Oracle Identity Manager(11gR2) -- Bulk Cleaning of User Data in OIM-OUD(OID) LDAP SYNC Environment D
- Ram Somavarapu
- Feb 7, 2015
- 3 min read
At one of our clients we encountered the following use case:
OIM (11.1.2.x) is configured with LDAP Sync against OUD. Active Directory is the trusted source, and trusted source reconciliation is also configured on OIM to pull in user data. So users are pulled from Active Directory into OIM and on to OUD. During multiple phases of testing in the client's test environment we repeatedly needed to clean the user data out of OUD and OIM, and we did not find much documentation addressing this. With only a few users we could have deleted them manually through the OIM self-service console, which automatically removes the corresponding entries from OUD. But thousands of users were being populated during each test phase, and manual deletion is not practical.
We followed the approach below to address this issue.

1) Delete the user data in OUD.

a) Run ldapsearch against OUD and collect the DNs of all the users that need to be cleaned up:

ldapsearch -h <oudhostname> -p <oudport> -D "cn=Directory Manager" -w <password> -b <User Base DN in OUD> -s sub "(objectclass=orclIDXPerson)" dn > dnlist

The user DNs are written to the file "dnlist" in LDIF format, one entry per record with blank lines between them:

dn: cn=test user1, cn=XXXXXXX

dn: cn=test user2,cn=XXXXXXX
...

This file needs to be trimmed (remove the blank lines between the entries and strip the "dn: " prefix from each line) so that ldapdelete can process it without errors. Any search-and-replace tool can be used; I used the following sed commands:

sed '/^$/d' dnlist > dnlist_nolines    (deletes the blank lines between the entries)
sed -i 's/dn: //g' dnlist_nolines      (removes "dn: " from each line)
b) Now run ldapdelete against OUD, passing it the file prepared above:
ldapdelete -h <oudhostname> -p <oudport> -D "cn=Directory Manager" -w <password> -f dnlist_nolines
This will delete all the Users from OUD.
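The two sed commands above assume that every DN fits on one line and is plain text. OUD's ldapsearch writes LDIF, which folds long lines (a continuation line starts with a space) and base64-encodes DNs containing non-ASCII characters ("dn:: ..."), and either case leaves a mangled DN in dnlist_nolines. The following helper is an added example, not part of the original post: it normalises the LDIF into one bare DN per line and, before anything is handed to ldapdelete, checks that every DN sits under the intended user base DN, so a mistyped search base cannot feed entries from another container into the delete. The function names, the sample base DN and the constructed LDIF in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: prepare and sanity-check
# the DN list produced by "ldapsearch ... dn > dnlist" before ldapdelete.

# ldif_to_dnlist FILE  -> one bare DN per line on stdout.
# Handles LDIF line folding (continuation lines start with a space) and
# base64-encoded DNs ("dn:: ...") in addition to plain "dn: ..." lines.
ldif_to_dnlist() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }   # unfold a continuation line
        { if (buf != "") print buf; buf = $0 }
        END   { if (buf != "") print buf }
    ' "$1" |
    while IFS= read -r line; do
        case "$line" in
            "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; printf '\n' ;;
            "dn: "*)  printf '%s\n' "${line#dn: }" ;;
            *) ;;                                 # blank lines, comments, other attributes
        esac
    done
}

# dnlist_under_base FILE BASEDN -> returns 0 only if every DN in FILE ends
# with ",BASEDN" (case-insensitive, spaces after commas ignored). The base
# entry itself and anything outside it are rejected, so the wrong search
# base or filter cannot turn into a delete of the wrong container.
dnlist_under_base() {
    base=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
    while IFS= read -r dn; do
        low=$(printf '%s' "$dn" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
        case "$low" in
            *",$base") ;;
            *) printf 'not under base DN, refusing to delete: %s\n' "$dn" >&2; return 1 ;;
        esac
    done < "$1"
}

# Intended use (hypothetical base DN; ldapdelete runs only if the check passes):
#   ldif_to_dnlist dnlist > dnlist_nolines
#   dnlist_under_base dnlist_nolines "ou=People,dc=example,dc=com" \
#     && ldapdelete -h <oudhostname> -p <oudport> -D "cn=Directory Manager" -w <password> -f dnlist_nolines
```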
2) The LDAP Sync process will not automatically delete from OIM the users that were deleted in OUD. That is handled by the two reconciliation jobs below. Enable the following LDAP Sync related recon jobs in OIM if they are not already enabled, and run them:

a) LDAP User Delete Full Recon
b) LDAP User Delete Reconciliation (this is the incremental recon job; if it is not enabled, get the latest changelog number from OUD, update the job with it, and run it)

3) If neither of the above jobs is enabled and you try to delete the users from the OIM console, OIM will not let you delete them; you will normally see the Orchestration Failed error messages below. So one of the recon jobs must be used to delete the users in OIM. In our case, since the users were brought into OIM through the AD trusted source recon, we were not able to get them deleted through the LDAP User Delete Full Recon job; the LDAP User Delete Reconciliation job is what deleted the users in OIM.

oracle.iam.identity.exception.UserDeleteException: Orchestration process with id xxxxx , failed with error message null.
    at oracle.iam.identity.usermgmt.impl.UserManagerImpl.hardDelete(UserManagerImpl.java:978)
    at oracle.iam.identity.usermgmt.impl.UserManagerImpl.delete(UserManagerImpl.java:869)
    ...
Caused by: oracle.iam.request.exception.RequestServiceException: Orchestration process with id xxxxxx, failed with error message null.
    at oracle.iam.request.impl.RequestEngine.handleOrchResult(RequestEngine.java:5042)
    at oracle.iam.request.impl.RequestEngine.startOrchestrationFromPreProcess(RequestEngine.java:4949)
    ...
    ... 78 more
Caused by: oracle.iam.platform.kernel.EventFailedException: IAM-3010054:Deletion failed because the user with LDAP DN uid=XXXXXXXX does not exist in the directory.:uid=xxxxxxxx
    at oracle.iam.ldapsync.impl.util.LDAPSyncUtil.createEventFailedException(LDAPSyncUtil.java:959)
    at oracle.iam.ldapsync.impl.util.LDAPSyncUtil.createEventFailedException(LDAPSyncUtil.java:975)
    at oracle.iam.ldapsync.impl.eventhandlers.user.util.LDAPUserHandlerUtil.deleteUser(LDAPUserHandlerUtil.java:149)
    at oracle.iam.ldapsync.impl.eventhandlers.user.UserDeleteLDAPHandler.execute(UserDeleteLDAPHandler.java:131)

4) Once the recon job(s) have run successfully, verify that the users are marked as deleted in OIM. You can check this either in the self-service console or by running the SQL query (Select * from USR where USR_STATUS != 'Deleted') against the OIM schema, which lists the users that are not yet marked as deleted.

5) OIM is designed not to hard-delete users from the database; the users are only marked as deleted. To reuse the same user login again, change the system property XL.UserIDReuse to true and drop the index on the USR_LOGIN column of the USR table in the OIM schema.

6) Now we can re-run the trusted source recon, and the user data is reloaded all the way to OUD.