Delete orphaned LDAP accounts

Last modified 13 Nov 2025 09:42 +01:00

When integrating the LDAP server into your new midPoint ecosystem, you found some accounts that are either leftovers from the past or even obviously malicious attack attempts. Now is the time to clean such accounts from the LDAP server. Deleting accounts is, however, not to be taken lightly. Mistakes can happen and it is a good practice to avoid hard-deleting everything without any grace period.

In this module, you will add configurations to:

  • Delay account deletion to provide a limited grace period.

  • Disable accounts prior to their (delayed) hard deletion.

  • Activate the synchronization rule for deleting unmarked unmatched accounts.

Both delayed delete and disable instead of delete are outbound activation mappings.

Human errors happen. Give them a grace period

The first step to avoid irreversible mistakes is to disable accounts instead of deleting them right away. The next step is to configure the length of the grace period, i.e., for how long midPoint needs to wait before actually deleting the orphaned or malicious accounts.

  1. In the target LDAP resource, go to Accounts.

  2. Select Configure > Activation.

  3. Select the Outbound tab and click Add outbound.

  4. In the Activation rules modal that appears, select Disable instead of delete.

  5. Repeat to add also the Delayed delete activation rule.

    • This activation rule requires you to set the delay length. In production, sensible values span from several days to one or two months. For testing, you can set it to as little as a few dozen seconds.

  6. Use the Proposed lifecycle state for both activation configurations.

Figure 1. Outbound activation mappings for delayed delete and disable instead of delete

Prepare resource-side account deletion for testing

In a previous module, you created an LDAP synchronization rule to delete unmatched accounts. The rule is still in the Draft lifecycle state because we did not want to delete accounts on the resource before the grace period configuration was in place.

Now that the configuration is in place, you can safely activate the synchronization rule. You will first put it to the Proposed lifecycle state to enable testing; once tested, you will put it to the Active state.

  1. In the target LDAP resource, go to Accounts.

  2. Select Configure > Synchronization.

  3. Set the lifecycle state of the delete-unmatched-resource-object rule to Proposed.

    • Rule: Delete resource object reaction to the Unmatched situation

  4. Click Save synchronization settings to save the change.

Figure 2. List of target LDAP resource synchronization rules with the delete-unmatched-resource-object now in the Proposed state
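The two procedures above, expressed as the corresponding fragment of the target LDAP resource's XML definition, are shown here as an added example rather than the tutorial's own configuration. The element names follow midPoint's schemaHandling activation and synchronization syntax as this editor understands them; the account kind/intent, the one-day delay and the rule description are assumed values.

```xml
<!-- Added example (not from the tutorial): resource fragment equivalent to the
     GUI steps. Element names are the editor's understanding of the midPoint
     schema; kind/intent, the P1D delay and the description are assumptions. -->
<schemaHandling>
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <activation>
            <!-- Step 4: an orphaned account is disabled rather than removed.
                 'proposed' = evaluated in simulation/development mode only. -->
            <disableInsteadOfDelete>
                <lifecycleState>proposed</lifecycleState>
            </disableInsteadOfDelete>
            <!-- Step 5: grace period before the hard delete (ISO 8601 duration).
                 P1D = one day; a value like PT30S is only sensible for testing. -->
            <delayedDelete>
                <lifecycleState>proposed</lifecycleState>
                <deleteAfter>P1D</deleteAfter>
            </delayedDelete>
        </activation>
        <synchronization>
            <!-- The rule from the previous module, now in the Proposed state
                 (step 3 of the second procedure). Switch to 'active' for
                 production once the simulation results look right. -->
            <reaction>
                <name>delete-unmatched-resource-object</name>
                <description>Assumed description: remove resource accounts midPoint cannot match to any owner.</description>
                <lifecycleState>proposed</lifecycleState>
                <situation>unmatched</situation>
                <actions>
                    <deleteResourceObject/>
                </actions>
            </reaction>
        </synchronization>
    </objectType>
</schemaHandling>
```

Because both the activation mappings and the reaction carry their own lifecycleState, each part of the grace-period configuration can be promoted from proposed to active independently, which is why the final section of this module switches them in separate steps.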

Simulate behavior of the new configuration

You are now ready to simulate the updated configuration before you put it into production.

To check the behavior of your new configuration, use reconciliation tasks. You already have both simulation and production reconciliation tasks defined.

Refer to the Reconcile the LDAP accounts module to refresh your knowledge on working with reconciliation tasks.

  1. Run the reconciliation task in the preview mode with development configuration.

  2. Inspect the simulation results to see if the configuration behaves as expected.

If you changed nothing else on the resource or in midPoint in the meantime, you should see that only the accounts you need to get rid of are affected.

Figure 3. Synchronization simulation results showing that one account would be deleted from the resource.

Delete unwanted accounts on production

Once tested and verified, activate the whole configuration in production.

  1. Switch the lifecycle state of the delete-unmatched-resource-object synchronization rule to Active.

  2. Switch the activation rules to the Active lifecycle state.

  3. Run the production reconciliation task.
