You should be familiar with the syntax and operation of the LDAP tools such as ldapmodify.
Verify the user entry you want to delete.
The following ldif file shows an example of a user entry before you begin the deletion. Note that the inetUserStatus attribute is active:
dn: uid=jsmith,ou=People,o=sesta.com,o=root_suffix
icsFirstDay: 2
uid: jsmith
iplanet-am-modifiable-by: cn=Top-level Admin Role,o=root_suffix
icsTimezone: America/Denver
givenName: John
mail: jsmith@sesta.com
mailUserStatus: active
sn: Smith
cn: John Smith
mailDeliveryOption: mailbox
icsStatus: Active
icsCalendar: jsmith@sesta.com
mailHost: mail.siroe.com
objectClass: userpresenceprofile
objectClass: icscalendaruser
objectClass: top
objectClass: iplanet-am-managed-person
objectClass: iplanet-am-user-service
objectClass: inetadmin
objectClass: organizationalperson
objectClass: person
objectClass: inetuser
objectClass: inetlocalmailrecipient
objectClass: iplanetpreferences
objectClass: ipuser
objectClass: inetorgperson
objectClass: inetsubscriber
objectClass: inetmailuser
inetUserStatus: Active
userPassword: {SSHA}uSRLlYBjzFxu4f2nWtXU4XoVdExKSLcSRhYbFw==
iplanet-am-user-login-status: Active
Use the ldapmodify command to mark the messaging and calendar user for deletion.
This step changes the user's status to “deleted” in the LDAP directory by changing the value of the user's inetUserStatus attribute to deleted.
Example:
Create the following ldif file, named markUserDeleted.ldif:
dn: uid=jsmith,ou=People,o=sesta.com,o=root_suffix
changetype: modify
replace: inetuserstatus
inetuserstatus: deleted
Run the ldapmodify command:
ldapmodify -D "uid=admin,ou=People,o=siroe.com,o=root_suffix" -w '&!2x%!a5' -f markUserDeleted.ldif
The user entry now looks like this:
dn: uid=jsmith,ou=People,o=sesta.com,o=root_suffix
icsFirstDay: 2
uid: jsmith
iplanet-am-modifiable-by: cn=Top-level Admin Role,o=root_suffix
icsTimezone: America/Denver
givenName: John
mail: jsmith@sesta.com
mailUserStatus: active
sn: Smith
cn: John Smith
mailDeliveryOption: mailbox
icsStatus: Active
icsCalendar: jsmith@sesta.com
mailHost: mail.siroe.com
objectClass: userpresenceprofile
objectClass: icscalendaruser
objectClass: top
objectClass: iplanet-am-managed-person
objectClass: iplanet-am-user-service
objectClass: inetadmin
objectClass: organizationalperson
objectClass: person
objectClass: inetuser
objectClass: inetlocalmailrecipient
objectClass: iplanetpreferences
objectClass: ipuser
objectClass: inetorgperson
objectClass: inetsubscriber
objectClass: inetmailuser
userPassword: {SSHA}uSRLlYBjzFxu4f2nWtXU4XoVdExKSLcSRhYbFw==
inetUserStatus: deleted
iplanet-am-user-login-status: Active
Use the appropriate command to remove mail and calendar resources from the user.
A resource can be a mailbox or a calendar.
For mail services, you use the msuserpurge command. msuserpurge finds all user entries where inetUserStatus or mailUserStatus is set to deleted and purges those user mailboxes from the message store. All resources associated with those users are also removed. msuserpurge then marks the mailUserStatus attribute in the affected user entries as “removed.”
msuserpurge -d domain
domain: Specifies the domain of the user marked for deletion
For calendar services, you use the csclean command. csclean finds all user entries where inetUserStatus or icsStatus is set to deleted and removes all calendars belonging to the deleted users. It then marks the icsStatus attribute in the affected user entries as “removed.”
csclean clean domain
clean: Mandatory argument for running the csclean command
domain: Specifies the domain of the user marked for deletion
Example:
msuserpurge -d sesta.com
csclean clean sesta.com
The user entry now looks like this:
dn: uid=jsmith,ou=People,o=sesta.com,o=root_suffix
icsFirstDay: 2
uid: jsmith
iplanet-am-modifiable-by: cn=Top-level Admin Role,o=root_suffix
icsTimezone: America/Denver
givenName: John
mail: jsmith@sesta.com
sn: Smith
cn: John Smith
mailDeliveryOption: mailbox
icsCalendar: jsmith@sesta.com
mailHost: mail.siroe.com
objectClass: userpresenceprofile
objectClass: icscalendaruser
objectClass: top
objectClass: iplanet-am-managed-person
objectClass: iplanet-am-user-service
objectClass: inetadmin
objectClass: organizationalperson
objectClass: person
objectClass: inetuser
objectClass: inetlocalmailrecipient
objectClass: iplanetpreferences
objectClass: ipuser
objectClass: inetorgperson
objectClass: inetsubscriber
objectClass: inetmailuser
userPassword: {SSHA}uSRLlYBjzFxu4f2nWtXU4XoVdExKSLcSRhYbFw==
inetUserStatus: deleted
icsStatus: removed
mailUserStatus: removed
iplanet-am-user-login-status: Active
Permanently remove the user entry from the directory.
Example:
Delete the user from all groups (mail lists) in which the user is a member or owner.
Use the ldapsearch command to search the directory for all groups. If, in your directory, all groups are located under ou=Groups under a single domain, you can restrict the search to the ou=Groups subtree.
In each group, search on the following attributes:
owner
uniqueMember
Delete each instance where the value is:
uniqueMember: uid=jsmith,ou=People,o=sesta.com,o=root_suffix
In each instance where the value is:
owner: cn=John Smith,ou=People,o=sesta.com,o=root_suffix
change the owner to another user.
Once a user is no longer specifically named as a group member or owner, the user will no longer appear in any groups, including dynamic group memberships and any nested groups.
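The group cleanup above can be scripted. The following is an added example, not part of the original documentation: it reads the LDIF that an ldapsearch over ou=Groups for owner and uniqueMember returns, emits the ldapmodify input that strips the deleted user's uniqueMember values, and lists the groups whose owner still names the user so ownership can be reassigned by hand. The group DNs and the search filter in the comment are constructed for the example.

```python
"""Added example (not from the original documentation): plan the removal of a
deleted user from every group that names the user as uniqueMember or owner.
Input is the LDIF printed by ldapsearch; the groups below are constructed."""
import re

MEMBER_DN = "uid=jsmith,ou=People,o=sesta.com,o=root_suffix"
OWNER_DN = "cn=John Smith,ou=People,o=sesta.com,o=root_suffix"

# Constructed stand-in for: ldapsearch -b "ou=Groups,o=sesta.com,o=root_suffix" "(|(uniqueMember=...)(owner=...))" owner uniqueMember
SAMPLE_GROUPS = """\
dn: cn=sales,ou=Groups,o=sesta.com,o=root_suffix
owner: cn=John Smith,ou=People,o=sesta.com,o=root_suffix
uniqueMember: uid=jsmith,ou=People,o=sesta.com,o=root_suffix
uniqueMember: uid=mjones,ou=People,o=sesta.com,o=root_suffix

dn: cn=announce,ou=Groups,o=sesta.com,o=root_suffix
owner: cn=Mary Jones,ou=People,o=sesta.com,o=root_suffix
uniqueMember: UID=JSMITH, OU=People, o=sesta.com, o=root_suffix
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, split entries on blank lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def same_dn(a, b):
    """DN comparison is case-insensitive and ignores spaces around the RDN separators."""
    return re.sub(r"\s*,\s*", ",", a).lower() == re.sub(r"\s*,\s*", ",", b).lower()

def plan_group_cleanup(ldif_text, member_dn, owner_dn):
    """Return (LDIF for 'ldapmodify -f', groups needing a new owner, sole-member groups)."""
    changes, reassign, sole_member = [], [], []
    for dn, attrs in parse_ldif(ldif_text):
        members = attrs.get("uniquemember", [])
        for value in members:
            if same_dn(value, member_dn):
                # 'delete' with an explicit value removes only this member, not the attribute
                changes.append("dn: %s\nchangetype: modify\ndelete: uniqueMember\n"
                               "uniqueMember: %s\n" % (dn, value))
                if len(members) == 1:  # a groupOfUniqueNames entry must keep one uniqueMember
                    sole_member.append(dn)
        if any(same_dn(v, owner_dn) for v in attrs.get("owner", [])):
            reassign.append(dn)  # the directory cannot pick the new owner for you
    return "\n".join(changes), reassign, sole_member
```

Groups returned in the third list would reject the modify because the schema requires at least one uniqueMember, so decide separately whether to add another member first or delete the group.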
If the user created an address book in Communications Express, use LDAP tools to find and remove the personal address-book related LDAP entries.
The LDAP data for a user's personal address book is stored in a base entry and several subordinate entries. For a sample listing, see User Data Stored in the Directory by Communications Express.
The following steps summarize how to find and remove these entries. You might want to write your own script to automate these steps.
Use the ldapsearch command to find the user's address-book base entry and all its descendants.
The base entry is piPStoreOwner=user, where user specifies the user ID to be deleted.
Example:
ldapsearch -b "piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb" -s sub "objectclass=*" dn
This example finds the personal address book DNs for a user named jsmith in the sesta.com domain.
Use the ldapdelete command to remove each subordinate entry.
Example:
ldapdelete -D "uid=admin,ou=People,o=siroe.com,o=root_suffix" -w '&!2x%!a5' "piEntryID=e10976f864e00m,piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb"
You might prefer not to run ldapdelete for each subordinate entry. Instead, you can create a response file based on the LDIF output generated from the preceding ldapsearch command. The response file can be used with ldapdelete to iteratively delete the multiple entries.
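One way to build that response file, as an added example that is not part of the original documentation: it takes the DNs from the ldapsearch output of the previous step, orders them deepest-first so every subordinate entry is deleted before its parent (the base entry comes last, matching the final step), and refuses any DN that is not under the user's address-book base. The second and third piEntryID values and the folded and base64-encoded lines are constructed to exercise the LDIF forms ldapsearch can print.

```python
"""Added example (not from the original documentation): turn the ldapsearch
listing of a user's address-book subtree into input for 'ldapdelete -f'."""
import base64
import re

BASE_DN = "piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb"

# Constructed stand-in for: ldapsearch -b "$BASE_DN" -s sub "objectclass=*" dn
# (one dn per entry; one line folded with a leading space; one base64 'dn::').
_folded = "piEntryID=e10976f864e01n,piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb"
SAMPLE_SEARCH_OUTPUT = (
    "dn: " + BASE_DN + "\n\n"
    + "dn: piEntryID=e10976f864e00m," + BASE_DN + "\n\n"
    + "dn: " + _folded[:40] + "\n " + _folded[40:] + "\n\n"
    + "dn:: " + base64.b64encode(_folded.replace("e01n", "e02p").encode()).decode() + "\n"
)

def dns_from_search_output(text):
    """Extract every DN: unfold LDIF continuation lines, decode base64 'dn::' values."""
    text = text.replace("\n ", "")  # a leading space marks a folded continuation line
    dns = []
    for line in text.splitlines():
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:].strip())
    return dns

def rdn_depth(dn):
    """Count RDNs; a comma escaped as '\\,' is part of a value, not a separator."""
    return len(re.split(r"(?<!\\),", dn))

def deletion_order(dns, base_dn):
    """Return DNs deepest-first; refuse anything not equal to or under base_dn."""
    base = base_dn.lower()
    for dn in dns:
        low = dn.lower()
        if low != base and not low.endswith("," + base):
            raise ValueError("refusing to delete outside the address-book base: " + dn)
    return sorted(dns, key=rdn_depth, reverse=True)  # stable: siblings keep search order

def response_file(dns, base_dn):
    """Text for 'ldapdelete -f': one DN per line, the base entry last."""
    return "\n".join(deletion_order(dns, base_dn)) + "\n"
```

Write the returned text to a file and pass it with -f, using the same -D and -w bind options as the ldapdelete example above.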
Use the ldapdelete command to remove the user's address-book base entry.
Example:
ldapdelete -D "uid=admin,ou=People,o=siroe.com,o=root_suffix" -w '&!2x%!a5' "piPStoreOwner=jsmith,o=sesta.com,o=PiServerDb"
When you complete these steps, all user-related data maintained by Communications Express is removed.