Mass deletion of users/group membership
  • #366081
    playdrums
    Participant

    I want to mass delete users and ensure that the uid for each of those users is no longer a member of any group. In our previous openLDAP implementation running on linux, this could be a concern because new users with the same uid as a previous user could inherit group memberships. So, I had it set up such that removal from all groups happened in tandem with the delete.

    On the surface this is easy – dscl can accomplish the user delete without a problem. However, it appears that uid’s for the deleted users are only removed from their group memberships if you use Workgroup Manager to delete the user. And, I don’t really see how I can get Workgroup Manager to handle a mass deletion of selected records.

    //rant
    Workgroup Manager sorely needs a full command line equivalent.
    //end rant

    Should I even be concerned about this? It at least appears that I should be because I just tested it and it looks like a new user will inherit the group of a previous user with the same uid. However, I’m not sure and all these special Apple group membership attributes are confusing.

    Does anyone have a script for doing this?

    #366089
    playdrums
    Participant

    Thanks Josh!!!

    It must be very super secret since googling it returns nothing for me.

    I take it a typical header is required? Does it require only the recordName to delete or does it require a more detailed description like dsimport typically would? Since it isn’t documented I can’t find anything about usage.

    #366093
    playdrums
    Participant

    Findings:

    When I use this flag with dsimport it does indeed remove the user record from OD. However, for groups that the user was a member of there are still remnants of that user in the group records. If I run either of the following, those groups still get returned:

    (our group names end in ‘grp’ so I grep for it to reduce returned lines)

    dscl /LDAPv3/127.0.0.1 -search Groups memberUid deletedUser | grep grp

    dscl /LDAPv3/127.0.0.1 -search Groups GroupMembership deletedUser | grep grp

    For all intents and purposes, if your uid is in one of those attributes, you’re really still a group member.

    Also, in Workgroup Manager, if I do an advanced search on groups with the criteria being ‘Membership contains deletedUser,’ WGM itself still returns those groups as having deletedUser as a member.

    At the very least, Apple’s tools do a terrible job of keeping directory records in sync. At worst it is a pretty bad security risk. In our workplace our groups protect research documents. We also have people hired all the time that have the same last name as a previous user, and if there is no conflict with an existing user, we’ll re-use the username since we use last name typically.

    I’ll probably have to write a script that before removing a user, loops through that user’s groups and removes the user from each one.
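A script along the lines of that last post, added here as an example and not posted by anyone in the thread. It assumes the node path and the two attributes used in the searches above, that `dscl -search` prints one tab-separated header line per hit with the record name first, and that `dscl -delete <record> <attr> <value>` removes only that one value; it defaults to dry run.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the OD node path from the posts,
# that `dscl -search` prints one "<record>\t\t<attr> = (" header line per hit,
# and that `dscl -delete <record> <attr> <value>` removes only that one value.
NODE="/LDAPv3/127.0.0.1"
ATTRS="GroupMembership memberUid"   # the two attributes the posts searched
DRY_RUN="${DRY_RUN:-1}"             # DRY_RUN=0 to actually modify the directory

# Print the command in dry-run mode, run it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Read `dscl -search` output on stdin; print each matching group record name
# once. The name is the first tab-delimited field of the header line, so names
# containing spaces survive; an optional "Groups/" prefix is dropped.
candidate_groups() {
    awk -F '\t+' '$2 ~ /^(GroupMembership|memberUid)( =|:)/ {
        sub(/^.*\//, "", $1); print $1
    }' | sort -u
}

# Strip the user out of every group that still lists it, verify that nothing
# references the uid any more, and only then delete the user record.
purge_user() {
    user="$1"
    for attr in $ATTRS; do
        dscl "$NODE" -search Groups "$attr" "$user" | candidate_groups |
        while IFS= read -r grp; do
            # -search may match loosely, but -delete only removes the exact
            # value, so an unrelated hit just produces a warning here.
            run dscl "$NODE" -delete "/Groups/$grp" "$attr" "$user" ||
                echo "warn: could not remove $user from $grp ($attr)" >&2
        done
    done
    if [ "$DRY_RUN" != 1 ]; then
        for attr in $ATTRS; do
            if dscl "$NODE" -search Groups "$attr" "$user" | candidate_groups | grep -q .; then
                echo "refusing to delete $user: still referenced via $attr" >&2
                return 1
            fi
        done
    fi
    run dscl "$NODE" -delete "/Users/$user"
}

# Usage: DRY_RUN=0 ./purge_user.sh user1 [user2 ...]
for u in "$@"; do purge_user "$u"; done
```

Run it first with the default dry run and read the printed commands before setting `DRY_RUN=0`.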
