Digg This -
Posted: 26 Apr 2006
A Forum reader asked the following question:
"I just Linux-enabled a bunch of my users, and my Linux profile object was set with the wrong User ID range. Is there a good way to bulk-delete those profiles?"
And here are the responses from Justin Grote and Aaron Burgemeister ...
Are you looking to delete the users or just remove their LUM-specific attribute information? Either way, it will probably be accomplished with an ldapmodify or ldapdelete query with the following as the filter:
ldapsearch -x -LLL '(&(uidNumber>=600)(uidNumber<=700))' dn
where 600 and 700 are the low and high numbers of your "goofed" user ID range. Once the ldapsearch finds what you want, you can pipe the output to ldapdelete, and it will remove the users.
ldapsearch -x -LLL '(&(uidNumber>=600)(uidNumber<=700))' dn | ldapdelete -x -n -v
The -n -v on ldapdelete will show you what it is going to delete before it does it. When you are absolutely sure, remove the -n.
If you just want to remove the attributes, that's *much* more difficult. It's basically the same process, only using ldapmodify to set certain attributes to null, thus removing them.
Note that instead of just -x above (which means anonymous simple bind), you will probably need to use -x -D "cn=your.ou=admin.o=fdn" and -W to specify an admin user.
How many users are involved? If there are just a few, you can manually modify those user IDs and then modify the Unix Config object to start after those IDs. If you're dealing with a bunch, a mass-operation (removal of uidnumbers) can be done fairly simply.
First, export the users with the uidnumber attribute set:
ldapsearch -h IPADDR -p PORTNUM -D ldapDNOfUser -x -W uidnumber=* dn >theFile.ldif
That will export all users in the environment with a uidnumber set (LUM-enabled, presumably). You can limit that by putting in the desired filter before the desired output ('dn'). Something like what was mentioned previously would be fine for a range of uidnumbers.
With that done, you just need to add two lines to each entry as follows:
changetype: modify delete: uidnumber
So an entry to start would look like this:
and at the end if would look like this:
dn: cn=someuser,ou=someOrgUnit,o=someOrg,dc=someDomain changetype: modify delete: uidnumber
That simply removes the uidnumber. You'll need a bunch of rights to do this, of course. Read that back in with ldapmodify (presumably all of this is being done in a file or two...read out to a file, modify the file, read the file back in).
ldapmodify -h IPADDR -p PORTNUM -D ldapDNOfUser -x -W -f ./theFile.ldif
You could also import it with ICE in iManager, ConsoleOne, or from a server's command line if that's more comfortable. Adding the '-n' switch to ldapmodify will prevent the operation from taking place but will show you what it would do if the '-n' switch was not in there.
That should work for any attribute, by the way. As a side note, there are a lot more changes made to a LUM-enabled object that include (but may not necessarily be limited to):
- gidnumber attribute (for the primary LUM-enabled group for a user)
- uamPosixUser and posixAccount auxiliary classes added (to the objectClass attribute)
- homeDirectory attribute
- loginShell attribute
- Regular eDirectory membership to the primary group (two attributes)
- A number of ACLs for [public], to see LUM-related stuff
Test this with one user first. If that works (adding back into LUM properly), go with the others.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com