script will delete from the Profiles database. These are the inactive users who have been inactive for as long as or longer than the specified amount of time.
    • revoke_skip.ldif – lists the inactive users that the revoke_users revoke script will not delete from the Profiles database. These are the inactive users who have been inactive for less than the specified amount of time.
      Note: The logs/ibmdi.log file is updated after every 10K user names processed.
    Note: After flagging a user as inactive, but prior to revoking or deleting that user, you can retrieve that user and their data. However, after revoking or deleting a user, you cannot retrieve that user or that user’s data.
  4. Run the revoke_users script with the revoke parameter to delete the inactive users from the Profiles database.

    This script creates the same revoke.ldif and revoke_skip.ldif files as the revoke_users summary script. It then deletes the users listed in the revoke.ldif file from the Profiles database.
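
Because step 4 cannot be undone, the preview files from step 3 are worth checking before it runs. The following is an added example, not one of the supplied scripts: it assumes revoke.ldif and revoke_skip.ldif are standard LDIF with one dn: line per entry, and the protected account and deletion limit are hypothetical values to replace with your own.

```python
import base64
import sys
from pathlib import Path

def ldif_dns(text):
    """Return the DN of each entry in LDIF text (RFC 2849 folding and base64)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation of the previous line
        else:
            lines.append(raw)
    dns = []
    for line in lines:
        if line.startswith("dn::"):       # base64-encoded DN (non-ASCII names)
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.startswith("dn:"):
            dns.append(line[3:].strip())
    return dns

def norm(dn):
    """Case-insensitive DN key; ignores spaces around commas (no escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def review(revoke_text, skip_text, protected, max_deletions):
    """Return reasons to hold the revoke run; an empty list means proceed."""
    revoke = {norm(d) for d in ldif_dns(revoke_text)}
    skip = {norm(d) for d in ldif_dns(skip_text)}
    problems = []
    if len(revoke) > max_deletions:
        problems.append(f"{len(revoke)} deletions exceeds limit {max_deletions}")
    for dn in sorted(revoke & {norm(p) for p in protected}):
        problems.append(f"protected account listed: {dn}")
    for dn in sorted(revoke & skip):
        problems.append(f"listed in both files: {dn}")
    return problems

# Constructed sample data, not real output of the revoke_users script.
SAMPLE_REVOKE = (
    "dn: uid=jdoe,ou=people,dc=example,dc=com\n\n"
    "dn: uid=averylongname,ou=contractors,\n dc=example,dc=com\n\n"
    "dn:: " + base64.b64encode("uid=josé,ou=people,dc=example,dc=com".encode()).decode() + "\n"
)
SAMPLE_SKIP = "dn: uid=asmith,ou=people,dc=example,dc=com\n"

if __name__ == "__main__":
    sol = Path(sys.argv[1] if len(sys.argv) > 1 else ".")   # TDI solution directory
    texts = [(sol / n).read_text(encoding="utf-8") for n in ("revoke.ldif", "revoke_skip.ldif")]
    issues = review(*texts, protected=["uid=admin,dc=example,dc=com"], max_deletions=100)  # hypothetical
    sys.exit("\n".join(issues) if issues else 0)   # a message means exit status 1
```

Run it against the solution directory after the summary step; a non-zero exit status means the preview should be reviewed by hand before the revoke step.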