Hi,
I have an LDAP data collector working great, every new user gets created in iTop, I'm very happy with it. But I need help for when we have people leaving the company. We need to be able to deactivate them in AD, and the collector would update these users in iTop as inactive.
In French (translated): I have an LDAP collector that works very well, except that currently it only creates new persons and new accounts. I would like the status to change in iTop via the collector when a user is disabled in AD. I don't know how to do this. Note that my iTop is in French.
Hi Sébastien,
This setting is part of the xxxx.json file describing the policy for the DataSynchro. (I am sorry, I don't know the name of that file, maybe collectors/ldapuser.json.)
You can modify your DataSynchro in iTop then recreate that file on your collector server, running this command:
or directly modify it:
delete_policy_update is a list of values separated by semi-colons, of the form attribute_code:value, to specify which attribute of the associated object to set and to which value. Example: status:obsolete;description:no longer synchronized.
If your collector also creates/updates Person, apply a similar change to the corresponding .json file.
Good luck
Vincent
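An added example, not part of the original posts and not the collector's own code: a Python check that parses delete_policy_update in the attribute_code:value form described above and flags a definition whose update list would never be applied. It assumes the companion field delete_policy with the values update and update_then_delete; the sample JSON is constructed.

```python
import json

# Constructed sample of a Synchro Data Source definition; "name" and
# "delete_policy" are assumed companion fields, the values are illustrative.
SAMPLE = """
{
  "name": "Synchro LDAP Users (constructed sample)",
  "delete_policy": "ignore",
  "delete_policy_update": "status:obsolete;description:no longer synchronized",
  "user_delete_policy": "nobody"
}
"""

def parse_delete_policy_update(value):
    """Split 'attribute_code:value;attribute_code:value' into a dict."""
    updates = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing semi-colon
        code, sep, val = item.partition(":")
        if not sep or not code.strip():
            raise ValueError(f"not of the form attribute_code:value: {item!r}")
        updates[code.strip()] = val.strip()
    return updates

def audit(definition):
    """Return findings explaining why departed users may stay active."""
    try:
        updates = parse_delete_policy_update(definition.get("delete_policy_update", ""))
    except ValueError as exc:
        return [f"delete_policy_update is malformed: {exc}"]
    findings = []
    policy = definition.get("delete_policy", "")
    if not updates:
        findings.append("delete_policy_update is empty: nothing is set on removal")
    elif policy not in ("update", "update_then_delete"):  # assumed enum values
        findings.append(f"delete_policy is {policy!r}: the update list is not applied")
    if updates and "status" not in updates:
        findings.append("delete_policy_update does not touch 'status'")
    return findings

if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE)):
        print("FINDING:", finding)
```

Run it against both the user and the person definition files, since each class has its own status values.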
Hi,
I've been fiddling with this for weeks now, it just won't work.
I've modified the itopuserldapcollector.json file and also the itoppersonldapcollector.json file as well. See files attached for screenshot.
Note that the statuses are different for user and person in iTop, so I figured it should be reflected in those files, but neither of them works so far. I've got plenty of users disabled in LDAP that are still enabled in iTop both as a user and person.
What could I check to see where it fails?
Also, I looked at the itop.synchro_data_ldap_users table in the database and this entire STATUS column is null, is that normal?
Hello Sebastien,
I suspect that this setting will only affect Users and Persons whose replicas have disappeared from the source after you changed the DataSynchro setting, because the DataSynchro processes ONLY the replicas which have been touched within the last "full_load_interval", for performance reasons.
You have 2 strategies:
1. Resync your Users and Persons manually in iTop with a manual CSV import for those whose replicas are no longer seen, and rely on the new policy to keep them synchronized from now on.
2. Try to change the "full_load_interval" to one year for a single run, to force the DataSynchro to revisit all replicas. (I have not tested this; one year is just an arbitrary number, it depends on your iTop history, and it could take a long time to process.)
I am not familiar at all with the LDAP collector, but is LDAP providing a status which would be mapped to a User and/or Person iTop status? Probably not, which explains why the whole "status" column is empty in the table. So it is most probably normal.
This has nothing to do with the DataSynchro policy, which can update a field (like "status" here) even if that field is not part of the synchro, I mean not provided by the source.
Also, in both json files, there is this:
"user_delete_policy": "nobody"
Does it have anything to do with this?
Also, I switched the full load interval to a year in seconds, 31 449 600, and tested by deleting one of my disabled users from LDAP entirely; nothing changed in iTop.
EDIT: It seems the full load interval is not taken into account; the user I test with has not been synchronized although I resynced 3 times today.
Last edit: Sebastien Jean 2021-07-07
Hello,
user_delete_policy is a DataSynchro option. See the corresponding documentation: Creating the Synchro Data Source definition file.