2 Replies Latest reply on Aug 26, 2012 12:25 AM by 848613

    How to remove a user from a Group using DBMS_LDAP

      I am using DBMS_LDAP to communicate with OpenLDAP. I am able to search for users, add users, remove users and add users to specific Groups. But I do not see any API to remove a user from a Group. Is there a way to do this using DBMS_LDAP? Any suggestions are appreciated.

      Thank you,

        • 1. Re: How to remove a user from a Group using DBMS_LDAP
          Hello, Naresh,

          There are different solutions for your problem:

          1) If you have access to metalink, you can use docid 334939.1
          Subject: Example of Using DBMS_LDAP to Delete A User and UniqueMember from a Group

          2) If you don't have access to metalink use the code:

          DECLARE
            v_user_base VARCHAR2(4000);
            v_user_attr VARCHAR2(4000);
            p_email     VARCHAR2(4000) := '<email of the user to delete>';
            s_session   DBMS_LDAP.session;
            n_retval    PLS_INTEGER;
          BEGIN
            -- base DN and naming attribute of user entries, read from portal configuration
            v_user_base := opf_portal.pkg_opf_utils.get_global_variable('OID_USER_BASE');
            v_user_attr := opf_portal.pkg_opf_utils.get_global_variable('OID_USER_ATTR');

            --delete user from oid
            s_session := DBMS_LDAP.init(portal.wwsec_oid.GET_OID_HOST, portal.wwsec_oid.GET_OID_PORT);

            -- bind as an identity that holds the delete privilege on the user subtree
            n_retval := DBMS_LDAP.simple_bind_s(s_session, '<dn of user with delete user privilege>', '*******');

            -- delete_s removes the entire entry named attribute=value,base
            n_retval := DBMS_LDAP.delete_s(s_session, v_user_attr || '=' || p_email || ',' || v_user_base);

            n_retval := DBMS_LDAP.unbind_s(s_session);
          END;
          /

          While using this code, some people get an error: LDAP: error code 50 - Insufficient Access Rights

          But there is a solution:

          The ODI agent orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory does not have full read/write access to the synchronized entries in Oracle Internet Directory. Because the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group will already have the required ACLs defined, this entry should be a member of this group. In this case, <subscriber DN> is set to identity_management_realm.

          You must add the orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory user entry to the cn=oracleDASCreateUser,cn=groups,cn=oraclecontext,identity_management_realm group, so that it will have the required ACL access to perform the updates.

          In Oracle Directory Manager, navigate through: Entry Management -> dc=com,identity_management_realm,cn=oraclecontext -> cn=groups -> cn=oracleDASCreateUser. From here, against the attribute 'uniquemember' add: orclODIPAgentName=IPlanetImport,cn=subscriber profile,cn=changelog subscriber,cn=oracle internet directory.

          If you have any questions, ask.
          Kirill Babeyev
          • 2. Re: How to remove a user from a Group using DBMS_LDAP
            Thank you for your response. I found another solution. I am using the following code:

            CREATE OR REPLACE FUNCTION delete_from_group (p_session dbms_ldap.SESSION,
                                                          p_group   VARCHAR2,
                                                          p_user    VARCHAR2)
              RETURN PLS_INTEGER
            IS
              l_vals  dbms_ldap.string_collection;
              v_array dbms_ldap.mod_array;
              retval  PLS_INTEGER;
            BEGIN
              -- Initialize the pl/sql table with the member DN to remove
              l_vals(1) := p_user;

              -- Initialize the mod array for the modify command (one modification)
              v_array := dbms_ldap.create_mod_array(num => 1);

              IF v_array IS NULL THEN
                dbms_output.put_line('Error delete_from_group: v_array not initialized.');
                RETURN -1;
              END IF;
              dbms_output.put_line ('v_array initialisee avec succes.');

              -- Populate the mod array: MOD_DELETE of one value removes only that
              -- member from the group; the attribute is uniquemember for a
              -- groupOfUniqueNames group (use member for groupOfNames)
              dbms_ldap.populate_mod_array(modptr   => v_array,
                                           mod_op   => dbms_ldap.mod_delete,
                                           mod_type => 'uniquemember',
                                           modval   => l_vals);

              -- Group Modification
              retval := dbms_ldap.modify_s(p_session, p_group, v_array);

              -- Free the mod array
              dbms_ldap.free_mod_array(v_array);

              RETURN retval;
            EXCEPTION
              WHEN OTHERS THEN
                dbms_output.put_line('delete_from_group : '|| SQLCODE||' '||SQLERRM);
                RETURN -1 ;
            END delete_from_group;
            /

            Using this function, I am able to remove a User from a given group.
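An added example, not part of the thread, showing how the delete_from_group function posted above is driven end to end: bind with a service account, remove the member, then re-read the group to confirm the value is really gone before unbinding. Host, port, bind DN, password, group DN and user DN are placeholders; the group is assumed to be a groupOfUniqueNames (attribute uniquemember).

```plsql
-- Added example: caller for the delete_from_group function posted in this thread.
-- All host, DN and password values are placeholders, not from the thread.
DECLARE
  l_session  DBMS_LDAP.session;
  l_retval   PLS_INTEGER;
  l_attrs    DBMS_LDAP.string_collection;
  l_message  DBMS_LDAP.message;
  l_group_dn CONSTANT VARCHAR2(200) := 'cn=app-admins,ou=groups,dc=example,dc=com';  -- placeholder
  l_user_dn  CONSTANT VARCHAR2(200) := 'uid=jdoe,ou=people,dc=example,dc=com';       -- placeholder
BEGIN
  -- Raise PL/SQL exceptions on LDAP errors instead of silently returning codes
  DBMS_LDAP.use_exception := TRUE;

  l_session := DBMS_LDAP.init(hostname => 'ldap.example.com', portnum => 389);  -- placeholder

  -- Bind as a service account whose ACL grants write on the group membership attribute only,
  -- not the broader delete-entry privilege the first answer's code needs
  l_retval := DBMS_LDAP.simple_bind_s(ld     => l_session,
                                      dn     => 'cn=group-admin,ou=service,dc=example,dc=com',  -- placeholder
                                      passwd => '********');

  -- Remove the member with the function from the thread
  l_retval := delete_from_group(l_session, l_group_dn, l_user_dn);
  DBMS_OUTPUT.put_line('delete_from_group returned ' || l_retval);

  -- Verify: a base-scope search on the group entry filtered on this uniquemember value
  -- must return zero entries once the member has been removed.
  -- (the DN is used as a filter value; escape ( ) * \ if user DNs can contain them)
  l_attrs(1) := 'uniquemember';
  l_retval := DBMS_LDAP.search_s(ld       => l_session,
                                 base     => l_group_dn,
                                 scope    => DBMS_LDAP.SCOPE_BASE,
                                 filter   => '(uniquemember=' || l_user_dn || ')',
                                 attrs    => l_attrs,
                                 attronly => 0,
                                 res      => l_message);
  IF DBMS_LDAP.count_entries(l_session, l_message) = 0 THEN
    DBMS_OUTPUT.put_line('verified: ' || l_user_dn || ' is no longer a member of ' || l_group_dn);
  ELSE
    DBMS_OUTPUT.put_line('WARNING: ' || l_user_dn || ' is still listed in ' || l_group_dn);
  END IF;
  l_retval := DBMS_LDAP.msgfree(l_message);

  l_retval := DBMS_LDAP.unbind_s(l_session);
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.put_line('LDAP error: ' || SQLERRM);
    IF l_session IS NOT NULL THEN
      l_retval := DBMS_LDAP.unbind_s(l_session);
    END IF;
END;
/
```

The verification search is the step worth keeping: modify_s returning success tells you the server accepted the change, while the follow-up search confirms the directory no longer lists the DN, which is what an access review or audit log should record.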