Delete OpenLDAP Account

Hi All,
I have a use case to scramble the password and later delete the OpenLDAP account when a user moves to a specific LCS (actually more than one LCS).
As OpenLDAP does not support enable or disable, I cannot use the Service Standard rule as I did for AD accounts.
Workflow currently does not support account deletion for LDAP.
Is there a way I can activate password scramble and delete when the account moves to an LCS?
Is there any cloud or connector rule through which I can achieve this?
Thanks
V

Hi @anandan07

The Before Provisioning Rule will be helpful to achieve this use case.

Please find the below URL.

Let me know if you require the full rule.

Thank you!

OpenLDAP does not support enable/disable. Can I still use the before provisioning rule to delete the IDs when there is a change in LCS? Do you have any sample to refer to or use?

Hi @anandan07,

You can use the SailPoint Service Standard Before Provisioning Rule:
Services Standard Before Provisioning Rule - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community

This is a standard rule developed by SailPoint, which includes various operations. You must work with your PS (Professional Services) team to deploy this rule.

Once deployed, you can attach the rule to your source:

Then, configure the cloudServicesIDNSetup parameter of your source as follows:

[
    {
        "eventActions": [
            {
                "Action": "ChangeOperation",
                "Attribute": null,
                "Value": "Delete"
            }
        ],
        "Identity Attribute Triggers": [
            {
                "Attribute": "accountsToDelete",
                "Value": "true",
                "Operation": "eq"
            }
        ],
        "Operation": "Modify"
    }
]

Some connectors do not support the Enable/Disable operation. To work around this limitation, we enforce synchronization on a selected attribute on the target system.

In our case, when the lifecycleState is changed to archive, we set the identity attribute accountsToDelete to true. Based on the configuration provided above, this attribute is also synchronized to an arbitrary attribute in LDAP to trigger synchronization. The Before Provisioning Rule will then detect this synchronization (Modify operation) and change it to a Delete operation.


Hi, I tried.
But when the attribute gets updated, the AD connector is triggering the password change and account deletion. But OpenLDAP is not triggering. Both have "beforeProvisioningRule": "Services Standard IdentityNow BeforeProvisioning Rule"

[
    {
        "eventActions": [
            {
                "Action": "ScramblePassword",
                "Attribute": "password",
                "Value": null
            }
        ],
        "Identity Attribute Triggers": [
            {
                "Attribute": "openldapStatus",
                "Value": "Inactive",
                "Operation": "eq"
            }
        ],
        "Operation": "Modify"
    },
    {
        "eventActions": [
            {
                "Action": "ChangeOperation",
                "Attribute": null,
                "Value": "Delete"
            }
        ],
        "Identity Attribute Triggers": [
            {
                "Attribute": "openldapStatus",
                "Value": "Delete",
                "Operation": "eq"
            }
        ],
        "Operation": "Modify"
    }
]

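As an added illustration (not SailPoint's rule code and not code from any poster), the Python below models the trigger evaluation described in the earlier answer and runs it against a constructed copy of the OpenLDAP cloudServicesIDNSetup posted just above. The matching semantics are assumed from that explanation: an entry fires only when the plan operation equals its "Operation" and every identity attribute trigger matches, ChangeOperation rewrites the plan operation, and other actions such as ScramblePassword are collected.

```python
import json

# Constructed copy of the OpenLDAP cloudServicesIDNSetup posted in this thread.
CONFIG_JSON = """[
  {"eventActions": [{"Action": "ScramblePassword", "Attribute": "password", "Value": null}],
   "Identity Attribute Triggers": [{"Attribute": "openldapStatus", "Value": "Inactive", "Operation": "eq"}],
   "Operation": "Modify"},
  {"eventActions": [{"Action": "ChangeOperation", "Attribute": null, "Value": "Delete"}],
   "Identity Attribute Triggers": [{"Attribute": "openldapStatus", "Value": "Delete", "Operation": "eq"}],
   "Operation": "Modify"}
]"""


def load_config(text):
    """Parse the setup JSON. Typographic quotes pasted from a forum or word
    processor are not valid JSON, so reject them with a clear message."""
    if any(ch in text for ch in "\u201c\u201d\u2018\u2019"):
        raise ValueError("config contains typographic quotes; use straight ASCII quotes")
    return json.loads(text)


def trigger_matches(trigger, identity):
    """Only the 'eq' operation appears in the thread; anything else is rejected."""
    if trigger["Operation"] != "eq":
        raise ValueError("unsupported trigger operation: %s" % trigger["Operation"])
    return identity.get(trigger["Attribute"]) == trigger["Value"]


def evaluate(config, plan_operation, identity):
    """Return (resulting operation, extra actions) for one provisioning plan.
    Assumed model of the rule: an entry fires only when its Operation equals the
    plan's operation and every identity attribute trigger matches; ChangeOperation
    rewrites the plan operation, other actions (e.g. ScramblePassword) are collected."""
    operation = plan_operation
    actions = []
    for entry in config:
        if entry["Operation"] != plan_operation:
            continue
        if not all(trigger_matches(t, identity) for t in entry["Identity Attribute Triggers"]):
            continue
        for action in entry["eventActions"]:
            if action["Action"] == "ChangeOperation":
                operation = action["Value"]
            else:
                actions.append((action["Action"], action["Attribute"]))
    return operation, actions


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    for status in ("Active", "Inactive", "Delete"):
        print(status, evaluate(cfg, "Modify", {"openldapStatus": status}))
```

Note that an entry can only fire on a plan whose operation is Modify, so a source that never receives a Modify plan (because the trigger attribute is not mapped for synchronization to that source) never reaches the triggers at all.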