Oracle Internet Directory is an LDAP-compliant user directory. To my surprise I recently found out that it does not remove membership attributes from groups when users get disabled. This is at least true for version 10.1.4.3. I am not sure if the behavior is different in the 11g version.
This became an issue for us because the IT security department wanted to ensure that memberships were removed when users were disabled. Our solution was to create a plug-in and register it with OID.
The Oracle Identity Management Application Developer's Guide, located here, provides detailed information on how to extend the behavior of OID. It has sections on building custom plug-ins and deploying them.
I used the Java API to build this plug-in. Before I start sharing some code, here is some general information about the plug-in.
1. The plug-in is executed whenever OID performs a modify operation.
2. The plug-in determines whether the modify operation changes the "orclisenabled" attribute.
3. The plug-in determines whether the value of the "orclisenabled" attribute is being set to "DISABLED".
4. If both of the above are true, the plug-in searches the group base for the user's memberships and removes them.
5. The plug-in also creates a simple text log file and appends each membership it removes.
import java.io.BufferedWriter;
import java.io.FileWriter;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import javax.naming.NamingEnumeration;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import oracle.ldap.ospf.*; // OID server plug-in framework: ServerPluginAdapter, PluginDetail, PluginResult, ...

public class RemoveDisabledUsers extends ServerPluginAdapter {

    // Group container that is searched for memberships of the disabled user.
    private static final String GROUP_BASE = "cn=Groups,dc=dpt,dc=company,dc=com";

    public PluginResult when_modify(PluginDetail pluginDetail) throws Exception {
        // The log location comes from the orclPluginFlexfield;logLocation registration attribute.
        PluginFlexfield flxFldObj = pluginDetail.getPluginFlexfield();
        String logLocation = flxFldObj.getFlexfield("logLocation");
        if (logLocation == null) {
            logLocation = "/var/log/RemoveDisabledUsers.log";
        }
        ModifyLdapOperation modifyLdapOperation = (ModifyLdapOperation) pluginDetail.getLdapOperation();
        LdapModification ldapModification = modifyLdapOperation.getLdapModification();
        if (ldapModification == null) {
            throw new PluginException("RemoveDisabledUsers Plug-in Error: modify operation carries no modification.\n");
        }
        BufferedWriter out = new BufferedWriter(new FileWriter(logLocation, true));
        try {
            // Inspect every item being modified in the LDAP operation, not only the first one.
            for (int i = 0; i < ldapModification.size(); i++) {
                ModificationItem modItem = ldapModification.getModificationItemAt(i);
                BasicAttribute attr = (BasicAttribute) modItem.getAttribute();
                if (!attr.getID().equalsIgnoreCase("orclisenabled") || attr.size() == 0) {
                    continue; // not our attribute, or a value-less delete of it
                }
                String str = (String) attr.get(0);
                if (str.equalsIgnoreCase("disabled")) {
                    // user is being disabled
                    out.write(now() + " RemoveDisabledUsers Plug-in executing.\n");
                    disableUser(pluginDetail, out);
                }
            }
        } finally {
            out.close(); // release the log file even if the search or modify fails
        }
        PluginResult result = new PluginResult();
        result.setLdapOperation(modifyLdapOperation);
        return result;
    }

    public String now() {
        String DATE_FORMAT_NOW = "MM-dd-yyyy HH:mm:ss";
        Calendar cal = Calendar.getInstance();
        SimpleDateFormat sdf = new SimpleDateFormat(DATE_FORMAT_NOW);
        return sdf.format(cal.getTime());
    }

    // Escape a value for use inside an LDAP search filter (RFC 4515) so that a DN
    // containing '(', ')', '*' or '\' cannot break or widen the membership search.
    private static String escapeFilterValue(String value) {
        StringBuffer sb = new StringBuffer(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    private void disableUser(PluginDetail pluginDetail, BufferedWriter out) throws Exception {
        LdapBaseEntry entry = pluginDetail.getLdapBaseEntry();
        String userDN = entry.getDN();
        Server server = pluginDetail.getServer();
        // Context handed out by the server for plug-in use; no separate bind is needed.
        InitialLdapContext context = (InitialLdapContext) server.getLdapContextFromServerPlugin();
        SearchControls searchcontrols = new SearchControls();
        searchcontrols.setReturningAttributes(null);
        searchcontrols.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Find every group under GROUP_BASE that lists this user as a uniquemember.
        NamingEnumeration result = context.search(GROUP_BASE,
                "(uniquemember=" + escapeFilterValue(userDN) + ")", searchcontrols);
        while (result.hasMore()) {
            SearchResult searchresult = (SearchResult) result.next();
            String groupDN = searchresult.getName() + "," + GROUP_BASE;
            ModificationItem[] mods = new ModificationItem[1];
            mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("uniquemember", userDN));
            context.modifyAttributes(groupDN, mods);
            out.write(now() + " Disabled User " + userDN + " removed from group " + groupDN + "\n");
        }
    }
}
The plug-in is packaged as a jar file. To deploy it, copy the jar file to the $ORACLE_HOME/ldap/server/plug-in directory. Before you can start using the plug-in, it must be registered with OID. To register it, run an ldapadd command with the necessary plug-in configuration entry.
Here is the configuration entry I used to register this plug-in.
dn: cn=RemoveDisabledUsers,cn=plugin,cn=subconfigsubentry
orclPluginFlexfield;logLocation: /var/tmp/RemoveDisabledUsers.log
objectclass: orclPluginConfig
objectclass: top
orclPluginName: RemoveDisabledUsers.jar
orclPluginType: operational
orclPluginTiming: when
orclPluginLDAPOperation: ldapmodify
orclPluginEnable: 1
orclPluginVersion: 1.0.1
orclPluginIsReplace: 0
cn: RemoveDisabledUsers
orclPluginKind: Java
orclPluginAttributeList: orclisenabled
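Once registered, the plug-in only reacts to modify operations that happen after it is deployed, so users who were disabled earlier keep their group memberships. The following offline audit is an example added here, not part of the plug-in: it reads an ldapsearch -LLL style export (a constructed sample is embedded) and emits the LDIF that removes each stale uniquemember value, ready for ldapmodify.

```python
# Offline audit (example added for this post, not part of the plug-in): find users
# already set to DISABLED whose DN is still a uniquemember of a group and emit the
# LDIF that removes those memberships. Input is an ldapsearch -LLL style export;
# the sample below is constructed. Membership attribute is uniquemember, as in the plug-in.
SAMPLE_LDIF = """\
dn: cn=asmith,cn=Users,dc=dpt,dc=company,dc=com
orclisenabled: ENABLED

dn: cn=jdoe,cn=Users,dc=dpt,dc=company,dc=com
orclisenabled: DISABLED

dn: cn=finance,cn=Groups,dc=dpt,dc=company,dc=com
uniquemember: cn=asmith,cn=Users,dc=dpt,dc=company,dc=com
uniquemember: CN=jdoe,CN=Users,DC=dpt,DC=company,DC=com

dn: cn=ops,cn=Groups,dc=dpt,dc=company,dc=com
uniquemember: cn=asmith,cn=Users,dc=dpt,dc=company,dc=com
"""

def norm_dn(dn):
    """Case- and whitespace-insensitive DN key, so the upper-case jdoe value still matches."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from a minimal LDIF export (no base64, no line folding)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def stale_memberships(entries):
    """(group_dn, member_value) pairs whose member is a DISABLED user entry."""
    disabled = {norm_dn(dn) for dn, a in entries.items()
                if any(v.lower() == "disabled" for v in a.get("orclisenabled", []))}
    return [(g, m) for g, a in entries.items()
            for m in a.get("uniquemember", []) if norm_dn(m) in disabled]

def cleanup_ldif(pairs):
    """LDIF modify records (ldapmodify input) deleting each stale uniquemember value."""
    return "".join("dn: %s\nchangetype: modify\ndelete: uniquemember\nuniquemember: %s\n-\n\n"
                   % (g, m) for g, m in pairs)
```

Against a real export, call cleanup_ldif(stale_memberships(parse_ldif(open("export.ldif").read()))) and review the output before feeding it to ldapmodify.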
Enjoy!