LDAP user cleanup

Last modified by Admin on 2024/09/02 00:01

In case users get deleted from LDAP, this application removes their XWiki profile pages and transfers ownership of their pages to an anonymous account.

Type: XAR
Category: Application
Developed by: Denis Gervalle, Thomas Mortagne, Alex Cotiuga, XWiki Development Team
Active Installs: 12
Rating: 0 Votes
License: GNU Lesser General Public License 2.1

Installable with the Extension Manager

Description

In case users get deleted from LDAP, this application removes their XWiki profile pages and optionally transfers ownership of their pages to an anonymous account.

Note that removing the profile pages is not necessary to keep users from logging in; for this it is enough if they are disabled or deleted in the LDAP. This extension is only useful if you want to keep your user directory from being overcrowded with former members, or want to anonymize the contributions of former users, e.g. due to data protection concerns.

Configuration

After installation of this optional utility you will find a new job shown in the "Scheduler" space. The new job has the title "Remove profile data for users no longer in LDAP".

Click on "edit" for this job to set up the configuration.
The first section contains necessary information about how to connect to LDAP and how to replace the user information:

ldap-cleanup-config1.png

  • If the wiki's LDAP configuration already connects with an explicit bind user, you can leave the fields LDAP bind user and LDAP bind password empty; the values from the configuration will be used instead. If this is the case, you will be notified in the description.
  • If your LDAP access is instead configured to connect with the login data of the user currently logging in (i.e. it contains placeholders like {0} and {1}), then you need to give here a dedicated LDAP user account and password. If the login doesn't work with a DN, try providing just the name of the user. The user should have read access to all users that can log in to the wiki, or the job might remove valid user profiles because it cannot find them. Write access to the LDAP is not necessary and definitely not recommended.
  • The Replacement User defaults to the guest user. If you prefer, you can give here the full document name (e.g. with the XWiki. prefix) of a different user. This user does not need to exist. If the user exists, it should not have any special rights, to avoid giving pages owned by to-be-deleted users more permissions through the handover of ownership.
  • The Replacement Admin is used to replace document creator and authorship for all pages where the corresponding creator/author had admin rights at the moment of deletion. This is necessary to prevent these pages from losing the content rights needed to execute the code they contain. If your administrators do not have "Programming" rights, especially where the scheduler is run in subwikis, you must replace the default XWiki.superadmin by a dedicated, manually created and disabled account which is given admin rights explicitly. Otherwise there is a risk of elevating permissions to "programming" for pages owned by to-be-deleted administrators.

The second part concerns which fields of the user information should be replaced, and whether the scheduler job should really perform the action or just do a dry run:

ldap-cleanup-config2.png

In order to test and see the records of the operation after triggering the job manually, keep the "Dry Run" option checked. To actually disable or delete the inactive users, uncheck the "Dry Run" field. Before triggering the job, raise the log level for the logger org.xwiki.contrib.ldap.scheduler.OldUserCleanup to DEBUG. See also the Enable LDAP debug section.

Since 9.9.1, a third part was added. It manages whether the job should disable or delete the users. If the "Should disable instead of delete" option is set to yes, the users will simply be disabled and the parameters in section 2 of the configuration will be ignored, as they are needed only when deleting a user. Besides this, the job can now also detect whether the LDAP users are set to inactive or are disabled. How this is expressed depends on each LDAP server implementation. For example, in Active Directory, a disabled user has the attribute "userAccountControl" set to "514". If these two fields (attribute name and value) are set, the job will also delete/disable the users that are disabled in LDAP when it runs.

ldap-cleanup-config3.png
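The Active Directory example above matches one exact attribute value. As an added example, not code from the extension, the following Python shows why that single value covers only one disabled variant: userAccountControl is a bit mask in which ACCOUNTDISABLE is bit 0x2, so 514 is NORMAL_ACCOUNT (0x200) plus that flag, while a disabled account with "password never expires" reads 66050. The entries are constructed sample data, and the exact-match function stands in for the configured attribute/value check.

```python
# Added example, not part of the LDAP user cleanup extension.
# Active Directory userAccountControl flags (documented bit values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample entries, standing in for what the job reads from LDAP.
SAMPLE_ENTRIES = [
    {"uid": "alice", "userAccountControl": "512"},    # enabled
    {"uid": "bob", "userAccountControl": "514"},      # disabled
    {"uid": "carol", "userAccountControl": "66050"},  # disabled + password never expires
    {"uid": "dave", "userAccountControl": "66048"},   # enabled + password never expires
    {"uid": "erin"},                                  # attribute missing
]


def exact_match_disabled(entry, attr="userAccountControl", value="514"):
    """Mimics an exact attribute/value check as configured in section 3."""
    return entry.get(attr) == value


def bitmask_disabled(entry, attr="userAccountControl"):
    """Treats the attribute as AD's bit mask and tests the ACCOUNTDISABLE flag.

    A missing or non-numeric attribute is reported as not disabled, so that a
    lookup failure never turns into a removed profile (see the bind-user note).
    """
    raw = entry.get(attr)
    if raw is None or not raw.isdigit():
        return False
    return bool(int(raw) & ACCOUNTDISABLE)


def dry_run(entries, check):
    """Returns the uids the given check would disable/delete, without acting."""
    return sorted(e["uid"] for e in entries if check(e))


if __name__ == "__main__":
    print("exact match 514:", dry_run(SAMPLE_ENTRIES, exact_match_disabled))
    print("ACCOUNTDISABLE bit:", dry_run(SAMPLE_ENTRIES, bitmask_disabled))
```

Running the dry run with both checks shows that the exact match reports only bob, while the bit-mask check also catches carol, whose account is disabled but carries an additional flag.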

Since 9.15.0, one more property was added: Check included/excluded groups. If this property is checked, the user cleanup job will make two more checks when deciding whether the user should be disabled/deleted: the user must be part of the included groups (the groups that are configured to be able to authenticate) and must not be part of the excluded groups (the groups that are not allowed to log in to XWiki).

Below that configuration section is the code for the actual scheduler job, most of which does not need any editing. You might want to edit the "Cron Expression" if you want the job to run more or less often than its preconfigured value. See also Scheduler for more information.

Overriding the LDAP configuration

Since 9.14.0, the cleanup job looks up Provider components for XWikiLDAPConfig and, if none is found, falls back to the standard LDAP configuration.

In order to provide a custom configuration to the cleanup job, implement such a Provider component, for example:

import javax.inject.Provider;
import javax.inject.Singleton;

import org.xwiki.component.annotation.Component;
import org.xwiki.contrib.ldap.XWikiLDAPConfig;

@Component
@Singleton
public class CustomProvider implements Provider<XWikiLDAPConfig>
{
    @Override
    public XWikiLDAPConfig get()
    {
        // Build the configuration the cleanup job will use for its LDAP
        // lookups; null means no user-specific input is applied.
        XWikiLDAPConfig configuration = new XWikiLDAPConfig(null);
        return configuration;
    }
}

Acknowledgements

The development of this extension has been possible thanks to the generous support of the Evangelisches Johanneswerk gGmbH.

Release Notes

For release notes see the common LDAP release notes.

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (Make sure that the text "Installable with the Extension Manager" is displayed at the top right location on this page to know if this extension can be installed with the Extension Manager). Note that installing Extensions when being offline is currently not supported and you'd need to use some complex manual method.

You can also use the following manual method, which is useful if this extension cannot be installed with the Extension Manager or if you're using an old version of XWiki that doesn't have the Extension Manager:

  1. Log in to the wiki with a user having Administration rights
  2. Go to the Administration page and select the Import category
  3. Follow the on-screen instructions to upload the downloaded XAR
  4. Click on the uploaded XAR and follow the instructions
  5. You'll also need to install all dependent Extensions that are not already installed in your wiki

Be sure to configure the extension after installing or it will do nothing. See section Configuration above.

Dependencies

Dependencies for this extension (org.xwiki.contrib.ldap:ldap-user-cleanup 9.15.5):
