Skip to main content

Oracle Internet Directory plug-in to remove users from groups

Oracle Internet Directory is an LDAP compliant user directory. To my surprise I  recently found out that it does not remove membership attributes from groups when users get disabled. This is at least true for the version I am not sure if the behavior is different in the 11g version.

This became an issue for us because the IT security department wanted to ensure that memberships were removed when users were disabled. Our solution was to basically create a plug-in and register the plug-in with OID.

Oracle Identity Management Application Developers Guide located here provides detailed information on how to extend the behavior of OID. This document has sections for building custom plug-ins and their deployment.

I used their JAVA API to build this plug-in. Before I start sharing some code, here is some general information about the plug-in.

1. The plug-in will get executed whenever OID performs a modify operation.
2. The plug-in will determine if the modify operation involves changing of the "orclisenabled" attribute.
3. The plug-in will determine whether the value of the "orclisenabled" attribute is being set to "DISABLED"
4. If above is true, plug-in will search the group base for membership and remove them.
5. This plug-in also creates a simple text file for logging and appends membership information that is being removed

 public class RemoveDisabledUsers extends ServerPluginAdapter {  
      public PluginResult when_modify(PluginDetail pluginDetail) throws Exception {  
           try {  
                // Retrieve the PluginFlexfield Object from the PluginDetail  
                PluginFlexfield flxFldObj = pluginDetail.getPluginFlexfield();  
                String logLocation = flxFldObj.getFlexfield("logLocation");  
                if (logLocation == null) {  
                     logLocation = "/var/log/RemoveDisabledUsers.log";  
                FileWriter fstream = new FileWriter(logLocation, true);  
                BufferedWriter out = new BufferedWriter(fstream);  
                ModifyLdapOperation modifyLdapOperation = (ModifyLdapOperation) pluginDetail.getLdapOperation();  
                LdapModification ldapModification = modifyLdapOperation.getLdapModification();  
                if (ldapModification != null) {  
                     ModificationItem modItem = ldapModification.getModificationItemAt(0);  
                     // for each item bein modified in the ldap operation  
                     BasicAttribute attr = (BasicAttribute) modItem.getAttribute();  
                     if ((attr.getID()).equalsIgnoreCase("orclisenabled")) {  
                          String str = (String) attr.get(0);  
                          if (str.equalsIgnoreCase("disabled")) {  
                               // user is being disabled  
                               out.write(now() + " RemoveDisabledUsers Plug-in executing.\n");  
                               disableUser(pluginDetail, out);  
                     PluginResult result = new PluginResult();  
                     return result;  
                } else {  
                     throw new PluginException("RemoveDisabledUsers Plug-in Error.\n");  
           } catch (Exception e) {  
                throw e;  
      public String now() {  
           String DATE_FORMAT_NOW = "MM-dd-yyyy HH:mm:ss";  
           Calendar cal = Calendar.getInstance();  
           SimpleDateFormat sdf = new SimpleDateFormat(DATE_FORMAT_NOW);  
           return sdf.format(cal.getTime());  
      private void disableUser(PluginDetail pluginDetail, BufferedWriter out) throws Exception {  
           LdapBaseEntry entry = pluginDetail.getLdapBaseEntry();  
           String userDN = entry.getDN();  
           Server server = pluginDetail.getServer();  
           InitialLdapContext context = (InitialLdapContext) server.getLdapContextFromServerPlugin();  
           SearchControls searchcontrols = new SearchControls();  
           NamingEnumeration result ="cn=Groups,dc=dpt,dc=company,dc=com", "uniquemember=" + userDN, searchcontrols);  
           while (result.hasMore()) {  
                SearchResult searchresult = (SearchResult);  
                String groupDN = searchresult.getName() + ",cn=Groups,dc=dpt,dc=company,dc=com";  
                ModificationItem[] mods = new ModificationItem[1];  
                mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("uniquemember", userDN));  
                context.modifyAttributes(groupDN, mods);  
                out.write(now() + " Disabled User " + userDN + " removed from group " + groupDN + "\n");  

The plug-in is packaged as a jar file. To deploy this plug-in, copy the jar file to $ORACLE_HOME/ldap/server/plug-in directory. Before you can start using this plug-in, it must be registered with OID. To register, you will need to perform an ldapadd command with necessary plug-in configuration.

Here is the configuration entry I used to register this plugin.

 dn: cn=RemoveDisabledUsers,cn=plugin,cn=subconfigsubentry  
 orclPluginFlexfield;logLocation: /var/tmp/RemoveDisabledUsers.log  
 objectclass: orclPluginConfig  
 objectclass: top  
 orclPluginName: RemoveDisabledUsers.jar  
 orclPluginType: operational  
 orclPluginTiming: when  
 orclPluginLDAPOperation: ldapmodify  
 orclPluginEnable: 1  
 orclPluginVersion: 1.0.1  
 orclPluginIsReplace: 0  
 cn: RemoveDisabledUsers  
 orclPluginKind: Java  
 orclPluginAttributeList: orclisenabled