Cleanup of deleted user Artefacts from WebSphere Portal and reestablish Unique ID binding on LDAP change

Added by Stefan Schmitt | Edited by IBM contributor

Stefan Schmitt on October 20, 2009 | Version 3

Edit
More Actions ▼

4 comments

Abstract

No abstract provided.

Tags: administrator, basic configuration, LDAP, multiple ldap, PUMA

WebSphere Portal stores aretefacts for Users and Groups retrieved from a Backend Repository. Usually this information is not stable. Users/Groups are deleted, LDAP server are moved or data is restored from Backup. By those actions orphan data bindings are left witihn theWebSphere Portal configuration which should be resolved from time to time.

Usually you want to remove entries for no longer existing users to reduce the amount of data store within your environment. For this scenario the cleanup User task has been added to the system.
In addition, it might happen that the bindings betweenWebSphere Portal artefacts and the corresponding LDAP users are lost , because of a LDAP server migration, this task provides the additional feature to "heal" your system and recreate lost bindings.

The steps start at the point where the users have been already removed from the backend.
1. open cmd
2. move to portalhome/bin
3. copy portalhome/base/wp.xml/doc/xml-samples/CleanupUser.xml to portalhome/bin
4. execute xmlaccess like ./xmlaccess.sh -in CleanupUsers.xml -out result.xml -user wpsadmin -password wpsadmin -url http://localhost:10040/wps/config

results in this sschmitt@wpsvm030:/opt/WebSphere/PortalServer/bin> ./xmlaccess.sh -in CleanupUsers.xml -out result.xml -user wpsadmin -password wpsadmin -url http://localhost:10040/wps/config Licensed Materials - Property of IBM, 5724-E76, 5655-R17, and 5655-M44, (C) Copyright IBM Corp. 2001, 2007 - All Rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. EJPXB0006I: Connecting to URL http://localhost:10040/wps/config EJPXB0004I: Writing output file /opt/WebSphere/PortalServer/bin/result.xml EJPXB0002I: Reading input file /opt/WebSphere/PortalServer/bin/CleanupUsers.xml EJPXB0020I: The request was processed successfully on the server. sschmitt@wpsvm030:/opt/WebSphere/PortalServer/bin>

5. verify users or groups are included, in this case these two entries are to be migrated

6. Now open the result.xml file and modify cleanup-users="invalid" to cleanup-users="true" and add migrate-users="true"
7. Execute xmlaccess like ./xmlaccess.sh -in result.xml -out result2.xml -user wpsadmin -password wpsadmin -url http://localhost:10040/wps/config

Licensed Materials - Property of IBM, 5724-E76, 5655-R17, and 5655-M44, (C) Copyright IBM Corp. 2001, 2007 - All Rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. EJPXB0006I: Connecting to URL http://localhost:10040/wps/config EJPXB0004I: Writing output file /opt/WebSphere/PortalServer/bin/result2.xml EJPXB0002I: Reading input file /opt/WebSphere/PortalServer/bin/result.xml EJPXB0020I: The request was processed successfully on the server

8. Verify by re-execution of cleanupuser sschmitt@wpsvm030:/opt/WebSphere/PortalServer/bin> ./xmlaccess.sh -in CleanupUsers.xml -out result3.xml -user wpsadmin -password wpsadmin -url http://localhost:10040/wps/config Licensed Materials - Property of IBM, 5724-E76, 5655-R17, and 5655-M44, (C) Copyright IBM Corp. 2001, 2007 - All Rights reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. EJPXB0006I: Connecting to URL http://localhost:10040/wps/config EJPXB0004I: Writing output file /opt/WebSphere/PortalServer/bin/result3.xml EJPXB0002I: Reading input file /opt/WebSphere/PortalServer/bin/CleanupUsers.xml EJPXB0020I: The request was processed successfully on the server.

Server should not provide additional users and groups.

Edit
More Actions ▼

Attachments (0)

Versions (2)

Comments (4)

Travis Cornwell commented on Oct 10, 2011

Re: Cleanup of deleted user Artefacts from WebSphere Portal and reestablish Unique ID binding on LDAP change

The CleanUpUsers procedure cleans up entries in the Release database, namely the USER_DESC table. The most common symptom for "when" to run CleanUpUsers is when assigning permissions, you see blank lines in the Resource Permissions portlet. This is often the sign two entries for the same user existing in the Release database. One of the entries is outdated and needs to cleaned up, the other is valid / still in use.

Most common reasons to run CleanUpUsers

1) You use common name (cn) as your primary Portal attribute. Somebody gets married. Their LDAP information changes from "John Doe" to "John Smith" ... you would need to cleanup the old "John Doe" entries. The "John Smith" entries would already be active / in use.

2) An entry is deleted in recreated in the same LDAP server. The external identifier of the LDAP will have changed in that case, and will cause a duplicate entry in the Portal database as a result.

3) An LDAP server migration, moving from one LDAP to a different one and data is not replicated between the LDAPs. Although the distinguished names of the users may remain the same, the external identifiers will be different, causing duplicate entries.

MemberFixer and User Transformation Tool (UTT) clean the JCR database, but not the Release database. CleanUpUsers cleans the Release database. CleanUpUsers should be run prior to run MemberFixer and/or the User Transformation Tool.

Melissa Howarth commented on Sep 23, 2009

More explanation

Could you please add a bit more explanation/introduction to this article about when and why you would use it. Thanks

Joe Breal commented on Sep 10, 2009

Replacement for MemberFixer?

Just curious if this process is meant to replace MemberFixer.

Also, what versions does this work with?

Thanks

Joel B Allen commented on Sep 10, 2009

Users in the DB

Note that users that aren't in the databases but are in the LDAP will not show up for clean up by this task. Only users which are in the database that need to be cleaned up will be present.

This may help some who expect a user to get cleaned up if that user has been removed from the LDAP but does not show up in the clean up user task. It's likely that the user was never created in the database because that user never authenticated to Portal, causing a database entry to be created.

Copy and paste this wiki markup to link to this article from another article in this wiki.

Link:

About the Original Author

Recent articles by this author

Manage CORS in WebSphere Portal

How WebSphere Portal treats com.ibm.ws.security.web.logoutOnHTTPSessionExpire

How to Configure and Use OpenID, Facebook integration on WebSphere Portal

Cleanup of deleted user Artefacts from WebSphere Portal and reestablish Unique ID binding on LDAP change

Using WAS Admin console to import SSL credentials

Cleanup of deleted user Artefacts from WebSphere Portal and reestablish Unique ID binding on LDAP change